Any Advice for Assessing Third-Party Risk?

Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.

Joshua Goldfarb, Field CISO

September 17, 2019


Question: What are some important points to consider when looking to improve my third-party risk assessment function?

Josh Goldfarb, independent consultant: Most businesses work closely with and rely on third parties, suppliers, and vendors to help them accomplish their business objectives — but while third parties can provide many benefits to a business, they can also introduce risk.

So it’s important to holistically assess your third-party risk regularly. You should begin by prioritizing your risks and tailoring your third-party risk assessments accordingly. 

Here are a few things you should not do: 

  • Don't be afraid to have multiple questionnaires: Assign risk assessment questionnaires to each party based upon the size, type, criticality, and data sensitivity for each vendor.

  • Don't trust the answers you get: Leverage technology to verify and validate responses and to check that required controls are actually in place.

  • Don't end the process at the assessment phase: Build a work program for each vendor to bring them in line with your expectations.

  • Don't forget to measure: Each assessment should result in a tangible risk score that you can use to assess your exposure across individual vendors, various different segments of the supply chain, and the supply chain as a whole.

  • Don't stagnate: Remember to continually review your third-party risk assessment function amid evolving priorities, identify weak spots, and work to strengthen and improve them.

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
