How to Manage Third Party Risk

Listen to learn how to best manage and minimize that 3rd party risk that often comes with using service providers.

SecurityMetrics Podcast | 34

"We all rely on service providers to keep our businesses afloat. I get asked all of the time, 'How do I know that this service provider is going to be careful with my data?' Service providers can elevate our risk, while at the same time giving us really important services that we need."

When using service providers, managing your third party risk can be a challenge. Paul Poh (CISSP, CISM, CRISC, CIPP/US) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss how we can best manage and minimize that third party risk that often comes with using these service providers.

Listen to learn:

  • Things to look for when choosing a service provider
  • Keeping your data secure with your service provider
  • Things you need to know about your own security

Resources:

Paul Poh on LinkedIn - https://www.linkedin.com/in/paulpoh/

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of How to Manage Third Party Risk

Hello, and welcome to the SecurityMetrics podcast. My name is Jen Stone. I'm the principal security analyst here at SecurityMetrics, and I wanna talk to you today about a very important topic. It's third party risk.


We've seen a lot of issues in the news recently. Kaseya, SolarWinds, the list goes on. We all rely on service providers to keep our businesses afloat. And I get asked all the time, how do I make sure that the service provider that's helping me is going to be careful with my data is not going to negatively affect my business?


We know that service providers can elevate our risk while at the same time giving us really important services that we need. But let me tell you about our guest first so that you know kind of his background, where he's coming from, and understand the value he brings to this topic. Paul Poh is managing partner at Radical Security. I'm just gonna read a little bit of his bio for you, because memorizing it would be really hard.


But, it would be cool, but I'm just not that good at this. So Paul has over twenty five years of technology and information tech, security experience.


Same. You know what?


I think we're about the same age, Paul, to Yes. We are.


I think we are. But it's a good age to be. Prior to Radical Security, Paul was chief technology officer for a leading security ratings platform where he led multiple technology teams in building and scaling a platform that could instantaneously rate the cybersecurity posture of any company worldwide. With a background in both large Fortune five hundred organizations and small successful startups, Paul was also head of information security and software architecture at the largest separately managed account processor in North America, where he was responsible for the protection of over a trillion dollars in assets.


He joined the account processor with the acquisition of a small highly successful provider of advanced wealth management trading tools where he designed the company's software as a service offering. I think you might already be getting the idea that when it comes to third party risk, this might have been on Paul's mind a lot through his career. An early innovator, Paul was cofounder for a managed security services provider. He fondly recalls those years where he designed a proprietary client service solution for remote management of an intrusion detection appliance while simultaneously implementing the twenty four by seven operations plan.


As a regular contributor to the third party community, Paul is a recognized leader in the educational development of third party risk assessors. He also provides advisory CECL services for several public and private companies. Paul, welcome to the show. Thank you so much for taking the time to talk to me again.


Thank you. Yeah. It's it's great to be here again, and, thanks for inviting me. So looking forward to, chatting about, third party risk.


Well, for for a lot of the people who who listen or or or watch on YouTube, third party risk is probably something we've all heard of, but but probably bears, describing again. But help help us understand exactly what it is. Put it in context.


Yeah. I mean, you know, when you think about any business, right, no business builds everything themselves. They use subprocessors. They use other companies, you know, whether it's hosting your applications on AWS, whether it's using Gmail or G Suite or Office three sixty five and a myriad of other, you know, solutions out there. It's your vendors. Right? So for most businesses, you know, these vendors introduce risk into the environment.


Right. You know, if if you are a bank, if you are a fintech, business, you know, you might have great security.


But, you know, what about your vendors? Your vendors that also have access to your systems. Your vendors that, you know, might be storing and processing information on on on your behalf. You know, in in the third party risk community, one of the examples that people always, talk about is the TJ Maxx credit card breach.


Right? One of the earliest and biggest credit card breaches, you know, well, maybe ten years ago now. Right? If you think about it.


