How Third-Party Risk Management Benefits Government Agencies
By Zane Pokorny on March 1, 2019
A theme we been exploring lately is the double-edged sword of digital transformation. Yes, the phrase “digital transformation” is a buzz-phrase, and as such threatens to cause the eyes of a non-zero number of readers to glaze over.
But the concepts and trends encompassed within that phrase are inarguably happening across industries. Organizations are increasingly relying on digital solutions to gather, analyze, store, and distribute critical information, and those processes are becoming increasingly interconnected between organizations and their partners, suppliers, customers, and other third parties.
It’s a double-edged sword because while it is making many critical operations vastly easier and more efficient, this interconnectedness also greatly broadens the attack surface of any one organization. For better or worse, we’re all in this together.
The management of interconnected systems and processes is, in a very abstract sense, the definition of government — politics, after all, is a word that comes from the Greek word polis, the archetypal city-state functioning as one interconnected whole. And the risks posed by digital transformation are highly relevant to government institutions, which are not only closely interconnected, but also manage highly sensitive information, whether it’s classified intelligence or simply the personally identifiable information (PII) of its citizens.
Here, we’ll take a look at why effective risk management is essential for government agencies, the recommendations for risk management made by the National Institute of Standards and Technology (NIST), and how threat intelligence directly addresses many of the challenges of risk management and the recommendations made by NIST.
NIST’s Risk Management Framework
The recommendations made by NIST for managing third-party risk are summarized in their Risk Management Framework (RMF), which provides a “structured approach for managing risk” based on identifying and implementing the right information systems, security controls, and processes to support the proper functioning of government agencies.
It’s a six-step process:
- Categorize the information to be protected
- Select the minimum baseline controls
- Implement security controls
- Assess the effectiveness of those controls
- Authorize the information system for processing
- Monitor the security controls
The RMF emphasizes the following qualities:
- It promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
- It encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions.
- It integrates information security into the enterprise architecture and system development life cycle.
- It provides emphasis on the selection, implementation, assessment, and monitoring of security controls, as well as the authorization of information systems.
- It establishes responsibility and accountability for security controls deployed within organizational information systems.
NIST’s Best Practices for Managing Supply Chains
Returning to the theme of the deeply interconnected nature of information systems, supply chains, and security operations today, NIST points out that “information and operational technology (IT and OT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions.”
This interconnected system also increases risk. Here’s NIST again:
NIST outlines some core recommendations to follow when managing risk in a cyber supply chain. The problem should be considered in the context of three categories: risk, threats and vulnerabilities, and critical systems.
- Risk: Third-party risk comes about because organizations don’t necessarily know what’s going on behind the doors of their partners, suppliers, and so on. Without visibility into the “development, acquisition, and delivery” of the products and services they use, organizations cannot be sure that security standards are being upheld throughout the supply chain.
- Threats and Vulnerabilities: Effectively managing third-party risk heavily depends on having a map of the threat landscape — that means knowing what threats and vulnerabilities are out there and which represent the greatest priorities. NIST categorizes threats as either “adversarial,” which encompasses malicious efforts like tampering or counterfeits in the supply chain, or “non-adversarial,” which includes issues like poor standards of quality or natural disasters disrupting the supply chain. Vulnerabilities are categorized by NIST as either “internal” — vulnerabilities affecting systems within the organization’s network — or “external.”
- Critical Systems: Finally, NIST notes that mitigating third-party risks cost-effectively requires organizations to prioritize their efforts around criticality. That is, they must identify which systems are the most vulnerable and “will cause the greatest organizational impact if compromised.”
Threat Intelligence Addresses the Challenges of Third-Party Risk
Fortunately, threat intelligence provides the context needed to accurately evaluate each of those three categories.
As mentioned above, evaluating third-party risk requires “visibility.” Without independently created threat intelligence, organizations really have very little visibility into the security of the third parties they work with, which may themselves have less stringent security standards or lack visibility into their own threat landscape.
The context provided by threat intelligence also allows organizations to effectively prioritize vulnerabilities by the actual risks they present, helping them determine which of their systems are critical. Many vulnerabilities are never actually exploited — knowing which alerts to prioritize and which to safely ignore can be a massive timesaver for many security functions.
Returning to the first two characteristics of the RMF that NIST laid out previously, the right threat intelligence solution can effectively address each one.
1. It promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes.
Threat intelligence that updates in real time and is derived from a wide variety of sources helps organizations go beyond traditional, static measurements of risk. Real-time threat intelligence helps all security functions — whether it’s security operations, vulnerability management, fraud prevention, or another function — stay on top of the threat landscape. This is especially critical when managing third-party risk because the continuous monitoring of third parties is not otherwise possible in the same way it is for internal security through the use of solutions like SOAR platforms. Real-time threat intelligence helps security teams identify threats 10 times faster, on average, and resolve them 63 percent quicker, according to one IDC study.
2. It encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions.
It’s no secret that security staffers are overworked. Partly because cybersecurity has so rapidly grown to become a pressing issue across industries and sectors, the demand far outstrips the supply. Automation is one of the key ways to overcome this challenge — by automating the collection, processing, and analysis of threat data, analysts and researchers are able to focus on turning that information into real, actionable intelligence. And it’s that intelligence that helps senior leaders make broader, strategic decisions and save time and money — that same IDC study found that threat intelligence helps staff spend 34 percent less time compiling reports, and organizations saw a 284 percent return on investment after three years.
For more information about how threat intelligence helps manage third-party risk, download your complimentary copy of a new report from ESG, “Third-Party Risk: Why Real-Time Threat Intelligence Matters.”