Going hands-on with third-party collaboration for cybersecurity
It's understandable that the process of onboarding a new vendor, supplier or strategic ally may feel a bit adversarial at times, as the client often carries out many checks and requests a lot of information. However, permanently keeping the relationship in this state isn't ideal.
Once you start working with a third party, any weaknesses or issues you find are no longer just their problem. Oversight and due diligence remain just as important as they were during procurement, but what you find later in the relationship can also represent a risk to your business, because you're now evaluating a partnership that already exists.
That's why, when it comes to third-party cyber risk management (TPCRM), there is much to gain by treating our existing suppliers as partners. If you have trustworthy vendors and allies who are willing to work on improving their security controls, you've won half the battle – it's all about helping them achieve the higher standard they already seek.
Venues for collaboration
Once the decision is made to establish partnerships with third parties, it is essential to explore ways to bring them closer to your organization.
In this context, in-person meetings and events play a crucial role, offering opportunities to strengthen relationships, align expectations, and foster a more integrated, collaborative environment.
Here at Tenchi, we've been organizing in-person discussions since 2022. The second edition of our Tenchi Conference, the largest third-party cybersecurity conference in Brazil, was held in São Paulo on November 6.
With this effort, we help our customers and partners by setting up a venue to share ideas and learn from those who have already experienced many challenges in their TPCRM programs.
While your collaboration strategy should be fine-tuned based on your industry and the profile of your supply chain, events have a few advantages that you should keep in mind. Companies with a high number of local vendors, partners or contractors that don't always respond well to other forms of communication are likely to see the most benefit from in-person events, but you can adapt the same idea to online meetings, too.
Especially for more qualified audiences, these gatherings can help keep the participants' attention, and they present an opportunity for them to also talk to each other and share knowledge.
In some industries, in-person events may be one of the few ways to successfully reach out to certain partners. While logic might suggest that cybersecurity should always be "digital," online communication just isn't as compelling for all audiences.
That is precisely why we emphasize this point: keeping an open mind and thinking outside the box could be the keys to building effective collaboration channels that, when combined, can make an impact across your whole supply chain.
Who else is doing this?
The European Union Agency for Cybersecurity has a list of several cybersecurity gatherings in Europe targeted at different industries, but there are examples from the private sector too, even if companies often don't realize that it should be part of an overarching strategy. TSMC, a well-known Taiwanese semiconductor manufacturer founded in 1987, hosted their first supply chain security workshop in July.
This is interesting because it suggests that TSMC wants to help its vendors apply risk management strategies to their own vendors as well, building a chain of collaboration that enhances resiliency across the board for the industry.
Another example we can mention comes from Microsoft, which held its Windows Endpoint Security Ecosystem Summit in September as a reaction to the CrowdStrike outage in July. Microsoft brought together industry partners and regulators to discuss strategies to prevent another similar incident in the future, as many trade-offs could be involved.
Building policy together like this can be a great approach. It minimizes the risk of increasing compliance costs just for doing things slightly differently. In Microsoft's case, the issue is much more complicated, but that is a topic we've already discussed in our newsletter.
In any case, if we cast a wider net, we will see that organizations have been doing this for much longer. There are many outreach events for partners, such as developer conferences, but security contributions are often sidelined. If your organization already hosts an event for suppliers to communicate policy and inform them of other updates, you can leverage these opportunities to improve their cybersecurity posture as well.
Where cybersecurity collaboration matters
After you establish a venue (or more!) for collaboration, here are some ideas for what to cover:
- Incident response: Incident response scenarios may require cooperation between you and your vendors or suppliers, or among different vendors. Make sure everyone is on the same page and can work together in this situation.
- Handling alerts and issues: Every third party must fix issues (including those found by Zanshin) in a timely manner. By highlighting the cybersecurity standards you expect and how they can be put into practice, your vendors and suppliers will know what to do when an issue is found.
- Sharing experiences: Many organizations face similar challenges when it comes to cybersecurity awareness training, cloud adoption, or changes in the software and hardware environment, so even distinct groups may find some common ground to share what they have learned. Sometimes, companies are unable to take proper care of cybersecurity because they're still grappling with other complications in their IT infrastructure.
- Tackling current issues: Every year there's a different cybersecurity issue in focus — ransomware, MFA, backups, and security awareness have been some recent examples. Check with your vendors and allies to see if they're in the same boat, and then organize workshops or exercises that cover the common pitfalls and solutions to these problems.
When you provide value to your third parties, there's a higher chance you'll be heard. Whenever possible, we should avoid an adversarial relationship with our supply chain. Otherwise, we may find that these third parties are only concerned with pushing through an audit once a year before going back to business as usual.
Instead, by consistently working to strengthen the cybersecurity posture across the entire supply chain, organizations will gain a deeper understanding of real risks and be better positioned to set achievable goals. This effort should not be limited to an annual cycle. Additionally, through events, we aim to raise awareness and underscore the vital role of ecosystem security as an integral part of business strategies.
To everyone who was present at the Tenchi Conference this year, it was great seeing all of you! We hope our event helped you on your journey to improve your TPCRM program.