Corporate Compliance Insights

Why Companies Misunderstand Third-Party Cyber Risk

by Shay Colson
August 23, 2018
in Data Privacy, Featured

Rethinking How We Discuss Vulnerabilities in the Digital Supply Chain

The fundamental principle that makes the internet so powerful is the concept of connecting previously disparate systems, and yet many firms are struggling to understand the digital – and in particular, the cybersecurity – implications of their business relationships. Why is this? In short, this is a challenge of language. As cybersecurity professionals, we are failing in our duty to help explain cyber risks in a way that makes sense to those facing such risks.

We talk about the “digital supply chain” as if this is a term that will make immediate and innate sense to boards and leadership suites across the professional services world. Unfortunately, all too often, that’s not the case. “Supply chain” conjures images of factory floors, of coordinating suppliers or logistics, just-in-time production or perhaps enterprise resource planning (ERP) systems. These are the exact wrong metaphors to be conjuring, and if we are to be successful in helping our clients (internal or external) to not only understand these risks, but also mitigate them, we must change the conversation, beginning with the very words we use.

Trusted Relationships

To start, I suggest using the phrase “trusted relationships” or “partners” over terms like “digital supply chain” or “suppliers.” Traditional terminology conjures a one-way relationship, wherein the firm simply procures products or services from the supplier and then proceeds to do its value-added work. The reality of today’s relationships is much more fluid. Data flows back and forth between your firm and the third parties that support the business in more ways than most even understand. Perhaps this takes the form of sharing sensitive intellectual property or proposed merger details with an outside law firm. Perhaps it is leveraging an external provider for email or cloud storage services. These are standard practices, but the risks are rarely fully understood.

When the American Bar Association established its Cybersecurity Legal Task Force, it noted that 80 of the top 100 law firms were breached in a single year. Intellectual property and M&A information is a perpetual target for state-sponsored organizations, with recent reports from the Washington Post indicating that China has continued its efforts. Yet these trusted relationships remain critical to getting business done, forcing firms into the difficult position of having to evolve into a “trust, but verify” mindset.

Identifying and Contextualizing Relationships

Once the nomenclature has been adjusted, the next step in the evolution of evaluating risk in trusted relationships is to expand the concept and identification of these relationships and partners. The rise of cloud service providers, apps and outsourcing has created great efficiencies for many small and medium (and even large) enterprises. Firms can outsource many typical business functions (such as HR or IT) and focus on their core competencies. This does, however, bring with it additional risks. In this new arrangement, information about your employees or your systems now rests outside your walls and largely beyond your reach. If a security incident occurs with your HR software provider, it can become a very real headache very quickly, as a recent breach at an HR software-as-a-service company demonstrated.

This problem is not isolated to small firms or to startups. A robotics firm used by some of the world’s largest automakers recently revealed that over 10 years of proprietary data from over 100 companies leaked thanks to a misconfigured backup. In fact, for large organizations, it can be even more difficult to fully understand the complex web of relationships that make the business function. Still, this basic understanding is essential for any firm looking to improve its security posture. Where and how does data flow in and out of your organization? What technical or policy controls govern those data flows? Without this level of understanding, information security teams won’t be able to help procure an appropriate level of cyber insurance to cover you in the event of an incident, will struggle to develop a key management strategy for encrypting and maintaining data stored offsite, and will fail to implement a third-party risk management process that highlights vulnerable vendors or data practices.

But there is hope. By implementing more deliberate, trusted relationship strategies, cybersecurity professionals can begin to change the conversation. These third-party risks are real, but they’re also manageable. Once you’ve helped your leadership understand what they are, you can help them understand how to make better-informed risk-based decisions. We’ll never eliminate risk, but the more we understand it, the better we can address it. As more firms demand improved cybersecurity posture from their partners and trusted relationships, the resulting best practices will benefit everyone else your partners work with. A rising tide, indeed.


Tags: Cyber Risk, Supply Chain, Third Party Risk Management

Shay Colson

Shay Colson, CISSP, is Senior Manager of CyberClarity360™ at Duff & Phelps. Shay joined the firm from the U.S. Department of the Treasury to lead the Assessment Team for CyberClarity360™. He has over a decade of experience in cybersecurity and information assurance, with a focus on designing and building secure systems. In his role with the U.S. Department of the Treasury, Shay led vulnerability identification and technical security efforts, including serving as Security Lead for Treasury’s cloud-based Integrated Talent Management Platform. He applied that expertise to identify, deliver and facilitate cybersecurity and risk management strategies that improve security posture. He is an expert in the NIST Cybersecurity Framework and 800-53 control set.

© 2025 Corporate Compliance Insights