Corporate Compliance Insights

How to Enhance Information Security Efforts

The “Assumed Breach” Approach to TPISRM

by Evan Francen
March 12, 2019
in Featured, Risk

Evan Francen, CEO of FRSecure and Security Studio, makes the case for adopting a third-party information security risk management (TPISRM) program. He outlines how to get started and explains why the common excuses for ignoring the risks don’t hold water.

Third-party information security risk management (TPISRM*) is more critical today than it has ever been. There is little doubt among information security experts that TPISRM is essential to the success of your information security efforts, but the confusion in the marketplace makes it difficult to tell truth from hype. Ignoring the risks won’t make them go away, so something must be done. We just need to make sure it’s the right “thing.”

The Case for TPISRM

If the case for TPISRM isn’t obvious to you, you’re not alone. Only 16 percent of the 1,000 Chief Information Security Officers (CISOs) surveyed in a recent study claim they can effectively mitigate third-party risks, while 59 percent of these same CISOs claim their organizations have experienced a third-party data breach.[1]

Third parties are implicated in up to 63 percent of all data breaches,[2] and regulators are increasingly scrutinizing how organizations handle third-party risks. Your organization can spend millions of dollars on a secure infrastructure, best-in-class training and awareness solutions and the most skilled professionals, but if you neglect to account for third-party risks, some or all of that investment may be wasted.

Please let these numbers sink in for a moment. Logically, how do we deny the need for sound and cost-effective TPISRM when we know that it will decrease the likelihood and impact of a data breach? Logic says one thing, yet 57 percent of organizations don’t even have an inventory of the third parties they share sensitive information with.

Common Excuses For Not Establishing a TPISRM Program

We have other, higher-priority initiatives right now.

Most of us have dozens (maybe hundreds) of projects and tasks to complete at any given time. It is very difficult to discount the statistics about third-party incidents and breaches and justify that TPISRM is not a high priority for you. Difficult, but not impossible. If you can justify that other initiatives are higher priority, document that reasoning for when the inevitable happens. The numbers indicate that it is only a matter of time before a mistake or negligence on the part of a third party causes you harm.

We don’t have TPISRM in our budget.

You don’t need much, if any, money to get started with TPISRM. Start by compiling a third-party inventory, which won’t cost you anything. If you’re creative, it won’t even cost you much time. Send an email or go talk to your finance team. Ask them to provide you with a list of all third parties your organization is paying through invoices, corporate credit card payments or employee reimbursements. Now you’ve got a start, and this could be used to justify a budget. Another important note about budget: There are several quality products on the market that can be used for less than $200 per month.

We don’t employ enough third parties for it to matter that much.

Every organization has at least one third-party relationship, and all it takes is one. Fewer third parties just means less work, not no work.

We don’t have anything that anyone would want. We’re not a target.

This fallacy has been disproven thousands of times. Don’t make the mistake of thinking you know the motivations of attackers. Some attack for money, some for notoriety, some for power, some for revenge and some just want to cause chaos. Everyone has something someone wants.

There are few valid excuses for not establishing a TPISRM program. Logically, it doesn’t make sense to not account for risks when we know that most data breaches come through third-party relationships and that other people inherently treat other people’s things (data) with less care than they do their own. The market understands this, your competitors are waking up to this and compliance officials (agencies, regulators, auditors and investigators) are using more scrutiny than ever.

Failing to establish your own TPISRM program will come with consequences – some of which may be severe.

Assumed Breach

No matter what you do, you cannot prevent a third-party breach in all cases. The goal isn’t to eliminate risk. The goal is to manage risk. A breach will happen. This is the reality of risk, so play it out.

Assumed breach is a thought exercise. Informally (which is fine for now), it works by putting yourself mentally into a breach scenario. The best way to work through it is to ask yourself a series of questions, anticipate outcomes and predict next steps. Here is a simple assumed breach scenario for TPISRM:

  1. You find out you’ve been compromised by an attacker through one of your third-party providers. What do you do?
  2. You’ve been sued in response to the breach. What questions will opposing counsel ask you?

DISCLAIMER: Although I’ve worked with dozens of lawyers on data breaches, I am not a lawyer. None of the information in this article should be considered qualified legal advice.

This is where your answers determine your defensibility. A civil case hinges on a preponderance of the evidence, and what’s often in question is whether or not you’re negligent. Negligence is a failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances.[3] Your answers matter. Defensible answers tip the scale in your favor, poor answers tip the scale the other way. Here are some reasonable questions you could expect from opposing counsel:

  1. Did you know that third parties cause or are implicated in a majority of all data breaches?
  2. Did you know that data breaches caused by third parties are on the rise?
  3. Do you have a third-party information security risk management program?
  4. How many third parties does your company employ?
  5. Do you classify your vendors?
  6. How many high-risk/high-impact third parties does your company employ?
  7. Do you conduct risk assessments on all high-impact third-party relationships?
  8. Do your risk assessments account for the administrative, physical and technical aspects of information security?
  9. Are all high-impact third-party relationships assessed the same way?
  10. Have you established what an acceptable level of risk is versus what is unacceptable?

A reasonable and objective assumed breach scenario would lead you to questions like the 10 outlined above. To ensure your defensibility, you should have good answers to each of them, with as much certainty as possible. Anything short of a definitive, defensible answer is likely to lead opposing counsel to inquire further and to raise more doubt in the minds of the judge or jury.

Defensibility is very important for executive management and boards of directors. Defensibility might be the explanation for why 15 percent more boards were involved in TPISRM in 2017 versus 2016,[1] a positive trend.

Let Logic Be Your Guide

Avoid the hype and use logic to guide your TPISRM decisions. By now, you should be convinced that you should (or must) engage in TPISRM. The assumed breach approach will help you determine what it takes to put you and your organization in a defensible position. We learned that defensibility in TPISRM requires at least the following:

  1. That you engage in TPISRM. More formality in your approach is better.
  2. A third-party inventory. You can’t defend against what you don’t know you have. You have to know who your vendors are.
  3. A third-party classification scheme. Classification shows you’ve at least considered the risks your third parties pose to you. Not all third parties are used the same way.
  4. A third-party assessment methodology. Classification drives the type and depth of the risk assessment. It only makes sense that you would scrutinize third parties who handle your most sensitive information more than you would scrutinize a third party that never handles anything.
  5. Thresholds and remediation requirements. Your organization can only tolerate so much risk, so define how much risk that is. Remediate everything below the threshold or avoid the risk altogether.
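The five requirements above, together with the earlier suggestion to seed the inventory from the finance team’s payment records, amount to a small pipeline: inventory, classify, assess by tier, apply a threshold. The following is an added example (not the author’s code or any product’s) that models that pipeline in Python. The vendor names, payment lists, classification criteria (data sensitivity and access level), the 0–100 assessment score and the threshold of 70 are all constructed assumptions for illustration; your own classification scheme and risk appetite will differ.

```python
"""Added example: a minimal TPISRM pipeline (inventory -> classification ->
assessment scope -> risk threshold). Tiering criteria, the 0-100 score and
the threshold are illustrative assumptions, not a standard from the article."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
import re

# Constructed sample: three lists a finance team might export, as the article
# suggests (invoices, corporate card payments, employee reimbursements).
INVOICES = ["Acme Payroll Services, Inc.", "CloudStore LLC", "Office Plants Co"]
CARD_PAYMENTS = ["cloudstore llc", "Snack Vendor"]
REIMBURSEMENTS = ["ACME PAYROLL SERVICES INC", "Conference Travel"]

_SUFFIX = re.compile(r"\b(inc|llc|co|corp|ltd)\b\.?", re.I)


def normalize(name: str) -> str:
    """Canonical key so the same vendor spelled three ways counts once."""
    n = _SUFFIX.sub("", name.lower())
    n = re.sub(r"[^a-z0-9 ]", " ", n)
    return " ".join(n.split())


def build_inventory(*sources: list[str]) -> list[str]:
    """Step 1: one de-duplicated inventory from several payment sources."""
    keys = {normalize(raw) for src in sources for raw in src}
    return sorted(keys)


@dataclass(frozen=True)
class ThirdParty:
    name: str
    data_sensitivity: str                  # none | internal | confidential | regulated
    access: str                            # none | physical | network | privileged
    business_critical: bool = False
    assessment_score: Optional[int] = None  # 0-100 from the last assessment, if any


_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
_ACCESS = {"none": 0, "physical": 1, "network": 2, "privileged": 3}
_TIERS = ("low", "low", "moderate", "high")


def classify(tp: ThirdParty) -> str:
    """Step 2: tier by the worse of what the third party holds and what it can reach."""
    worst = max(_SENSITIVITY[tp.data_sensitivity], _ACCESS[tp.access])
    if tp.business_critical:
        worst = max(worst, 2)  # outage impact alone makes it at least moderate
    return _TIERS[worst]


def assessment_scope(tier: str) -> tuple[str, ...]:
    """Step 3: assessment depth is driven by tier and is identical for every
    member of a tier (the consistency question opposing counsel would ask)."""
    if tier == "low":
        return ("self-attestation questionnaire",)
    if tier == "moderate":
        return ("questionnaire", "contractual security clauses", "evidence sampling")
    return ("questionnaire", "contractual security clauses", "evidence review",
            "administrative controls", "physical controls", "technical controls")


RISK_THRESHOLD = 70  # assumption: assessment scores below this are unacceptable


def decide(tp: ThirdParty) -> tuple[str, str]:
    """Steps 4-5: (tier, decision). Low tier is accepted without a full assessment;
    anything higher must be assessed, and an unassessed high-impact relationship
    is reported as a gap rather than silently accepted."""
    tier = classify(tp)
    if tier == "low":
        return tier, "accept"
    if tp.assessment_score is None:
        return tier, "unassessed"
    if tp.assessment_score >= RISK_THRESHOLD:
        return tier, "accept"
    return tier, "remediate-or-avoid"


def defensibility_gaps(third_parties: list[ThirdParty]) -> list[str]:
    """High-impact third parties you could not defend in a deposition today:
    never assessed, or below threshold with no remediation decision recorded."""
    return [tp.name for tp in third_parties
            if decide(tp)[1] in ("unassessed", "remediate-or-avoid")]


# Constructed sample classifications for the inventory built above.
SAMPLE = [
    ThirdParty("acme payroll services", "regulated", "network", True, 82),
    ThirdParty("cloudstore", "confidential", "privileged", False, None),
    ThirdParty("conference travel", "confidential", "none", False, 55),
    ThirdParty("office plants", "none", "physical", False, None),
    ThirdParty("snack vendor", "none", "none", False, None),
]

if __name__ == "__main__":
    for name in build_inventory(INVOICES, CARD_PAYMENTS, REIMBURSEMENTS):
        print(name)
    for tp in SAMPLE:
        tier, decision = decide(tp)
        print(f"{tp.name:24} {tier:9} {decision:19} scope={assessment_scope(tier)}")
    print("gaps:", defensibility_gaps(SAMPLE))
```

Two points the code makes that the list does not spell out: seven payment records collapse to five third parties only if names are normalized before counting, and an unassessed high-tier relationship is surfaced as an explicit gap rather than defaulting to “accepted,” which is the state of affairs questions 6 and 7 above are designed to expose.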

What else can you think of that makes an organization defensible with respect to TPISRM?

*My apologies for another acronym, I realize we have enough in our industry already. I use it in the article because it saves me a lot of writing and it saves you some reading.


[1] https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party

[2] http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm

[3] https://www.law.cornell.edu/wex/negligence

Sources

  • http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm
  • https://www.opus.com/ponemon-2017/
  • https://www.law.cornell.edu/wex/negligence
  • https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party

Tags: Data Breach, Third Party Risk Management

Evan Francen

Evan Francen is an information security expert with more than 25 years of “practical” information security experience. He has an ambitious mission: fix the broken industry.  Evan is the CEO of FRSecure and SecurityStudio and the author of UNSECURITY: Information Security is Failing. Breaches are Epidemic. How Can We Fix This Broken Industry? He is also the designer of VENDEFENSE, the industry-leading, fully-defensible and automated third-party information security risk management solution made for all organizations.
