The Third-Party Risk Questionnaire Equation Doesn’t Add Up: Right Intention, Wrong Execution
Perspectives From A Former CISO/CSO
For my second blog in this series, I wanted to share my thoughts on one of my favorite subjects: third-party risk management (TPRM). More specifically, I’m going to primarily focus on the receiving side of the equation — i.e., responding to and dealing with external inquiries about your organization as a third party. This frequently takes the form of questionnaires that need to be filled out but also includes formal audits, interviews, and the usage of automated risk identification solutions.
The Current State Of Affairs
The ongoing expansion of our risk horizon only makes TPRM more important and equally difficult. Digital transformation, cloud migrations, and leveraging software-as-a-service solutions all feed into this equation. Much of our data rests under the control of other entities, which means we have limited control at best, making TPRM a critical function. The current approaches make responding in a meaningful manner difficult and, in many cases, impossible. As Maxwell Smart would say, “Missed it by that much!” Although, if he were speaking about TPRM, he likely would have said, “Missed it by a mile.” I led a peer session several years ago on the then-state of TPRM and thought by now that we clearly would have this figured out. The reality, however, is that we aren’t getting any better at it. In fact, I would argue it’s gotten worse, much worse in some cases.
The Major Challenges
Some of the more significant issues I dealt with over the past 10 years are challenges at best, and some are virtually impossible to overcome with the current state of affairs. Worse yet, many are not mutually exclusive. Consider the following challenges:
- Nonapplicability. Companies rarely take the time to focus questionnaires, audits, and even contracts on what is actually applicable or in scope. Rather, they take a one-size-fits-all approach. This frequently results in overly broad assessments that result in misleading or inaccurate conclusions.
- Bad forms — all of it. Nothing says fun like getting a 500-plus-question document, usually on an unrealistic deadline, that is poorly written and doesn’t allow you to provide meaningful and applicable responses.
- Inability to use out-of-the-box risk identification. Risk identification platforms can be useful, and I have used them previously. In almost every case where a third party produced a report from one of these tools, however, it included everything in our public IP space, which was usually far too broad and irrelevant. As a result, we spent a lot of time explaining why what they were looking at wasn’t applicable.
- The question of who has ultimate control over the response. Sometimes sales, procurement, legal, or another part of the company is responsible for the result. These groups are primarily concerned with getting the response done rather than understanding the nuance of the response. During my tenure as a CISO/CSO, I cannot tell you how many times reasonable common-sense edits were rejected and/or the person you were dealing with had no real vested interest in accuracy and was simply trying to get it completed. Using a hired firm (a party outside the company) to manage the process and responses only makes matters worse.
So What’s The Answer?
Here’s what we should be focusing on instead of spinning our wheels on what we can’t control.
For those of you who are creating the questionnaires:
- Focus what you are looking for on what’s actually at risk and relevant. Stop trying to fit everything under a one-size-fits-all approach. Another needed change is determining how extensive a review you really need to conduct. There should be a difference between a review, a full-blown audit, and a certification effort.
- Don’t duplicate what’s already been done. If the solution/product in question has a valid, current, and relevant certification — e.g., PCI DSS, ISO 27001, FedRAMP, HITRUST — why are we asking the same questions about controls, processes, and tooling that are already covered and validated? Do confirm that the certificate’s scope statement (or the system description in a SOC report) actually covers the product you are buying; a certification for one data center or business unit says nothing about a service hosted somewhere else. Asking a reasonable number of relevant questions that aren’t covered by the certification is fine, but we shouldn’t be reinventing the wheel every time.
For those of you who are responding to the questionnaires:
- Get off the dysfunctional hamster wheel. Make available relevant certifications and test results, then have a customer or partner pull/review that information based on what is in scope for the review in question. This also could be beneficial relative to insurance reviews. It’s all the same questions being asked 100 different ways, relentlessly.
- Don’t wait for regulators to save you. We may not have universal risk evaluation standards and formats, but that doesn’t mean we can’t create best practices for how to do this better than we’re doing it now. Create a catalog of comprehensive responses that is consistent and aligned with your audit evidence as closely as possible, update it as the evidence changes, and use automation wherever you can to pull answers from it rather than rewriting them for every request.
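As an added example that is not part of the original post, the script below sketches the response catalog described above: each questionnaire item that has been mapped to an internal control is answered from one canonical, evidence-backed entry; controls already validated by a certification the requester accepts are pointed at that report instead of being re-answered; controls that are not in scope for the product under review are marked not applicable; and a drift check flags catalog entries whose evidence pointer no longer exists. The control IDs, products, certifications, evidence paths, and questions are all constructed for illustration.

```python
# Added example, not code from the original post or any vendor's platform.
# Control IDs, product names, certification names, evidence paths and questions
# are constructed for illustration only.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CatalogEntry:
    control_id: str           # internal control identifier (hypothetical)
    answer: str               # canonical response, reused verbatim across questionnaires
    evidence: str             # pointer into the audit-evidence repository
    products: frozenset       # products for which this control is in scope
    certified_by: frozenset   # certifications whose audit already validated the control


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control_id: Optional[str]  # mapped during triage; None means nobody has mapped it yet


@dataclass(frozen=True)
class Response:
    qid: str
    status: str               # "answered" | "covered_by_cert" | "not_applicable" | "manual"
    text: str
    evidence: Optional[str] = None


def build_catalog(entries):
    """Index entries by control ID, rejecting duplicates: two 'canonical' answers
    for one control is exactly the inconsistency the catalog exists to prevent."""
    catalog = {}
    for e in entries:
        if e.control_id in catalog:
            raise ValueError(f"duplicate catalog entry for {e.control_id}")
        catalog[e.control_id] = e
    return catalog


def respond(questions, catalog, product, accepted_certs):
    """Answer each question for one product, given the certifications the
    requester has agreed to accept in place of re-asking covered controls."""
    responses = []
    for q in questions:
        entry = catalog.get(q.control_id) if q.control_id else None
        if entry is None:
            responses.append(Response(q.qid, "manual", "No catalog mapping; needs a human answer"))
        elif product not in entry.products:
            responses.append(Response(q.qid, "not_applicable",
                                      f"Control {entry.control_id} is not in scope for {product}"))
        elif entry.certified_by & accepted_certs:
            cert = sorted(entry.certified_by & accepted_certs)[0]
            responses.append(Response(q.qid, "covered_by_cert",
                                      f"Validated under {cert}; see the {cert} report rather than re-assessing",
                                      entry.evidence))
        else:
            responses.append(Response(q.qid, "answered", entry.answer, entry.evidence))
    return responses


def stale_evidence(catalog, evidence_index):
    """Control IDs whose evidence pointer is missing from the evidence repository,
    i.e. answers that have drifted from what the auditors actually saw."""
    return sorted(cid for cid, e in catalog.items() if e.evidence not in evidence_index)


# Constructed sample data.
CATALOG = build_catalog([
    CatalogEntry("ENC-01", "Customer data is encrypted at rest with AES-256; keys are held in a managed KMS.",
                 "evidence/2024/enc-at-rest.pdf", frozenset({"Payments API", "Analytics Portal"}),
                 frozenset({"PCI DSS", "SOC 2"})),
    CatalogEntry("ACC-02", "Privileged access requires hardware-backed MFA and is reviewed quarterly.",
                 "evidence/2024/priv-access-review.xlsx", frozenset({"Payments API", "Analytics Portal"}),
                 frozenset({"SOC 2"})),
    CatalogEntry("PHY-03", "Card-present terminals are tamper-sealed and inventoried monthly.",
                 "evidence/2024/terminal-inventory.csv", frozenset({"Point-of-Sale Terminal"}),
                 frozenset({"PCI DSS"})),
])
QUESTIONS = [
    Question("Q1", "Is customer data encrypted at rest?", "ENC-01"),
    Question("Q2", "Do administrators use MFA?", "ACC-02"),
    Question("Q3", "How are physical payment terminals protected?", "PHY-03"),
    Question("Q4", "Describe your drone-delivery security program.", None),
]
# Constructed snapshot of the evidence repository; PHY-03's file is deliberately absent.
EVIDENCE_INDEX = {"evidence/2024/enc-at-rest.pdf", "evidence/2024/priv-access-review.xlsx"}


if __name__ == "__main__":
    for r in respond(QUESTIONS, CATALOG, "Payments API", {"PCI DSS"}):
        print(f"{r.qid}: [{r.status}] {r.text}")
    print("stale evidence:", stale_evidence(CATALOG, EVIDENCE_INDEX))
```

Running it for the Payments API with PCI DSS accepted yields one question deferred to the PCI DSS report, one answered from the catalog with its evidence reference, one marked out of scope, one left for a human, and PHY-03 flagged because its evidence file is gone. The mapping from question text to control ID is left as a triage step on purpose: that is where judgment about applicability lives, and it is the part worth spending human time on.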
Also, make sure that you check out Forrester’s ongoing research on enterprise risk and compliance. As the new executive partner (EP) in security and risk, I am very much looking forward to working with Forrester clients on pressing topics such as today’s topic, TPRM. The EP is a one-to-one partnership with a former executive who has considerable experience in that role, who acts as a sounding board, and who provides ongoing actionable advice to bring to bear Forrester’s full wealth of information and expertise. The client also has full-service access to benchmarking, research, tools, data, and other relevant experts.