You know, that that that credit card breach, you know, helped shape a lot of what we see in PCI today, and also along, the lines of, you know, why third party risk is important. Right? That breach didn't happen because the stores got breached. That breach happened because a little company called Fazio Mechanical, which probably nobody has ever heard of, was the was the, point of entry into the business, right, into all the point of sale systems.


Right.


Right? This was the company that had network connections to every store.


And what they did, it was a small mom and pop shop that did monitoring for the HVAC systems Mhmm. In the stores.


And, you know, it's it's kind of one of the reasons why in PCI today, you have, you know, this concept of, you know, CDE segregation of your networks.


Right. Yeah.


And I think that some of us have learned lessons from that and some of us have not learned lessons from that that how we, like you said, segmentation. There are a lot of organizations that don't segment their business side from their operational side. And and that's a that's one of the critical things that we've learned from, I think, third party risk management. But how you know, before we kind of delve into more examples, how does third party risk management differ from your internal security risk management?


Sure. I mean, it's it's really part of your, it's really part of how you manage your information security program. Right? It it it's it's how you manage your risk.


It it's it's a component of your your risk because you're you're when you, sign on a vendor, you are essentially extending your, attack surface onto that vendor as well.


Right?


Let's let's take banks because, you know, we do a lot of business with banks. Sure.


You know, most banks don't, you know, frankly, they don't run their own bank core. Right? They're not managing their own networks most times. They're not managing their firewalls.


You know, they have people, you know, in and out that are, you know, contractors or, you know, doing things for the bank, right, as part of the bank.


You know, that because they're not in the business of technology. So they they hire and they use a lot of third party vendors.


If I was to attack if I was a malicious actor and and I was to attack, you know, some hardened system, like a bank Mhmm. You know, the easiest way may not be, you know, directly at the bank. It might be through one of their vendors. If you if you think about, you know, some of the surveys that have occurred, right, like the Ponemon, IBM research, you know, breach report Mhmm. Most, you know, in the last couple of years when you look at how the the their, companies were breached, you know, about fifty percent of those breaches occurred because they went they went through a third party, through a vendor.


And and so, kind of sticking a little bit with the the, financial world, PCI.


So, a lot of, our listeners are required to follow PCI because they take credit cards. And and most of the customers that I work with have at least one service provider, but usually, they have an a whole host of of service providers that you have to list out. And PCI says you need to get an attestation of compliance or what's affectionately known in in the industry as an AOC from from that service provider. I think the intent there is to have some of that, risk management, done through the the instrument of an AOC.


Yeah. And and you know what? It's it's kinda interesting. Right? Because, you know, today, what we see a lot of is, you know, when people wanna assess how risky it is to do business with a vendor, they ask for audit documents Mhmm. Right, like the AOC, you know, if if they think it's PCI related.


You know, the most common one is a SOC two, right? At least in the United States. Right.


You know, those are great, but it really shouldn't it really shouldn't end there. You know, when you're when you're when you're trying to figure out whether if it's risky to do business with a vendor, you know, you have to actually read the SOC two. Right. Right? Not just kinda know that they have one.


There are a lot of auditors out there, and, you know, the reality is some are more comprehensive than others.


Right.


You know, some do a better job than others. You know, the other thing about, you know, audit reports like SOC two is, you know, the control environments and what's known as the complementary controls, the complementary user entity controls.


Right.


You know, there's an assumption that you have to have certain controls to, you know, for that for what's audited in SOC two to actually apply.


Mhmm.


You know, and and those kinds of things are really just baselines. Right? You know, other things that you have to kind of think about is, you know, your contracts with your vendors. You know, do you have provisions in there that, you know, protect you, right? You know, obligations on that vendor that they have a security program, an obligation on the vendor that if they have a data breach, they notify you.


You know, things like, you know, are they doing penetration testing?


Right.


Are they, you know, doing security awareness training?


You know, and, and, and just the fact that they have a security program and penalties associated with that. Right? Because a lot of times smaller businesses that are using, you know, third parties for, you know, data storage of critical data and and even processing.


