When implementing a third-party risk management or vendor risk management (VRM) program, there are many decisions that must be made: How many levels of criticality should there be? What security requirements should be considered at each level? Which criteria will be used to evaluate the criticality of services? But most importantly, what compliance assessment mechanism should organizations use?
Since organizations cannot expect any standard to reflect their risk profile and risk management strategy, they cannot rely on a standard, certification or accreditation to assure third-party compliance with specific security requirements. Does this mean that organizations are forced to require third parties to provide evidence of their security measures or, in critical cases, to audit them themselves?
I believe that organizations have another option. They need to establish a consensus on the most efficient and effective way to measure the security of the third-party services they wish to use.
If one thinks about it, this is the same problem that states or provinces have when, for example, they want to define the speed limit of a road. Since all roads are different, and each state imposes its own laws to limit the occurrence of accidents, different roads, and even sections of the same road, have different speed limits. The key is that states have reached a consensus on measuring speed with the same metric and can, therefore, manage the issue simply. Since all speed is measured in miles per hour or kilometers per hour, this measure can be used to set the speed limit on each section of road to limit accidents. Though different portions of the same road may have different speed limits, having a common unit of measurement makes evaluating driver speed much simpler as the speed limit changes.
If organizations apply the same logic to this situation, they need to find a consistent measure of the level of security and apply it to the services they receive from third parties.
There are different approaches to this problem but, in my opinion, cybersecurity capability models come closest to providing the “measurement of speed.” Using a capability model that incorporates both process maturity and security robustness, organizations can effectively and efficiently understand the level of cybersecurity capability of any third party protecting their information or systems, and check whether that level meets their need. That need derives from the criticality the organization has assigned to the process, and it is expressed simply by mapping the organization's cybersecurity requirements to the capability categories of the chosen model. With this method, users need not audit all of their third-party vendors individually (which is virtually impossible); instead, a common measurement method can be shared with all users to signify the level of security implemented for each third-party service. This strategy results in significant savings for both users and third-party providers.
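To make the mechanism concrete, the following Python script, added here as an illustration and not code from the author or from LEET Security, shows how a user organization can compare a third party's rated capability levels against the levels its own criticality tier requires. The capability categories, the 1 to 5 maturity and robustness scale, the three criticality tiers, their required levels and the sample vendor rating are all constructed assumptions for this example; a real program would substitute the categories and levels of whatever capability model it adopts.

```python
# Constructed illustration of the "common measurement" approach: a vendor is
# rated once, per capability category, on two dimensions (process maturity and
# security robustness); each user organization then checks that rating against
# the levels its criticality tier requires, instead of auditing the vendor itself.
# Scale, categories, tiers and sample data are assumptions, not any real scheme.

from dataclasses import dataclass

CAPABILITY_CATEGORIES = ("access_control", "incident_response", "continuity", "data_protection")

# Required (maturity, robustness) level per category for each criticality tier,
# on an assumed 1-5 scale. A criticality tier is what the user organization
# assigns to the process the third-party service supports.
REQUIRED_LEVELS = {
    "low": {cat: (2, 2) for cat in CAPABILITY_CATEGORIES},
    "medium": {
        "access_control": (3, 3),
        "incident_response": (3, 2),
        "continuity": (2, 2),
        "data_protection": (3, 3),
    },
    "high": {
        "access_control": (4, 4),
        "incident_response": (4, 3),
        "continuity": (4, 3),
        "data_protection": (4, 4),
    },
}

# Tiers from most to least demanding, used to find the highest tier a rating serves.
TIERS_DESCENDING = ("high", "medium", "low")


@dataclass(frozen=True)
class Gap:
    """One category/dimension where the vendor's rated level is below the requirement."""
    category: str
    dimension: str  # "maturity" or "robustness"
    required: int
    rated: int


def evaluate_vendor(rating, criticality):
    """Return every gap between a vendor rating and the required levels of a tier.

    `rating` maps category -> (maturity, robustness). A category missing from the
    rating is treated as level 0 on both dimensions, so it always shows as a gap.
    """
    required = REQUIRED_LEVELS[criticality]
    gaps = []
    for category, (req_maturity, req_robustness) in required.items():
        rated_maturity, rated_robustness = rating.get(category, (0, 0))
        if rated_maturity < req_maturity:
            gaps.append(Gap(category, "maturity", req_maturity, rated_maturity))
        if rated_robustness < req_robustness:
            gaps.append(Gap(category, "robustness", req_robustness, rated_robustness))
    return gaps


def is_acceptable(rating, criticality):
    """True when the rated levels meet or exceed the tier's requirement in every category."""
    return not evaluate_vendor(rating, criticality)


def max_criticality_served(rating):
    """Highest criticality tier the rating satisfies, or None if it satisfies none.

    This is the reusable statement a shared rating makes to every user: the most
    critical kind of process this service's measured security level supports.
    """
    for tier in TIERS_DESCENDING:
        if is_acceptable(rating, tier):
            return tier
    return None


# Constructed sample rating for one vendor, as a shared rating would publish it.
VENDOR_A = {
    "access_control": (4, 4),
    "incident_response": (3, 3),
    "continuity": (3, 2),
    "data_protection": (4, 4),
}

if __name__ == "__main__":
    for tier in ("low", "medium", "high"):
        gaps = evaluate_vendor(VENDOR_A, tier)
        status = "OK" if not gaps else [(g.category, g.dimension, g.required, g.rated) for g in gaps]
        print(f"{tier}: {status}")
    print("highest tier served:", max_criticality_served(VENDOR_A))
```

Run as a script, it reports that the sample vendor is acceptable for low and medium criticality processes, lists the three maturity and robustness shortfalls that rule it out for high criticality, and reports "medium" as the highest tier it serves. The design point is that the rating is produced once and reused by every user organization; only the mapping of requirements to required levels per tier is organization-specific.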
Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah, is founding partner and chief operation officer (COO) at LEET Security Rating Agency, Spain.