Compliance checklists and attestations only go so far in mitigating cyber risk. They demonstrate a partner’s commitment to cybersecurity awareness however they only capture a snapshot in time. A vendor, contractor or supplier is just one connected device or phishing email away from a security incident. That vulnerability puts your partners, and ultimately you, at risk. Therefore organizations that rely on contracts and agreements to prevent a data breach do so at their own peril. A more hands-on approach is needed. Consider for example a more customer focused mindset in your vendor relations. All too often, vendor communication only occurs at contract renewal time. By contrast, businesses that build strong relationships with their partners make fewer assumptions about cybersecurity preparedness. For starters, conduct quarterly check-ins and discuss current or emerging threats and vulnerabilities. Consider monthly check-ins for larger, more critical vendors. A phone conversation lets organizations address nuances in risk that legal documents cannot. Ultimately, businesses mitigate third party risk when they look beyond checklists to better understand their partners’ security capabilities.
CISO Street recently moderated a CISO panel in Dallas and asked panelists about their perspectives on several cybersecurity issues and trends. In this video, Chris Gathright, CTO at Sentinel IPS, and Eric Ballantyne, Chief Risk Officer and CISO at General Datatech, discuss the challenges behind managing and mitigating third party risk.