You know, they may not have a fully fledged out third party risk program. So the very minimal thing you can do is have a contract or some security addendum that you asked the vendor to sign. Right. Yeah.


One of the things that I that I see often, is there will be groups that they're trying to get the business of another company. There they might be service providers, and they say, alright. They're asking me to prove that we have some kind of a security program in place. Or or the worst one is I've been asked to fill out this questionnaire and send it to them to show our security.


And and, I mean, I I just shudder to think what when people fill that out and send it off without even a third party assistance, when internally. Okay. I wanna get your business. I wanna show you that I'm good, and so I'm gonna fill out your questionnaire.


What value is in that?


Not to be, like, harsh or anything, but I think it's I think it's of limited utility.


It is actually kinda limiting. Right? So, you know, and this is one of those debates that happen, you know, within the vendor risk management and then the third party risk community. You know, are questionnaires good enough?


I think it's sort of one, you know, sort of a tool in the toolbox. Mhmm. Right?


And it's also how you use it.


You know, there are actually standardized questionnaires out there Mhmm.


That are actually very good. Right? Like, the Shared Assessments, you know, I'm affiliated with the Shared Assessments group, and they have a questionnaire that's used by a lot of, you know, banks, really. You know, it was started by banks.


You know, but but we see it in, you know, utilities, companies, health care, insurance, that sort of thing.


And really, if you are gonna use a questionnaire, you have to understand the answers, right, and you have to kinda look for telltales.


You know, a good assessor that's assessing, you know, that's managing third party risk will be kinda be able to pick out sort of the way that a vendor kinda answers that question. Right? For example, if you ask them that they don't have a if they have a SOC two and their response is, we use a you know, we host all our things in AWS, and here's AWS SOC two.


Right.


That means they don't understand what the question is. Exactly. They don't understand, you know, risk management. Right? Those are telltales.


Yes.


You know? And you know, I think, when, when you're looking at, you know, critical vendors, especially vendors that are, you know, processing, you know, your customer's data, you you really have to kind of understand sort of, you know, those answers that it that you're being asked.


Right.


And, you know, you ask for the SOC two. You have the, you know, you have the rights of inspection in your contract, and you might wanna invoke that. Mhmm.


Now if you're on the other side, right, if you're a service provider and you're trying to sell to and you are being asked for this kind of, stuff, you know, my advice usually is that, you know, you should think of it as almost like a free assess a free risk assessment in a way, especially if you're selling to, you know, large organizations like the tier one banks.


Right? If you're selling to, you know, one of the tier one banks, they're not just gonna accept your your your your SOC two. They're gonna have their own questionnaire. They're gonna have different teams that wanna look at their thing.


You know, and that sales cycle might might take a long time, but that process is almost like getting a a free risk assessment.


Right.


You know? And if you think about it that way as a service provider, you know, I'll guarantee you that the buyer is gonna be more appreciative, you know, of you being a partner versus some adversary Right. Which is their security team.


Exactly. And and to your point, I think, you know, you talked about signing a contract and and taking the time during the sales process, which is the place where I don't see, the effort always going in. But once you've signed that contract, you're kinda stuck. Right?


So so making sure as someone who is going to have third party, vendor relationships and is seeking out a vendor, the time to really iron that out is during that process before you sign something. And I think it's, it's reasonable to to have a, not just to fill out this questionnaire, but a but a lot of follow-up activities to verify the information. Even if you're a small company Right. If the if the service provider is working to get your business, then they're going to want to give you good information.


And the harder they make it for you, even if you're small, the the the less likely they're going to actually be a good partner for you once you do sign.


And and, you know, if if you are, if you are looking at vendors and you are a regulated entity, you know, for example, if you are in health care, you know, if you're a fintech, you know, definitely invoke the fact that you are required by law to do this. Mhmm. Right? You know, reality is that, you know, that service provider, especially at some SaaS business, you know, they're they're gonna wanna get into that, segment, you know, because that that's that can be a lucrative segment.


