It’s Time for the C Suite and Boards to Truly Engage in Third-Party Cyber Risk Management
Given how much businesses rely on data, cloud providers and other aspects of the digital world, cybersecurity should be a topic on every boardroom agenda today. The reality is; however, most boards of directors and c-suites are comprised of individuals who have risen up through the ranks from financial, sales or business disciplines. As such, they almost always have a lot of expertise when it comes to things like finances, metrics and policy, but often very little when it comes to cybersecurity.
While some forward-thinking companies have created c-suite positions for IT and security personnel such as chief technology officers (CTO) and chief information security officers (CISO), these are, overall, still relatively rare. When they do exist, the CTOs, CISOs and similar IT executives don’t always get an actual seat on the board, and unfortunately their voices sometimes carry less weight. Their lack of voice is then compounded by the fact that most boards and C suites assume their IT and security teams have their cybersecurity covered. But with the increasing incidence of cyber breaches (most notably, third-party cyber breaches) and cyber regulations, this assumption is going to put the board and c suite in hot water.
In a recent BDO Governance survey, only 32 percent of the board respondents said they were briefed on cybersecurity quarterly, while 54 percent of board respondents said they were briefed at least annually, and 9 percent said not at all. Surprisingly, 73 percent say their organizations require third parties to meet some level cyber risk requirements. Our recent study of security and IT professionals found that only 36 percent of them felt their organizations effectively assessed third-party cyber risk. This disparity illustrates the need for boards and c-suites to be more engaged with their security teams, and particularly with third-party cyber risk management.
In fact, global consulting firm Protiviti recently found a high correlation between board involvement and highly mature vendor risk management (VRM) systems. In the Protiviti study, 57 percent of companies that reported having engaged boards also enjoyed the benefits of a mature VRM framework. Couple that with the fact that it’s frequently reported that the average cost of a breach is around $4 million and third party breaches tend to be the most expensive, at $7.5 million. And once you’ve factored in the impact on brand reputation, lost business and other incidental costs, that number gets even higher. The impact of a breach is a perfect example of how an organization’s financial and technological risks blend together, and why the board should be involved in creating a Third-Party Cyber Risk Management (TPCRM) strategy.
So, how can the board get involved? The first step is having a board that understands what a TPCRM strategy is, and the benefits of such a program. A good strategy is one that includes a comprehensive program for identifying the vendor landscape, prioritizing it, assessing risk, and of course mediating any risk that is deemed unacceptable. Data should be collected through a dynamic and validated assessment that continuously monitors the internal security controls or gaps of vendors, and not just using a surface scanning tool with publicly-available data or once a year static assessment. The continuous and validated approach will make the data provided by the TPCRM more valuable to the board’s decision-making process.
The board should also ask the right questions of the IT teams. For example, ask about the entire vendor ecosystem. Do they know who the riskiest vendors are, or which vendors handle, or have access to, your company’s most sensitive or classified information? And once these factors are known, what specific steps are being taken, or are planned, to mitigate the problem? The board should also know that the most valuable TPCRM programs don’t just look at vendors that their company spends most of its money on. It looks at the entire vendor pool and takes all levels of risk into consideration – so the organization can manage cyber risk across their portfolio.
Finally, the best TPCRM strategies are a joint effort. It’s in everyone’s best interest, the board’s, the IT teams and their third party, to assess and evaluate cybersecurity. Working together makes it much easier to present a united front against any potential attackers.
At the end of the day, your organization’s finances, metrics and value are all intrinsically linked to your cybersecurity, so it’s time to start paying attention.