RSAC 2022: Experts Call for Major Changes to Third Party Risk Management
Though it was delayed, the 2022 US RSA Conference finally kicked off in June. It was the first time the conference had held an in-person event since February 2020, mere weeks before the world started to lock down in response to COVID-19.
After attending and participating in dozens of talks and discussions about third party risk management (TPRM) at the conference, it was clear that most attendees felt their current third party management practices did little to reduce risk or improve security practices amongst their third parties. An oft-repeated phrase summed it up best: “it’s better than doing nothing, I guess?”
Fortunately, attendees had some strong opinions and results to share on improving TPRM practices.
Too Many Questions: Replace Quantity with Quality
Time and time again, we heard the same refrain: questionnaires are too long. Even SIG Lite isn’t light enough. The vast quantity of questions lowers the completion rate on questionnaires, and the ones that do get completed lack accurate, descriptive responses. Experts seem to agree that the sweet spot is 30-50 thoughtful questions. With fewer questions, it’s easier to follow up and hold third parties accountable.
What kind of questions should we be asking? Here were a few of the suggestions shared by speakers:
- Questions that expose the maturity of SDLC processes
- Ask about metrics the first party actually cares about
- Questions that determine whether critical controls are actually in place and/or working
- Time to recover from major data loss events (e.g. ransomware), and whether this process has actually been tested
- Time to ‘reboot’ the whole company, and whether this has been tested
- Use of Chaos Engineering testing and principles
- Measurements of risk and maturity velocity (many TPRM programs introduce a minimum ‘bar’, but don’t push third parties to continually improve over time)
- Can you share an accurate data flow diagram that shows what happens to our data on your systems?
Some other interesting insights:
- One speaker said they saw the average time to complete self-assessment questionnaires drop from 113 days to 18 after reducing the number of questions, but improving the quality of each question retained.
- One company required GRC team members to first spend significant time on the blue team (IR, SecOps, SOC) gaining technical skills before they could join the GRC team. They felt technical security experience was essential for GRC.
- Increased cloud use was generally found to reduce risk when used correctly (e.g. more ephemeral assets), but this was difficult to signal through traditional TPRM processes: questionnaires don’t ask the right questions, and current tools don’t gather the right data.
- Legal teams should be more involved with TPRM and third party security requirements
- A need to identify and address specific supply chain concerns, like open source libraries and dependencies
- Need the ability to ask a single compliance question to all third parties (e.g. “what’s your Log4J remediation status?”)
MITRE’s System of Trust Framework
Robert Martin’s talk on MITRE’s System of Trust (SoT) framework was interesting and ambitious. This framework is still young and unfinished, but is the result of several years of work and dozens of pilots, thanks to volunteer organizations. Bob described this effort as an attempt to establish generally accepted principles for supply chain.
It is important to note that this framework isn’t designed specifically for software or technology. It is designed to establish a basis of trust and common taxonomy for supply chain in general, whether the focus is CRM software, sushi grade tuna, or lithium for batteries. The assessment is questionnaire-based and can be managed via the Risk Model Manager web application.
Some notable points from the talk:
- SoT accounts for ‘show stoppers’ – critical findings are always highly visible, regardless of the total number of findings (a concept also familiar from the vulnerability management world)
- Partial mapping to the TIA 9001 standard
- SBOM should exist at every step of the SDLC, not just at one point
- SoT could potentially provide a standard way for folks to share what they’re working on, rather than filling out hundreds or thousands of proprietary self-assessment questionnaires
Conclusions
We’ll be following these trends in the TPRM market closely and will have some further thoughts of our own to share in the near future – watch this space!
Written by Adrian Sanabria