Right? Health care, you know, FinServ. And, you know, it it it just makes them a better better service provider. You know, I I kind of think of third party risk as ideally inside of, like, the the Nirvana world.


Mhmm. You know, it should be collaborative, right? It should be about protecting that ecosystem where the vendor and the customer are looking, you know, are looking to sort of protect the assets or the data assets of the actual end consumer. Right?


Because at some point, if there's going to be some end consumer.


Yeah.


Right. And so let's say that you are a company, a small, medium sized company, and third party risk management just hasn't really been a big part of what you do.


And you're looking to start, what would you what do you recommend for the, is there a good framework? Is there, is there, how do they do this?


Well, you know, I just want to mention, you know, I do have an affiliation with Shared Assessments. They probably have the most mature framework out there, is the way I kind of think of it.


And and the and the way you would start is probably with the simple things, right, which is that, first of all, understand whether if you have, you know, any shadow IT out there. Right? Like, are are you know, is when vendors get onboarded, is it just basically anybody that can do that, you know, with a credit card? Mhmm. Right? And and you really don't know sort of what your, you know, your your third party exposure is. You know, try to corral that first.


Mhmm.


You know, a good partner to work with is usually your account payables team. Right? Because they know, you know Right. Who's being paid.


And then, you know, put together sort of a procurement process. Right? The first step is to make sure that you know when new vendors come through and you know who those vendors are.


Easy things to start with is making sure that you have actual, you know, you you classify your vendors. Right? You wanna know you don't wanna spend too much time on the vendor that is, you know, I don't know, you know, you know, sort of watering the plants in the office. Right?


You know, that that's probably not a good, you know, so you you wanna have classification schemes to figure out how much risk that vendor brings into your business. Right. Right? And then start with simple things like, you know, maybe your your your tier one vendors, you definitely have to have contracts with them that have some sort of security addendum.


You know, ask them for it for SOC two. Right? Because if they're if they're b two b Mhmm. Right, they should be used to that answer that question.


Right.


You know, that those are easy ways to kinda start.


Now if you are a regulated entity, you know, you are required to do things like that. You know, if you're a covered entity under, you know, New York State's Department of Financial Services, for example, in financial services, you have to have a third party risk program.


Right.


If you're an insurance company, most most state laws require third party risk programs.


And then, of course, HIPAA.


That And and HIPAA. Yes.


That we HIPAA's HIPAA's kind of the ubiquitous like, we all we all can say the word, and it's it gets thrown around a lot. But but covered entities and even business associates know that they if they have third parties that could potentially affect the security of protected health information, then they should be doing these things. But it's it seems daunting for a lot of them. They're not quite sure how to start. They're not quite sure what to ask for. And so in the end, what I see is a lot of them ask for just a a business associate agreement.


Right.


But and a business associate agreement is, I think, part of it, it should be the maybe the the contractual piece that that locks in this agreement for data security, but it is not the the, the security program.


Yeah. The the the interesting thing about HIPAA though is that, you know, the HITECH Act, you know, makes the service provider sort of, you know, a covered entity as well. Yeah. Right?


Well, it makes them so that they're liable and they they they have to follow the same rules.


Yeah. For sure.


In the case of HIPAA, it's a little bit easier, right, because that service provider has to, you know, has to protect data Mhmm.


And and they become sort of a covered entity in the high-tech, HITECH Act, I believe. With financial services regulations, right, or or even, you know, utility and other things, The responsibilities on the actual service on the actual, sort of customer, right, the consumer facing business. Right? So a bank doing business with, you know, a, you know, a core processor or or a, you know, or even a marketing company, that might have access to data, you know, that that bank is gonna care a lot about third party risk because when something bad happens at the vendor Mhmm.


The regulator goes after the bank. Right? They're not gonna go after the third party. So if you're a service provider, you need to understand that and and you wanna be in the industry, you have to understand that that's why, you know, you know you know, banks, fintechs, you know, really will wanna put you through the wringer.


