Living through the covid19 pandemic has increased security demands from organizations who engage with more and more third party vendors every day. Security leaders must constantly adapt to face evolving threats and unrealistic expectations, while debunking cybersecurity myths to make their jobs easier.
With vendors, employees, customers, and other stakeholders scattered around the globe in interconnected supply chains, risk managers need to secure the organization despite this “anytime, anyway, anywhere” approach.
If this is putting too much pressure on you and your team, it’s more important than ever to prioritize your time and energy. In order to do so, you first need to reframe the role and scope of the security leader
Debunking Cybersecurity Myths
The digital presence of vendors, business units, and employees has increased significantly. Security and risk management leaders are being challenged by an increasingly aggressive threat environment, while facing the unrealistic expectation that they won’t interfere with any business process. Otherwise, they will be perceived as bottlenecks or roadblocks.
The first step to change the scenario is to identify the most common misconceptions and actively work to reframe them.
1. Cyber risk is security’s problem → Cyber risk is a business problem
In Utilities, there’s a saying that “Safety is everybody’s business”. With increased reliance on outsourcing and third party vendors, cybersecurity has become everybody’s business too. Especially when the decisions of a single user in the supply chain can have bad security outcomes for the entire organization.
The role of the CISO and the CSO has changed over the past few years. Far beyond preventing and responding to potential data breaches, they are tasked with anticipating, assessing, and actively managing new and emerging threats.
To that end, they must work with other executives across different departments to align security initiatives with broader business goals, and mitigate any risks to the organization’s mission. This requires a new level of engagement from legal, compliance, and business owners, who need to team up with security to ensure their third party relationships are secure.
Read More: How to Get Legal, Procurement, and Business Units Onboard with Security
Traditionally, supply chain buyers haven’t had a major role in cybersecurity, but they need to be more actively involved in reducing risk in this new era.
In addition, boards, executives, and senior leadership need to buy-in and have a real desire to reduce the information security risks that are out there. Cyber risk is a business problem, and its solution needs to start at the top.
Read More: Obtaining and Retaining Executive Buy-in To Your Third-Party Risk Management Program
Fortunately, we see this trend materializing as 66% of organizations plan to increase their investment in cybersecurity, according to Gartner’s Annual global survey of CIOs and technology executives. (For more risk management trends, read this post.)
2. Security is a roadblock to speed → Security enables agile and secure operations
Across industries and verticals, there’s an ad hoc approach to risk management with a lot of “fire fighting”. While it’s helpful, it’s very reactionary.
Organizations need to move to more holistic risk management programs, which are manageable and measurable to make sure they’re addressing risks in a proactive way. This means moving on from inefficient and repetitive processes, such as manual vendor risk assessments, to optimized processes that allow teams to get to the heart of data faster.
In the process of due diligence and third party risk assessments, you probably send or receive dozens of security questionnaires. Traditionally, these are completed via emails and spreadsheets with numerous follow-up messages and chasing people to answer questions or attach security certifications.
For enterprise-level organizations and their vendors, it’s possible that 90% of those questionnaires have little to do with their day-to-day business and the services they offer. That’s a drain of resources allocated to filling out irrelevant and repetitive information.
Read More: Guide to Making Risk Assessments Easier
This approach inevitably slows down the security team, which is swamped with security requests every week and is forced to start from scratch every time. Aside from risk management and compliance, security also needs to enforce other measures and controls to protect the network.
As a consequence, other teams perceive security efforts as roadblocks and might sometimes try to bypass controls and policies in order to “speed things up”. In risk assessments, this often means sales teams sending wrong or outdated security documents, to avoid involving security. (We’ve covered these efficiency issues and how to overcome them in this guide for enterprises and third party vendors.)
In order to reframe this misconception, leverage your executive buy-in to communicate across the organization the importance of protecting the enterprise network as a team effort. To increase efficiency, choose technologies that offer high levels of integration, automation, and orchestration capabilities.
Building relationships with business unit leaders, heads of sales and marketing is key as their increased technology use is leading to a higher volume and variety of information risk decisions. This will be helpful in developing a culture of cyber judgment and aligning it with evolving talent needs.
3. Perimeter security keeps the organization protected → Granular controls are essential
Organizations would usually depend on the traditional perimeter security approach, building barriers to keep intruders out of the network and trusting what’s inside. Perimeter security uses controls like firewalls and browser isolation systems to accomplish threat recognition and pattern analysis.
However, many leaders believe perimeter security is not effective on its own, and needs to be combined with other kinds of internal security controls.
Think of a VPN tunnel that would allow all traffic from a trusted vendor connection, just because it was deemed secure once. That’s not the world we live in anymore: Anything can happen in a trusted connection, including zero-day events and supply chain attacks.
So how do you enable authentication at this very granular level and for each resource? Adopting security principles like Zero Trust where essentially you don’t trust anyone, not even employees coming in from their homes; or Multi-factor authentication (MFA) to validate and protect the identity of network users.
According to an IDG survey, 52% of organizations plan to research or pilot zero trust technology in 2022, and you should too.
When it comes to vendor management and trusted connections, you can strengthen your risk assessments or periodic reassessments by asking questions about how they are protecting their remote infrastructure, or responding to the accelerated digital transformation. This will help you take a more proactive approach to security and move past traditional controls that simply are not enough in today’s world.
Are you ready debunk these cybersecurity myths in your organization? Let us show you how the ThirdPartyTrust risk management tool can help. Talk to an expert today.
Don’t let zero days be “wake up calls.”
Unpredictable vulnerabilities will be an ongoing concern for security teams inthe foreseeable future.
In this guide you will learn the fundamentals of zero days, patterns from our statistical analysis, and tips to reduce risk and remediate zero days if/when they happen.
