“Sharing is caring!” We all heard this phrase growing up, and in today’s information security world it still proves to be fundamentally true. I’ve spent the past six years working with companies to influence their third-party risk management programs and encourage the adoption of an economic approach. As a practitioner, I test techniques to help companies mature their programs to meet regulatory compliance requirements. As an advisor, I assess company programs to help organizations step away from processes that prevent them from re-using relevant standard content and to design custom evolutionary approaches – all in the spirit of expediting risk awareness for resiliency. Yet still, the concept of information sharing keeps me up at night…
How third-party risk information sharing is evolving
Collectively, industries across the globe are working towards what I call ‘stop the questionnaire pandemonium’ by implementing profile-type content gathering. There has been a shift from gathering information about all of a vendor’s operations to collecting meaningful content relevant to the service being provided. At the most mature state, we have observed a trend towards simply collecting content specific to key or must-have controls. We mustn’t forget that the three most critical aspects to support all risk frameworks and meet regulatory requirements such as NIST, ISO, FAIR, and others are to:
1) Know your companies’ key controls,
2) Share standardized content and artifacts,
3) Identify and track risk closure to better understand risk tolerance.
Seems simple, right? Not always, but it can be.
How the Shared Assessments content library can help
The Shared Assessments content library toolset (notice I didn’t refer to a questionnaire) has become the most flexible and reusable content library of information on the planet. The content library can literally be right-sized by profiling to ensure that the information collected is relevant for risk management. Furthermore, the sharing of content yields machine learning opportunities to address the top vulnerable security controls. Implementing a standardized content library approach removes delay and waste from the collection of content and artifacts, making room for risk management. Storing your information security content and associated artifacts in a shareable network will stop the pandemonium, opening opportunities to reduce risk and face resiliency head-on.
To learn more about the best practices for finding greater assurance in your third-party business relationships, join me next week at the 12th Annual Shared Assessments Summit in Arlington, Virginia. Alongside other experts, I’ll be leading a panel discussion on Risk Framework and Risk Appetite and co-teaching a four-hour workshop session on Cybersecurity and Continuous Monitoring featuring an audience-participation third-party risk scenario tabletop exercise.
If you happen to be at the Summit, please stop by and see me at the Prevalent booth; I’d be happy to share my experiences with you!
For any questions regarding Prevalent, contact us today.