Definitely. So, as you've kind of worked in a third party risk space, helping people get there, what are some of the gotchas that you've seen people run into when when they're trying to assess third party risk?


You know, a lot of times it's, a lot of times, you know, if you don't really have a third party risk program, it's things like shadow IT. Right? People sort of, you know, onboarding vendors without, the knowledge of the third party risk management team.


You know, things like just resource constraints. Right? Because it can actually take a lot of time to, assess a vendor. Right? Because it's kinda like doing a risk. Like, if you if you recall doing a risk assessment yourself, you're basically now doing that risk assessment on, you know, potentially hundreds of vendors.


Right.


So you have to you have to use things to make it a little bit easier.


Right.


Right? Like questionnaires do help. Right? There are rating systems, you know, security rating systems, out there that, that, you know, will look at the external service of the vendor and, and understand sort of, you know, how, how much, you know, you know, have they suffered security breaches?


Do we see things about the the the attack surface publicly that, you know, make it look as though they have poor security hygiene? Mhmm. Right? Those are those are very helpful to have and make it very easy to assess the vendor.


And then, you know, you can also kind of look at the size of that service provider. Right. You know, if you're a smaller organization, the larger service providers are not going to be that interested in entertaining your questionnaire.


Right.


Right. But some of those larger organizations, already have prefilled questionnaires that you can just ask for. They may have a, you know, cloud assessment information questionnaire as well. Right. So you can always ask for that.


You know, and, but, but you still have to kind of look at it to make sure that, you know, if you're looking at their SOC two, that their expectations of the controls you have and the things that you have to use in their environment are things that you are using.


Right. Because just because they have a software doesn't mean your data is automatically, you know, more secure or not. Right?


So you mentioned a couple of things that that make me, kinda maybe clue people in on the idea that risk assessment is not just for the IT team. It's not just for the security team. It's not just for the technology group. Right?


And and, two of the groups that I think are key in this are your financial group, the the accounting group that that knows where the money is going, and, legal. So we see this a lot in universities where there are a lot of different budgets and a lot of different decision makers. The only way to find out who actually has, for example, PCI scope is to go to treasury and say, alright. We're you know how the money gets into your various, you know, coffers.


Where is it coming from? Who who set this up? And then that can help find the different data flows just for that specifically.


Right. But but it's not uncommon also in in maybe midsize companies, more complex companies, or or even companies that are more startups where there has been a less, defined process for what's who's allowed to spend money on what and and why.


Yeah. And and and, you know, speaking of startups, especially, you know, SaaS businesses, You know, if you're doing business if you're if you're buying services from a SaaS business, you know, it really is important to kinda, you know, do that assessment on that SaaS business. You know, one one thing that, you know, we've always kind of said and noticed that SaaS businesses love other SaaS businesses.


So you not only have to worry about your third party risk, but potentially your fourth party risk. Right? You know, if you're if you're if you're, obtaining services from some SaaS provider that, you know, is using a lot of other third parties because they're a startup and just, you know, stitching things together to to create that service, you you kinda need to know where your data is.


Right.


You, you kind of need to know, you know, are they, you know, is there any kind of, you know, forwarding of your data sort of outside of, you know, or, a boundary that you care about? Right? You know, these are things you have to kinda ask about.


The another thing that I that I've seen, with some of the groups that I that I talked to is, access controls that allow third parties access accessing your system, helping them understand that your contract with them, your agreements with them are not gonna protect you from a breach. If there is a connection to their systems, you need to protect, use it by segmentation, by logging, by monitoring, by alerting, by by whatever you have control of in your environment to put that additional layer of protection or knowledge of what's happening coming in from their environment, which is not always the, you know, protected because the assumption is, oh, well, we have this in place and they have this document that says they're secure, so we're not gonna worry about it.


Yeah. And and and and the reason why you do care a lot about that is, you know, if you think about, you know, if I'm a malicious if if I'm a malicious actor and I wanna attack, you know, lots of companies potentially, you know, what's what's what's better and and more, sort of cost effective than to go after some service provider that provides services to a lot of companies.


