How to Build the Right Security Assessment – Security Boulevard

While ISO/IEC 27000, the NIST Cybersecurity Framework, the Shared Assessment SIG, Cloud Security Alliance CAIQ, the Center for Internet Security Top 20 and other standards now prevail in the cybersecurity industry, the third-party risk management discipline is still fragmented in its methods. Security risk in the supply chain has increased exponentially given complex, often global supplier networks, mounting cyberthreats and increased government regulations.

In trying to keep up, companies have implemented lengthy vendor assessments that regularly prove burdensome for their internal teams to manage. They're also onerous for suppliers, which must respond to similar questions asked in slightly different ways by every company they sell to. That muddies data collection and makes a consistent cross-industry evaluation difficult, if not impossible.

For instance, during some recent research exploring hundreds of security assessment questions, my firm discovered 10 iterations of a basic question asking if a supplier conducts penetration testing! Considering questionnaires can have hundreds of questions, it's easy to see the scope of the challenge.

A natural response would be to seek a set of standards for use in creating and implementing third-party risk assessment instruments. For example, the Shared Assessments Program, a global membership organization focused on best practices for third-party risk assurance, has created a useful tool with its Standardized Information Gathering (SIG) Shared Assessment. The SIG offers a great starting place for assessing risk management across 18 service provider business domains, using a common taxonomy for hundreds of questions.

The benefit of this and similar resources is that they are created by experts who evaluate a huge set of questions, intake a breadth of third-party risk management expertise and codify it. They apply an industry-agnostic, global perspective. They also continually update question banks as new information is uncovered and analyzed. Because it's their core business mission, the output is high-quality, comprehensive and likely better than any company could do on its own.

As valuable as this resource can be, organizations still often modify standard SIG questions to apply their own terminology or otherwise adjust them to meet their specific risk appetite. That exacerbates the inconsistency problem.

The pentesting question dilemma is a prime example. Assessment questionnaires not aligned to a standard framework require those completing the assessment to stop, read, understand and interpret a question for any nuance contained in it. Perhaps there's even a follow-up question included. This takes time and may actually increase errors.

Instead, given the availability of rich standardized tools and expertise, it's far more efficient for all concerned if organizations customize the way they apply standardized questions, mapping them back to their specific organizational risk threshold. For instance, think through which of the 18 SIG domains applies to your unique situation and select standard questions that align to your corresponding areas of risk. There are hundreds to choose from.

For those who insist that customized questions are necessary, consider standing in the vendor's shoes. Read your entire assessment questionnaire and honestly consider your reaction if you were told to complete it. If you're not willing to fill it out, it's the wrong thing to be sending.

What's more, the vendor cost burden is already prohibitive. Buyers who make the process too complex and consequently too expensive stand to drive away the best vendors, which will look for paths of less resistance. Those that do stay with you will pass the costs back to you in some other form.

It ultimately comes down to time, cost and sanity. Given the extensive supply chains that so many businesses depend on, yesterday's system no longer works. Third-party security assessments will remain a critical part of effectively managing the security risk that's inherent in the supply chain, but critical doesn't have to be complicated. Instead of recreating the wheel, embracing tools already available will help all of us reach the same objectives, improve efficiencies and secure the interdependent global business ecosystem.
