A chain is only as strong as its weakest link. That’s true not only for chains forged from steel, but also for chains forged from a myriad of vendors — a truth a number of businesses that have suffered data breaches in recent months have painfully discovered.
“With so much at stake in the event of a data breach — lost revenue, significant brand damage, lawsuits, fines — companies need to take a closer look at their third party risk management practices,” said Tom Garrubba, senior director of the Santa Fe Group and the Shared Assessments Program.
Shared Assessments has created a new certification for professionals in enterprise risk management — Certified Third Party Risk Professional (CTPRP) — aimed at boosting the ability of businesses to protect their supply chains from compromises that can lead to data loss or worse. The program was launched in January, and two workshops and exams are planned for each quarter this year.
Getting the CTPRP: Risk management certification nuts & bolts
Similar to related certifications like PMI’s Risk Management Professional (PMI-RMP), the new CTPRP certification is more than just an assessment credential. “It’s having a deep understanding of what really constitutes third-party risk,” Garrubba said. “It’s knowing how third-party risk is spread out through an organization, what your third parties have access to and what controls should be in place for handling the privacy and security of that data.”
To qualify for the CTPRP cert, a candidate needs to have a minimum of five years’ experience as a risk management professional and be in a position that demonstrates proficiency in assessment, management and remediation of third party risk issues. In addition to successfully passing the exam, continuing education is needed to ensure certificate holders stay current with changes to regulations, standards and guidelines.
“We have a really good mix of individuals that are going through the program,” Shared Assessment Project Director Katherine Kneeland said. “We have a lot of folks coming from the procurement side and a lot of individuals with auditing and assessment backgrounds and some with vendor governance, risk management, security and legal backgrounds.”
The need to address third-party cyber security risk
The new certification couldn’t have come at a better time.
The U.S. Comptroller of the Currency, which oversees financial institutions, has adopted new rules mandating that at the board level, an organization needs to know who their critical vendors are and what they’re doing to preserve the privacy and security of their data. “A certification program can help drive and provide comfort for organizations that are looking to get a better understanding of what their third-party risk is,” Garrubba said.
Concern over third-party risk reaches beyond financial institutions. A January report from Forrester, which included a survey of 106 IT security and risk management decision makers in the United States, United Kingdom, France and Germany, found that 79 percent of respondents said ensuring business partners and third parties comply with their businesses’ security requirements was a top IT security priority over the next 12 months.
“As concerns around data guardianship, targeted attacks and advanced security threats have risen, so too have the number and significance of various types of third-party relationships, such as those with suppliers and partners,” Forrester reported. “Therefore, more potential vulnerabilities are being exposed at the same time that regulator, customer and business scrutiny of such is reaching an apex.”
Moreover, those priorities are being translated into dollars across various industries. Firms are allocating significant portions of their IT budgets to shore up third-party security. In 2014, for example, enterprises in the four nations covered in the Forrester report allocated 21 percent of their overall IT spending to third parties. For the U.S. alone that amounts to $270 billion annually.
Companies have good reason to be concerned. On average, Forrester estimates, only 29 percent of third-party vendors are compliant with the security requirements of the companies to which they provide goods and services.
Consequences of non-compliance
What’s more, things are likely going to get a lot tougher for companies that don’t comply with rules and best practices for securing data. As of September 2014, the U.S. Congress was considering 112 pieces of legislation addressing privacy and data breaches, and the EU Commission is preparing to significantly tighten data regulations in an update to its 1995 Data Protection Directive.
What regulators and governments are hoping to stop with their newfound concern over third-party vulnerabilities is a repeat of the Target fiasco in 2013, in which personal and payment card information of more than 110 million customers was stolen, a breach that, the company reported, cost it $162 million.
“The Target breach was pretty transformational,” said Stephen Boyer, CTO and co-founder of BitSight, a company specializing in third-party risk management. “People recognized that a major event through a third-party could have far-reaching impact on an organization and result in a CEO being let go.”
However, no matter how much pressure is applied to businesses to protect the data they share with their supply chain partners, the task continues to grow in enormity. “If you’re a large company, you’re going to have a huge supply chain,” said John Worrall, CMO of CyberArk, a company that combats insider cyber security threats. “The number of vendors you have to deal with makes it difficult to enforce your security policies.”
“The other thing,” he continued, “is that there is no 100-percent security. Your vendors could do everything right, and it still might not provide you with the security you’d like to have.”
Nevertheless, having people in place with specialized knowledge in third-party risk can only improve what might otherwise be a bleak picture. “It’s great,” Boyer said. “There’s definitely a demand for competent individuals there.”
Interview with Stephen Boyer, CTO and co-founder, BitSight. Conducted by John Mello, February 2015
Interview with John Worrall, Chief Marketing Officer, CyberArk. Conducted by John Mello, February 2015
Interview with Katherine Kneeland, Project Manager, Shared Assessments Program. Conducted by John Mello, February 2015
Interview with Tom Garrubba, Senior Director, Shared Assessments Program. Conducted by John Mello, February 2015
“Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability,” Forrester/BitSight, March 3, 2015, http://info.bitsighttech.com/continuous-third-party-monitoring-whitepaper?utm_campaign=press&utm_source=press%20release