Right.


You know, if you think about, you know, what's been in the news like SolarWinds and Kaseya Right.


Right, it it makes sense. You know, there was, probably a few years ago, you know, a lot of attacks against, you know, MSPs.


Right?


You know, if you're a managed service provider.


And I wanted to spread ransomware, to a lot of companies, you know, it's going to be a lot easier to attack an MSP that has access to lots of other companies.


Right?


Sure.


You know, they may potentially have, you know, admin access to things like domain controllers of different companies, right? Because they're, they're managing their net, you know, active directory.


You know, they may have access to, you know, you know, the, the AWS root accounts, you know, if they're a CSP.


Those are the kinds of businesses that typically you would think that is safe to do business with, but you really want to extra care, you know, care more about how they manage their security.


Right.


If you're going to use their services.


Right. So one one of the big topics that always comes up whenever you have something like a SolarWinds or or Kaseya or one of these big third party service provider breaches, people always start talking about, well, we need regulations.


What are your thoughts on that?


You know, I I I kinda go back and forth about that. Right? So, you know, certain regulations can help, but you can't really make it too prescriptive because most times, you know, they don't really, they, they just become sort of checkbox kind of things. Right? And, and, and the problem I have with, you know, regulations is you tend to end up with regulations where you don't want to stifle the economy. So you make it very simple.


And then people say, well, I'm complying with the regulation.


And there's an assumption that that means they're secure, which isn't necessarily true.


Right. Yeah.


It's only a starting place or it's only It's it's just a starting place.


Yeah. Compliance is kind of where security starts. It's not where it ends.


And a lot of times I tell people, you know, the way you interpret, and again, it comes down to your assessor, the way you look at a compliance requirement can have a depth of security to it or not. You know? You can look at it in a way that will actually improve the security stance of the organization, or you can kinda skim over the top of it and just check that box. And Right. And so, that checkbox approach is not what I do. It always starts with the security, but that's not the experience of all assessors, and people need to be aware of that. So just because you have a piece of paper that says something is compliant, doesn't mean that it's compliant.


And like you, I've gone back and forth on on the question of how do we increase security awareness, understanding, the the whole grasping and and and making it important to to some of these people who don't seem to have, an incentive to take security seriously.


Yeah. And and I think that's kind of where, you know, that is potentially where regulations do help. Right? Because they it does kind of create that awareness in some cases.


It doesn't have to be, you know, it could be industry led type of set of, rules, right? Like PCI.


Right.


You know, even self regulating organizations, you know, in financial services, like, you know, FINRA, for example, you know, has groups like that.


You know, they, they tend to be geared more towards things like fraud. Right. But, but, you know, it, it does kind of set of, encompasses, you know, security in in a lot of ways.


Right. Well, I know when Sarbanes-Oxley came along and C-levels found out they could actually go to jail, it changed some minds in the industry.


But but it all it seems a bit pretty heavy stick though to to, deal with some of the issues that we're looking at today. Well, I sure appreciate you coming on to talk to me about third party risk. Is there do you have any final comments on it before we wrap this up?


You know, I, I, I guess, you know, my comment would be, you know, just remember that whenever you onboard a vendor, you know, you're really increase. You're not decreasing your risk, right? You potentially are increasing your risk. I think there's, there's a mindset sometimes that let's just outsource it and not have to worry about it. Right. You, you can't really transfer that risk to that vendor.


Right.


You know, in some cases you, you are sort of increasing that risk.


Yeah. Agreed. Agreed. Well, thank you very much for for joining me today, and I hope you have a great rest of your day.


Thank you. Thanks for having me.


Thanks again for joining us on the SecurityMetrics podcast. If you liked what you saw today, remember to like it, subscribe, share it with a friend, and give us comments. Send us an email. We would really like to hear what you have to say about our podcast. I wanna make sure that the people that we're having come talk to me are are people that are of interest to you as well and that the topics hit home on something that you're dealing with. Thanks again.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.