A panel of industry experts gathered in London this week to discuss managing third party risk, cloud and supply chain complexity amidst ever-changing regulatory frameworks.
Panelists:
Alan Rodger, senior analyst, Ovum (moderator)
Rashmi Knowles, field CTO EMEA, RSA Security
Anthony Lee, partner, DMH Stallard
Raef Meeuwisse, author, Cybersecurity for Beginners
Javier Sanchez Ureta, data officer director, Banco Sabadell
Opening proceedings, panel chair Alan Rodger said that third party risks have become high-profile, with a far greater complexity and increased risk of relying on third parties in business.
Regarding that complexity, Rashmi Knowles added that “No business is an island,” and third party risk is always on the agenda because of “the nature of how we run our businesses and go through huge digital transformations.”
What’s more, something that elevates the complexity of third party risk is the upcoming General Data Protection Regulation (GDPR), Knowles continued.
“When we think about the implications of GDPR, even if a third party has a breach, you would still be liable – so that whole priority has shifted. Third party risk has always been important but with GDPR it’s obviously something that really needs to be focused on.”
Moving the conversation on, Rodger asked Anthony Lee how, from a legal perspective, different industries have been impacted by third party and supply chain challenges.
“There’s increasing complexity in the way contracts are put together,” he said. “Sometimes you’ll have prime contracts with subcontractors sitting behind them (you get a lot of that in the cloud space), and there’s a lot of interdependencies where there are a number of suppliers into a particular customer too, so that adds complexity as well.”
Then along comes GDPR, Lee added, which brings about very specific rules about what needs to go into contracts with third parties where the third party is going to be handling personal data, and also complex rules about what goes into subcontracts. “It’s quite a nuanced area.”
What about cloud and third party issues from a business GRC standpoint, Rodger asked Raef Meeuwisse.
“The most important thing for an enterprise to consider is that your information of value and where it travels to will define where you need to have effective control, security and governance,” Meeuwisse explained.
However, the first challenge is that the GRC of an organization often “comes to a grinding halt at the network perimeter,” and that isn’t a very effective approach.
The second challenge is that “what you pay for a cloud service may not reflect the risk,” Meeuwisse continued.
A third challenge is that “what you can control and configure in each cloud service varies,” so you can’t say any cloud service will be the same as another.
“All of these challenges can be resolved by extending GRC processes so they’re engineered to cover all enterprise activities wherever the information values go, but the problem is that the maturity of a lot of cloud providers really is very different. It’s the less mature cloud services that often present the higher risk.”
So do companies avoid partnering with businesses that have suffered a data breach because they see them as too big a risk, Rodger asked Javier Sanchez Ureta.
“It’s always a risk, so we [Banco Sabadell] take this into consideration, but we’re not going to say we ‘ban’ any vendor in advance. Everyone has the chance to join us and collaborate, but it’s true that we follow the record of vendors. We look for vendors to build a good incident response management process, because we know that we can be attacked or vendors can be attacked – it’s going to happen at some point in time – so let’s be prepared for the response and test it. When we test we know how prepared a vendor is to work with us.”
As the panel drew to a close, Knowles said that one of the biggest risks surrounding GDPR with regards to managing third parties and supply chains is the elephant in the room: the process piece. “That’s the piece that organizations really struggle with.
“An area from a process perspective we often don’t talk about is training,” she added. “People that handle data everyday need to understand the implications of the policies they follow to handle that data themselves.
“Companies that do the third party piece very well actually take the time with the third parties and help bring their security posture up to be close enough to theirs so that the whole ecosystem is the right level.”
To conclude, Meeuwisse was asked to outline what businesses need to be doing to cope with the extent of the work ahead to ensure good third party/supply chain posture in the face of GDPR guidelines.
“I think mostly this is a process and policy issue,” he said. “If you have the right policies and processes it’s not that difficult, but most organizations are struggling to understand how they extend appropriate governance into other services and third parties, and to what extent they are permitted to monitor compliance on a continual basis.”
After all, there is a key difference between how you do governance internally versus on a third party, but the more savvy organizations extend their security architecture beyond their network perimeter.