5 Questions CISOs Should Ask Third-Party Vendors

Assessing the risks of working with third-party vendors is nothing new for CISOs, but it has recently become an area of renewed focus.

Increasing use of third-party software inside organizations and in supply chains has introduced new risks. Insurance firm Corvus reported that the percentage of claims it handled related to incidents with third-party vendors rose from 15% in early 2023 to 29% in early 2024.

Supply Chain Attacks Push Vetting Third-Party Vendors To The Top Of The CISO Priority List

Recent third-party attacks have highlighted the importance of vetting vendors before signing on with them. In the Acronis Cyberthreats Report, H2 2024, the Acronis Threat Research Unit highlighted two data breaches from 2024 that had their origins in third-party relationships.

In August, National Public Data, which specializes in background checks, faced a massive breach compromising 2.9 billion rows of data. The breach stemmed from an attack on a third party. And in October, a breach at Financial Business and Consumer Solutions (FBCS), a debt collection agency, exposed personal data of over 237,700 Comcast customers.

CISOs don’t always have the control they need over the process of choosing third-party vendors since many organizations have decentralized procurement processes. Also, there are often business reasons and requirements to select a less-than-perfect vendor. But it’s still the CISO’s responsibility to ensure that third-party vendor risk is assessed and managed, and to control how organizations share data with outside vendors. So, CISOs and their teams need to play an integral role in vetting vendors.

Five Questions CISOs Should Ask Critical Vendors

There are five essential questions CISOs should ask prospective vendors. But first, they need to determine how critical a vendor is in terms of business impact. It’s not necessary, for instance, to grill a caterer or a supplier of pencils about cybersecurity measures. (The possible exception might be making sure an online ordering application is secure.)

But for vendors that are going to deal with vital data in some way or who are implementing critical processes, vetting is paramount. Any prospective vendor should be willing and able to answer these questions; any hesitation or inability to answer is grounds for cutting off communication altogether.

What is the vendor’s overall security program?

For starters, CISOs need documentation. A vendor handling sensitive data or implementing important business processes should have ISO certifications and — where applicable — SOC 2 reports or similar compliance documentation readily available. Third-party verification of the vendor’s security capabilities and overall cybersecurity status is essential.

Smaller vendors may not have such documentation, in which case a comprehensive questionnaire can take its place. Without rigorous third-party verification, CISOs need to ensure that they at least have comprehensive audit rights themselves, even if they do not plan to use them. Certain regulatory regimes (such as GDPR in the EU) could compel them to have such requirements included.

But that’s just the beginning. Unbiased confirmation is necessary, but not sufficient. It paves the path for more questions.

What is the vendor doing with security development?

CISOs need to know that all software vendors have a secure development lifecycle and see some evidence of it. Vulnerability detection and remediation are critical talking points. If a vulnerability is identified or an incident does occur, what is the vendor’s service level agreement (SLA) for remedying it?

This question can open discussion about the vendor’s use of open source in developing security capabilities and managing data. Open source development isn’t inherently dangerous, but it can carry risks.

The 2024 Open Source Security and Risk Analysis (OSSRA) report found that of codebases that included a risk assessment, 84% had at least one known open source vulnerability, and 74% contained high-risk vulnerabilities. Licensing for open source-based technologies can also be tricky and lead to legal issues. CISOs need to ensure that third parties can protect not only data but also intellectual property.

What are the vendor’s own supply chain practices?

Just as you investigate your prospective vendors, third parties should do the same with the vendors they use. CISOs need to know: Is the vendor reviewing third parties, and if so, how? With attacks originating from the supply chain on the increase, every entity in the chain needs to be verified as secure and trustworthy. If a third party isn’t practicing its own due diligence, it’s putting the whole ecosystem at risk.

Are the vendor’s privacy and data protection practices compliant?

If a vendor is going to process an organization’s data, the CISO needs to ensure that the vendor’s practices for handling data meet regulatory requirements. This is the question that will most likely lead to a hesitant answer from vendors that are struggling with compliance. Anything other than absolute certainty and proof in response to this question should be a disqualifier. Compliance is nonnegotiable, and assurance of data privacy is essential.

Is the vendor insured, and how?

Cyber insurance is a critical component of any vendor’s cybersecurity position. CISOs need to know that vendors are insured and, more importantly, get the details. For instance, if the vendor has a capped liability for gross negligence, the CISO should find another vendor. The bottom line is that if an employee at a vendor does something malicious, stupid or otherwise damaging, the CISO’s organization shouldn’t be on the hook to pay for damages.

CISOs Need To Have A Seat At The Table

A massive component of a CISO’s job is protecting an organization’s data. In most organizations, there is no one else in the C-suite with the security knowledge and expertise of a CISO. As such, organizations need to put CISOs at the forefront of software procurement and supply chain investment. And CISOs need to insist that they have the opportunity to ask the questions of vendors that could prevent a data breach and help the organization avoid a disaster.
