Top Digital Transformation and DevOps Influencer

Jason Bloomberg


Third Party Risk: Expanding the Cybersecurity Threat Surface

Third party risk has long been an important concern for Governance, Risk, and Compliance (GRC) executives. After all, every company depends upon a vast ecosystem of partners, suppliers, contractors, and other third parties for the day-to-day operation of its business. Any one of them might present a risk to the organization.

Such risks are both varied and complex. Strategic risk results from adverse business decisions. Operational risk is the risk of loss from failed processes, technology, or people. Reputation risk arises from negative public opinion. Transaction risk comes from problems with products and services. Credit risk is due to third parties not paying their bills on time. And lest we forget, compliance risk is the risk arising from not following laws, rules, or regulations.

Any of these risks may involve third parties – and in fact, third parties exacerbate any organization’s risk profile, as they are outside the control of the organization.

The GRC Context for Cybersecurity Risk

When the interactions with a third party are electronic – and in today’s digital business climate, most of them are – then cybersecurity risk becomes part of the GRC challenge as well.

However, cybersecurity risk isn’t a risk category separate from the ones listed above. In fact, all of the third party risks on our list might be cybersecurity risks, especially as organizations proceed with their digital transformation efforts.

The result: third party risks expand every organization’s cybersecurity threat surface. A threat surface consists of all the different points or the ‘attack vectors’ where an attacker can attempt to penetrate or exfiltrate data from an environment.

Don’t let the word surface fool you, however. The term dates from the days when organizations relied on their firewall-based perimeters for security – as though they could put a bubble around their companies, deflecting attacks at its surface.

Today, third party risks have popped the bubble for good, as the threat surface is now varied, complex, and dynamic. In fact, third parties have extended the threat surface in three fundamental ways:

  • Targeting less secure, ostensibly low-risk parts of the network. The notorious 2013 attack on retailer Target brought this attack vector into the public consciousness, when a hacker compromised a heating and cooling contractor’s system and then moved laterally within Target’s network in order to exfiltrate valuable data.
  • Exploiting the value chain. Transactions with suppliers and customers alike, in both B2B and B2C contexts, are increasingly electronic. Furthermore, in some industries, relationships along this value chain are becoming increasingly intimate. For example, vendor-managed inventory in retail puts suppliers in privileged roles on internal retail store networks.
  • Poking holes in the digital ecosystem. If you view the source of any corporate home page – especially those of transactional, B2C companies – you’ll find dozens of third party widgets, tags, plug-ins, and ads. All an attacker needs to do to compromise the main site is to find a weakness in one of these ecosystem add-ins.
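The third bullet is the one a web team can check for itself. As an added example (not code from the original post, from Intellyx, or from LookingGlass), the Node.js script below inventories the third-party `<script>` tags in a page's source and flags those loaded without a Subresource Integrity (`integrity`) attribute, since an unpinned external script reaches the page unchecked whenever the third party's server changes. The HTML, hostnames and hash value are constructed sample input; `inventoryThirdPartyScripts` and `unpinnedThirdPartyScripts` are names chosen here.

```javascript
// Added example: inventory third-party scripts in a page and flag those
// without Subresource Integrity (SRI). Plain Node.js, no dependencies.
// SAMPLE_HTML is constructed input; the hosts are not real sites.

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-widget.net/chat.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://tags.example-ads.com/pixel.js"></script>
<script src="//analytics.example-metrics.io/collect.js" async></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Opening <script ...> tags; group 1 is the raw attribute text.
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// name, name="v", name='v' or name=v; boolean attributes have no value.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttributes(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2]
                : m[3] !== undefined ? m[3]
                : m[4] !== undefined ? m[4] : "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one record per external script served from a host other than
// firstPartyHost: where it comes from and whether it is pinned with SRI.
function inventoryThirdPartyScripts(html, firstPartyHost) {
  const findings = [];
  const base = `https://${firstPartyHost}/`; // resolves "/x.js" and "//host/x.js"
  SCRIPT_TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = SCRIPT_TAG_RE.exec(html)) !== null) {
    const attrs = parseAttributes(tag[1]);
    if (!attrs.src) continue;                 // inline script: first-party code
    let url;
    try { url = new URL(attrs.src, base); } catch (e) { continue; }
    if (url.hostname === firstPartyHost) continue; // served from our own host
    findings.push({
      src: attrs.src,
      host: url.hostname,
      hasIntegrity: typeof attrs.integrity === "string" && attrs.integrity.length > 0,
      crossOrigin: attrs.crossorigin !== undefined ? attrs.crossorigin : null,
    });
  }
  return findings;
}

// Hosts whose scripts carry no integrity attribute: the add-ins the post
// describes, each of which can change the page without any local review.
function unpinnedThirdPartyScripts(html, firstPartyHost) {
  return inventoryThirdPartyScripts(html, firstPartyHost)
    .filter((f) => !f.hasIntegrity)
    .map((f) => f.host);
}

if (typeof require !== "undefined" && require.main === module) {
  const host = "www.example-retailer.com";
  console.log(inventoryThirdPartyScripts(SAMPLE_HTML, host));
  console.log("unpinned:", unpinnedThirdPartyScripts(SAMPLE_HTML, host));
}

module.exports = { parseAttributes, inventoryThirdPartyScripts, unpinnedThirdPartyScripts };
```

Run it against a saved copy of a page (`curl -s https://<your-site>/ > home.html`) by reading the file into `SAMPLE_HTML`'s place; every host in the `unpinned` list is a supplier whose compromise becomes your compromise, which is the inventory a GRC third-party register should contain alongside the contractual relationships.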

Clearly, the only way to manage third party risk overall is to manage this modern threat surface. And yet, earlier-generation cybersecurity tools that presume the organization stops at the corporate perimeter are simply ineffective against it.

LookingGlass Cyber Solutions offers a next-generation threat intelligence, mitigation, and prevention solution that the vendor has built from the ground up to deal with third party and enterprise risk.

To accomplish this difficult task, LookingGlass leverages big data approaches to collect and analyze vast quantities of threat-related information in real time. This analysis then feeds its threat response capabilities and threat intelligence services.

The Intellyx Take

Expanding cybersecurity threat detection and mitigation to third party attack vectors reduces more than cybersecurity risk – it reduces third party risk overall.

In today’s increasingly digital business environment, the distinctions between the more technical conversation of cybersecurity and the business-oriented GRC discussions are becoming blurred.

For example, New York State’s new cybersecurity regulations – formally known as Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) – require a wide range of different types of financial services firms to tighten their cybersecurity practices.

This regulation went into effect on March 1, 2017. It immediately affected New York-centric industries like banking and equities markets, but in fact it is driving increased cybersecurity efforts at any company doing business in the state.

This regulation focuses in large part on third party risk, and brings the worlds of cybersecurity and GRC together into a single business context.

The bottom line: third party risks have transformed cybersecurity risk, and mitigating such risks is no longer simply the domain of the CISO. The entire C-suite must now take notice – and take action.

Copyright © Intellyx LLC. LookingGlass Cyber Solutions is an Intellyx client. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper. Image credit: LookingGlass Cyber Solutions.


Jason Bloomberg is a leading IT industry analyst, Forbes contributor, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Onalytica’s list of top Digital Transformation influencers for 2018 and #15 on Jax’s list of top DevOps influencers for 2017, the only person to appear on both lists.

As founder and president of Agile Digital Transformation analyst firm Intellyx, he advises, writes, and speaks on a diverse set of topics, including digital transformation, artificial intelligence, cloud computing, devops, big data/analytics, cybersecurity, blockchain/bitcoin/cryptocurrency, no-code/low-code platforms and tools, organizational transformation, internet of things, enterprise architecture, SD-WAN/SDX, mainframes, hybrid IT, and legacy transformation, among other topics.

Mr. Bloomberg’s articles in Forbes are often viewed by more than 100,000 readers. During his career, he has published over 1,200 articles (over 200 for Forbes alone), spoken at over 400 conferences and webinars, and he has been quoted in the press and blogosphere over 2,000 times.

Mr. Bloomberg is the author or coauthor of four books: The Agile Architecture Revolution (Wiley, 2013), Service Orient or Be Doomed! How Service Orientation Will Change Your Business (Wiley, 2006), XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996). His next book, Agile Digital Transformation, is due within the next year.

At SOA-focused industry analyst firm ZapThink from 2001 to 2013, Mr. Bloomberg created and delivered the Licensed ZapThink Architect (LZA) Service-Oriented Architecture (SOA) course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, which was acquired by Dovel Technologies in 2011.

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting), and several software and web development positions.