Improving Third-Party Incident Response Starts with a Solid Incident Management Foundation

Focus on preparation, communication, and lessons learned to be better prepared for the next vendor breach or supply chain disruption.
Bob Wilkinson
CEO, Cyber Marathon Solutions
May 02, 2022

Third-party incident response is the process used to identify, investigate, and react to data breaches, natural disasters, or other external adverse events affecting an organization via its vendors or other business partners. The goal of third-party incident response is to maintain operations – or at least quickly recover – when business disruptions occur in a vendor ecosystem or supply chain; in other words, to maintain operational resilience.

Incident Response vs. Incident Management

The terms incident response and incident management are often confused or used interchangeably. Many authorities, like the UK National Cyber Security Centre, define incident response as a subset of incident management. In this view, incident response is more focused on the technical aspects of an event, including triage, analysis, mitigation, remediation and recovery. Incident management is a more holistic program that wraps incident response with broader preparations, communications, and reporting processes.

Incident Management as the Foundation of Incident Response

The incident management (IM) process can be broken down into the following steps, based on the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61:

  • Incident Management Process Preparation
  • Incident Detection, Communication and Reporting Procedures
  • Incident Triage and Analysis
  • Incident Containment and Recovery
  • Post-incident Follow-ups, Including Lessons Learned

When it comes to vendor breaches, protected data exposures, supply chain disruptions, or other events, most organizations focus on reactive activities like incident prioritization, root cause analysis, containment, and recovery (i.e., incident response). However, I’ve found that the areas of IM that focus on preparation, communication, and lessons learned are where organizations can improve their incident readiness the most.

Three Incident Management Processes to Improve

1. Process Preparation

To implement an effective incident management process, you have to first identify and assign responsibilities to the correct stakeholders – both within your organization and across your extended supply chain.

Performing tabletop exercises, where incidents are simulated to familiarize all stakeholders with the IM process and their roles and responsibilities, ensures that necessary resources and capabilities will be available when needed. This, along with periodic testing of your procedures and validation of your contact lists, gives you confidence in your ability to respond, when – not if – it is required.

2. Detection, Communication and Reporting Procedures

Cyber intelligence helps your organization prevent incidents from occurring by continuously monitoring for actual events and signals of possible future events. Detection processes ensure you find and act upon potential incidents in a timely manner, limiting potential exposures and damage.

As part of this process, you need to inform key stakeholders; depending on incident severity, these include your senior management and Board of Directors, along with any regulatory bodies. Doing so is critical to operational resilience and to avoiding negative reputational, financial and regulatory impacts. Communication therefore plays a vital role in your IM process, both to remediate the effects of an incident and to keep key internal and external stakeholders informed, and it results in quicker incident resolution.

3. Post-Incident Follow-ups, Including Lessons Learned

Learning from what went right and wrong is another important aspect of the incident management process. By examining what led to an incident in your organization or supply chain, you can ensure that mistakes aren’t repeated, and reinforce risk management for any subsequent incidents that may occur. Follow-through is key to verifying that corrective actions and program enhancements are properly implemented.


Why Incident Management Is Important in Third-Party Risk Management

Effective incident management and third-party risk management (TPRM) go hand-in-hand. Identifying your third, fourth and Nth parties enables effective incident management, given that as many as half of all incidents originate with vendors.

Third-party and subcontractor contracts need to include IM/breach notification requirements within a fixed timeframe (usually 24 hours, and in any case as soon as practical) after a major incident is identified. Validation of your third-party IM processes and contacts, along with periodic testing, including phone call trees, ensures operational readiness to respond to and resolve incidents.

Resources for Effective Incident Management

Third-party incidents can disrupt your ability to deliver products and services to your customers. While having an incident response plan is key to mitigating disruptions in the heat of the moment, improving your organization’s broader incident management systems and processes will help you be better prepared for when incidents do occur.

Here are some additional resources that you can use to benchmark and improve your incident management program:

Bob Wilkinson
CEO, Cyber Marathon Solutions

Bob Wilkinson is the CEO and founder of Cyber Marathon Solutions, a cyber security and third-party risk management consulting company. He has over 30 years of progressive experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology for global companies and clients. In his last position, Robert worked as a CIO and CISO for a Global Systemically Important Bank (G-SIB). Robert serves on the Shared Assessments Program’s External Advisory Board and is a previous chairman of the Shared Assessments Program. He also serves as an Avasant distinguished fellow, co-leading Avasant’s cybersecurity practice.
