[BreachExchange] CISOs: Make 2020 the year you focus on third-party cyber risk

Destry Winant destry at riskbasedsecurity.com
Tue Jan 28 10:22:06 EST 2020


https://www.helpnetsecurity.com/2020/01/24/third-party-cyber-risk/

While cybersecurity professionals are certainly aware of the growing
threat posed by sharing data with third parties, many seem to lack the
urgency required to address this challenge.

If there is one work-related New Year’s resolution I’d like CISOs to
make as we enter 2020, it’s to give the challenge of third-party cyber
risk the attention it needs. In fact, I no longer see this as optional
or as an extension of an enterprise risk and cybersecurity strategy,
because third-party data breaches will dominate the threat landscape
in 2020.

Data breaches and third-party cyber risk

This is not a new challenge. Headlines over the last few years are
filled with major breaches caused by hackers accessing companies’ data
through their third-party vendors.

Six years ago, attackers breached Target by using login credentials
stolen from a company that provided HVAC services to the retailer.
That breach should have been a wakeup call for enterprises and
cybersecurity vendors to address the challenge of third-party cyber
risk, but years later these types of incidents are becoming even more
frequent.

In the last year, for example, an unauthorized user gained access to
data on 11 million Quest Diagnostics patients through the company’s
partner debt-collection agency. Another bad actor accessed data on
millions of Capital One credit card applicants through a misconfigured
Amazon cloud container.

Estimates indicate that around 60 percent of data breaches are linked
to third parties, and we can expect that percentage to increase as
more companies embrace digital platforms and new operating models that
require sharing of data with partners and service providers.

Enterprise boundaries will continue to blur in 2020 with more
organizations investing in cloud computing, using file sharing
platforms such as DropBox, Google Drive or OneDrive, and connecting
more devices on the edge of their networks.

If CISOs continue to focus cybersecurity tools and resources within
the company perimeter, they are fighting the wrong battle in an
increasingly multi-front cybersecurity war.

Elevating third-party cyber risk to a C-suite and board imperative

One of the most important things CISOs can do to put the appropriate
focus on third-party cyber risk is to make it a corporate reputation
issue requiring support and oversight from C-suite and board
executives.

Along with the opportunities for greater innovation, productivity,
operational efficiency and customer engagement, digital transformation
has created new vulnerabilities across the enterprise – and beyond its
borders – that could impact corporate reputation if exploited.

With the average enterprise engaging with several hundred partners and
other third parties, it’s not a question of “if” the data will be
exposed, but of “when” and how much corporate reputation will suffer
as a result of loss of trust.

CISOs must get better at educating business leaders about these
unintended consequences of digital transformation. The reality,
however, is that 63 percent of CISOs don’t regularly report to their
boards, according to a recent Ponemon Institute study. Worse, a
stunning 40 percent of CISOs said they never report to their boards at
all. This lack of connection and accountability at the C-suite and
board level is a major problem.

What CISOs should do

CISOs in 2020 must become stronger advocates for shifting from
reactive to proactive cybersecurity postures. They must advocate for
creating more resilient and cyber-aware cultures where cybersecurity
is seen as everyone’s responsibility.

CISOs should also start to align their investments in cybersecurity
with the new reality that threats are more likely to materialize
through third parties.

That means not only assessing third parties for potential
vulnerabilities, but using new approaches and tools coming to market
that can identify actual data that a third-party inadvertently
exposed, and that can enable immediate remediation.

Are you optimistic?

I am optimistic about the cybersecurity industry’s ability to rise to
this challenge, provide those tools and help CISOs shift and elevate
their organization’s cyber posture when it comes to third-party and
other emerging risks. It’s why I left the FBI to join the industry
after 20 years working in the bureau’s cyber, counterintelligence and
counterterrorism branches.

I’ve seen firsthand how damaging third-party data leaks can be for
businesses and other institutions, and I’ve seen the struggles CISOs
undertake to just keep up.

With the right resolve and the right support from the cybersecurity
industry, CISOs can take charge of this challenge in 2020, commit to
shifting their focus toward third-party cyber risk, and engage C-suite
and board executives about the strategic importance of doing so.


More information about the BreachExchange mailing list