Best Practices in Cybersecurity: Third-Party Assurance

  • Writer: Sean Murphy
  • Mar 1

Updated: Mar 25



Standards and frameworks that grade organizational risk maturity are useful but need IT leaders to exercise due care and attention

Tom Ascroft, CISO, Unit4

 

Third-party assurance is now being mandated by incoming compliance regulations such as NIS2, and it has many obvious benefits as organizations grapple with the ever-shifting landscape of cybersecurity risks. If resources are stretched in house, being able to turn to an external expert to assess risk maturity can be time saving, reassuring and a valuable way to gain an outside-in perspective. But smart CIOs and CISOs need to put guardrails in place to get the most from their investments and to understand the true nature of the risks in context.


What is third-party assurance? Effectively, the requirement is an attempt to establish the extent to which suppliers are implementing security controls, and therefore how safe they are for the user organization. Many readers will have seen the requirement in the context of standards and frameworks such as ISO 27001, which is widely deployed in Europe, and NIST, which is more popular in North America. Both suggest that companies map their third parties’ activities and digital supply chains to establish risks and vulnerabilities but, as we shall see, they are far from being universally used.


How’s your appetite?


One reason why third-party assurance can be challenging arises at the very beginning of the process: organizations will inevitably have varying appetites for risk. Heavily regulated sectors such as finance and pharmaceuticals, and those that manage sensitive user data, will tend to be significantly more risk-averse than others, and a third party may see things differently, so a single set of rules or judgments can’t apply to all.


Another issue is that many organizations simply don’t have a formal policy or statement on their risk tolerance. Without such a statement it is close to impossible to reason logically about where to invest in risk management and how much time, attention, staffing and budget should be deployed.


A further issue is that organizations are often complex, so understanding security risk cannot be a one-size-fits-all affair. Departments or zones within the organization will often have very different risk tolerances.


Even for those that have addressed risk tolerance diligently and documented their thinking, there are challenges. Many IT security leaders will use standard questionnaires as templates to assess supplier maturity: the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ), for example, has risen in popularity alongside cloud apps and platforms and can be a useful lever. However, it depends on binary responses; understanding risk and maturity at a deeper level requires a deeper level of engagement and reasoned, contextual answers, which many third parties will not provide.


Again, not all assessments are of the same value. Querying a supplier of a commodity tool that doesn’t go near personal or regulated information may not be necessary, so it’s sensible to consider how much value a supplier brings to the organization and calibrate the value/risk ratio accordingly.


The A/B, Yes/No questionnaire model can lead to some odd consequences. For example, role-based access control is undoubtedly a valuable aspect of security, but some scorecards will reward vendors that list dozens of potential roles, even though for many software programs having so many options would be unnecessary.

So, these can be useful tools to analyze issues, but they are far from foolproof.


Using sense and inference


Understanding risk isn’t easy. Often the IT leader needs to do some detective work, inferring potential risks rather than relying on a generic number or grade rating. Smart CIOs and CISOs need to stay on top of the latest intelligence and risks, read relevant reports, understand the data regulatory landscape and ask germane questions of their suppliers in areas such as data loss prevention and access control. But be realistic: most software companies will only have so much time to help, so seek out publicly available information from websites and portals first, and only ask questions that are relevant.

Ultimately, no organization is perfectly secure. Business, like life itself, is inherently risky, and a real belt-and-braces approach seeking minimal risk would leave very limited scope for creativity and innovation. To defend themselves, IT leaders and their teams need to retain a range of options: scanning the threatscape for changing attack vectors, predicting the impacts of internal or market changes, sharing knowledge with peers, maintaining a working knowledge of the regulatory landscape, communicating risks to employees and pursuing red-team and penetration-testing simulations of attacks.

Third-party assurance is useful, but it needs to be paired, first, with an understanding of the organization’s own risk profile and, second, with antennae fully alert to the limitations of the responses it is likely to receive. As the professional membership group ISACA has noted: “To maintain appropriate control over suppliers, it is important to test suppliers. The more that is done to mitigate risk, the less likely risk will arise.”

So, have a risk appetite statement and review it regularly, establish what is important to your organization, understand the level of information you need from third parties and match the depth of knowledge you seek to your level of dependence on the supplier.

 

Tom Ascroft, Chief Information Security Officer (CISO)

Tom joined Unit4 in February 2021 and is accountable for Unit4’s cyber security globally, identifying emerging security threats and developing the strategies, policies, overarching controls and organizational security culture that are pivotal to mitigating them. Prior to joining Unit4, Tom was Chief Information Security Officer at the University of Surrey, where he transformed and re-shaped the cyber security offering within the IT Services department. Previously Tom held the Director of Information Security role across EMEA for Avanti Communications, followed by Head of Information Security Consulting for Legal & General PLC in the UK, covering information security requests, third-party cyber assurance, penetration testing and application testing. Tom holds an MBA from Warwick Business School.

 

About Unit4

Unit4's next-generation enterprise resource planning (ERP) solutions power many of the world's mid-market organizations, bringing together the capabilities of Financials, Procurement, Project Management, HR, and FP&A to share real-time information, and deliver greater insights to help organizations become more effective. By combining our mid-market expertise with a relentless focus on people, we've built flexible solutions to meet customers' unique and changing needs. Unit4 serves more than 5,100 customers globally across a number of sectors including professional services, nonprofit and public sector, with customers including Migros Aare, Southampton City Council, Metro Vancouver, Durham Catholic District School Board, Buro Happold, Peab, North Sea Port Netherlands, Save the Children International, Global Green Growth Institute and Oxfam America. For further information visit www.unit4.com.