From the Author of The Agile Architecture Revolution

Jason Bloomberg


Third Party Risk: Expanding the Cybersecurity Threat Surface

Third party risk has long been an important concern for Governance, Risk, and Compliance (GRC) executives. After all, every company depends upon a vast ecosystem of partners, suppliers, contractors, and other third parties for the day-to-day operation of its business. Any one of them might present a risk to the organization.

Such risks are both varied and complex. Strategic risk results from adverse business decisions. Operational risk is the risk of loss from failed processes, technology, or people. Reputation risk arises from negative public opinion. Transaction risk comes from problems with products and services. Credit risk is due to third parties not paying their bills on time. And lest we forget, compliance risk is the risk arising from not following laws, rules, or regulations.

Any of these risks may involve third parties – and in fact, third parties exacerbate any organization’s risk profile, as they are outside the control of the organization.

The GRC Context for Cybersecurity Risk

When the interactions with a third party are electronic – and in today’s digital business climate, most of them are – then cybersecurity risk becomes part of the GRC challenge as well.

However, cybersecurity risk isn’t a risk category separate from the ones listed above. In fact, all of the third party risks on our list might be cybersecurity risks, especially as organizations proceed with their digital transformation efforts.

The result: third party risks expand every organization’s cybersecurity threat surface. A threat surface consists of all the different points, or ‘attack vectors’, at which an attacker can attempt to penetrate an environment or exfiltrate data from it.

Don’t let the word surface fool you, however. The term dates from the days when organizations relied on their firewall-based perimeters for security – as though they could put a bubble around their companies and deflect attacks at its surface.

Today, third party risks have popped the bubble for good, as the threat surface is now varied, complex, and dynamic. In fact, third parties have extended the threat surface in three fundamental ways:

  • Targeting less secure, ostensibly low-risk parts of the network. The notorious 2013 attack on retailer Target brought this attack vector into the public consciousness, when a hacker compromised a heating and cooling contractor’s system and then moved laterally within Target’s network in order to exfiltrate valuable data.
  • Exploiting the value chain. Transactions with suppliers as well as customers, in both B2B and B2C contexts, are increasingly electronic. Furthermore, in some industries, relationships along this value chain are becoming increasingly intimate. For example, vendor-managed inventory in retail puts suppliers in privileged roles on internal retail store networks.
  • Poking holes in the digital ecosystem. If you view the source of any corporate home page – especially those of transactional, B2C companies – you’ll find dozens of third party widgets, tags, plug-ins, and ads. All an attacker needs to do to compromise the main site is to find a weakness in one of these ecosystem add-ins.
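The third bullet describes the ecosystem of add-ins a corporate home page pulls in from other hosts. As an added illustration (not part of the original post or of any vendor’s product), the following inventories those third-party scripts, stylesheets and frames and flags scripts loaded without Subresource Integrity; the HTML and host names are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a corporate home page mixing first- and third-party add-ins.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.example-retailer.com/js/cart.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://widgets.example-chat.com/embed.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.org/style.css">
<iframe src="https://ads.example-adnetwork.com/frame"></iframe>
</head><body></body></html>
"""


class AddInCollector(HTMLParser):
    """Collects every externally loaded script, stylesheet and frame on the page."""

    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = None
        if tag in ("script", "iframe"):
            src = a.get("src")
        elif tag == "link" and a.get("rel") == "stylesheet":
            src = a.get("href")
        if src:
            self.items.append({"tag": tag, "src": src, "integrity": a.get("integrity")})


def third_party_inventory(html, site_host):
    """Return add-ins served from hosts other than site_host.

    Each finding names the external host and the element type; scripts without an
    integrity attribute are flagged, since a compromise of that host would run
    arbitrary code in the context of the main site.
    """
    collector = AddInCollector()
    collector.feed(html)
    findings = []
    for item in collector.items:
        host = urlparse(item["src"]).hostname
        if host is None or host == site_host:
            continue  # relative URL or same host: first-party, not a third-party add-in
        findings.append({
            "host": host,
            "tag": item["tag"],
            "missing_sri": item["tag"] == "script" and not item["integrity"],
        })
    return findings
```

Running `third_party_inventory(SAMPLE_HTML, "www.example-retailer.com")` yields four external hosts, of which only the analytics tag is a script loaded without SRI.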

Clearly, the only way to manage third party risk overall is to manage this modern threat surface. And yet, earlier-generation cybersecurity tools that presume the organization stops at the corporate perimeter are simply ineffective.

LookingGlass Cyber Solutions offers a next-generation threat intelligence, mitigation, and prevention solution that the vendor has built from the ground up to deal with third party and enterprise risk.

To accomplish this difficult task, LookingGlass leverages big data approaches to collecting and analyzing vast quantities of threat-related information in real-time. This analysis then feeds its threat response capabilities and threat intelligence services.

The Intellyx Take

Expanding cybersecurity threat detection and mitigation to third party attack vectors reduces more than cybersecurity risk – it reduces third party risk overall.

In today’s increasingly digital business environment, the distinctions between the more technical conversation of cybersecurity and the business-oriented GRC discussions are becoming blurred.

For example, New York State’s new cybersecurity regulations – formally known as Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) – require a wide range of different types of financial services firms to tighten their cybersecurity practices.

This regulation went into effect on March 1, 2017, immediately impacting New York-centric industries like banking and equities markets, but in fact driving increased cybersecurity efforts for any company doing business in the state.

This regulation focuses in large part on third party risk, and brings the worlds of cybersecurity and GRC together into a single business context.

The bottom line: third party risks have transformed cybersecurity risk, and mitigating such risks isn’t simply the domain of the CISO anymore. The entire C-suite must now take notice – and take action.

Copyright © Intellyx LLC. LookingGlass Cyber Solutions is an Intellyx client. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper. Image credit: LookingGlass Cyber Solutions.


Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).