As a new CISO, or even as an established one, you will always need to review and keep current your third-party and vendor risk assessments. These third parties must provide a critical component to your organization; otherwise, why would they exist? Remember, as a CISO it is your job to act as the enabler of strategic objectives.
We have established the need (enabling strategy), so how do we ensure the risk presented by third parties is enumerated and considered before decisions are made? Read these questions aloud, consider deeply the potential impacts, and then write them down!
1. Consider the service and/or operational risk. How does this third party affect your business operations or services? Where do they “tie in” to your organization? What happens if they sustain a 100% loss of operation? A 50% loss?
2. Consider the reputational risk. There are multiple facets to this risk lens, but the two major ones are: A) if this vendor is the source of a security incident (availability incidents included), what impact will it have on your organization’s reputation? and B) what is the risk of being publicly partnered with this organization? Some organizations have bad reputations; knowing this ahead of time can save you heartache later…
3. Consider the security and compliance risk. Can this vendor provide you with documented security processes and procedures? Do they have a security program? Is it tested? Did it work? Ask foundational questions and build up from there. What about their ability to deliver a compliant solution? Think of frameworks and regulations such as SOC 2, HIPAA, HITRUST, GLBA, and PCI.
There are other considerations, such as financial and revenue risk, which are just as important but often take lower priority because of the amount of risk presented in the three categories above. If you find this helpful, let me know by giving it a thumbs up or leaving a comment below.