Security information sharing generally aligns with threat intelligence, a collaborative opportunity to build stronger defenses and responses to active threats. However, as organizations become more sophisticated in how they defend against cybersecurity attacks and face broader regulatory compliance requirements, their security programs must gain deeper insight into how their business partners, vendors, and solutions providers protect themselves from attack. The ACSC collaborative cyberdefense study reveals opportunities organizations have in conducting these third party assessments.
Study participants pointed to third party assessments as a problem increasingly more critical to solve, given the implicit concentration of risk through shared cloud vendors. Formalized in various ways over the past two decades, the assessments are usually presented in the form of a questionnaire that any external third party completes to give a snapshot description of its ability to protect the receiving organization. With a high level of assessment consistency across organizations, they represent a key potential area for collective enhancement.
Unnecessary Duplication of Effort
Nearly all study respondents recognized tremendous duplication in security evaluation of vendors and third parties occurs across companies, presenting opportunities for gains in both efficiency and effectiveness. Most organizations use similar but different evaluation frames, driven in part by third-party standards (e.g., CSA STAR), though the evaluation process itself is completely internal for a majority of ACSC members.
As with information sharing, there are some sector-specific facilitating organizations (e.g., CyberFit for healthcare firms) to coordinate and share evaluations. Even when organizations want to collaborate, concerns raised by legal and compliance functions present coordination challenges aligning on shared criteria, given the variations across enterprises and the perceived need for firm-specific and tailored evaluations. Organizations often find it easier to keep the assessments siloed than coordinate their efforts.
However, security executives note that conditions are changing to favor assessment efficiency through collective effort. This is due in part by the vast number of external third parties even mid-sized organizations are now working with. Gone are the days of having a handful of engaged partners. Now, organizations regularly work with dozens of specialized vendors and service providers to support business functions, external third parties that each needs to be entered into the assessment process. Executives also admit they rarely verify assessment fidelity and struggle to keep them current, thereby diminishing the value of conducting the exercise at all beyond checking the compliance box.
Hidden Innovation Costs
Unspoken are the hidden costs of conducting satisfactory third party security assessments. To the organization requiring the assessment, costs include not just questionnaire reviews and follow-ups, but also those associated with conducting site visits to validate the provided information for third parties interacting with particularly sensitive business functions. The related coordination can often delay contract approvals by weeks and months, buyers and implementation managers must budget and plan for new solutions and services well in advance of the business need. Such a high barrier for entry encourages organizations to retain legacy solutions and thus can make it difficult to take timely advantage of new technology innovations. In a dynamic cybersecurity landscape where attack profiles are in constant flux, the over reliance on legacy solutions can result in sudden gaps of defense posture for the organization.
Also hidden is the impact the assessment process has on the third parties themselves. Small companies particularly are susceptible since the need to answer questionnaires and support site visits inevitably delays purchasing and adds significant business risk. This discourages young, innovative companies from engaging in more regulated industries. Those that operate in those industries may need to shift limited resources to support assessment compliance from functions meant to protect the solutions being provided. Whatever the impact, the purchasing company loses.
The ACSC sees an opportunity to improve third party assessments through stronger collective effort. Security executives agree assessments are more similar across organizations than they are different, allowing for some standardization to ease the compliance burden. Through our efforts to build trustworthy communications across our member organizations, the ACSC will continue to explore effective practices and frameworks to help reduce the unnecessary duplication of effort on common-cause problems so organizations can more efficiently tackle the big security challenges that they face.