Cybersecurity and Third-Party Risk. Gregory C. Rasner

Cybersecurity and Third-Party Risk - Gregory C. Rasner


Скачать книгу
indicating that the demand vastly outstrips the supply of certificate holders of CISSP.

      Within infosec, they have developed clear subdomains (citing the CISSP 8 domains):

       Security and Risk Management

       Asset Security

       Security Architecture and Engineering

       Communications and Network Security

       Identity and Access Management

       Security Assessment and Testing

       Security Operations

       Software Development Security

      Further subdomains can be found within these cybersecurity domains. For example, let's look at the Security and Risk Management domain:

       Security and Risk Management Domain: It comprises 15 percent of the CISSP exam and is the largest domain found in CISSP. The latest editions of the study guides for this exam detail the following:The Confidentiality, Integrity and Availability of informationSecurity governance principlesCompliance requirementsLegal and regulatory issues relating to information securityIT policies and proceduresRisk‐based management concepts

      However, this is not the responsibility of the CISSP body of knowledge or necessarily any other cybersecurity certification. These guides are designed to give frameworks and a library of information that the cybersecurity profession can then use to manage the risk. Hundreds of specialties and job roles exist in cybersecurity and except for job‐specific certifications, the study guides and exams are not prescribing how cyber organizations run their operations and programs. In this case, the cybersecurity industry has been largely focused on securing internal networks. TPRM professionals have spent the last 10 years growing their profession. The gap has been widening over time, but the COVID‐19 pandemic made the problem more pronounced. The approach for this domain must evolve into a field of its own, mimicking cybersecurity operations more than cyber Governance, Risk and Compliance (GRC).

      Business or Technology Risk and Cybersecurity Risk

      Many companies of larger size have departments or groups that are designed to manage and report risk for the whole company. These teams are very important as centralized groups for risk management at big organizations. Often, these teams perform the process and compliance work for third‐party risk, including the cybersecurity domain.

      While these professionals are trained and certified in how to evaluate risk within an organization, the issue of evaluating cybersecurity risk produces better results when performed by trained and certified cybersecurity professionals. The cybersecurity domain is very complex, as illustrated in the section titled “Cybersecurity and Third‐Party Risk.” Even within the field, there are numerous specialty fields and certifications along with a fast‐changing environment. Expecting a generalist risk professional to opine on controls for information security topics might produce adequate, but not necessarily accurate, data.

      In cases where a risk organization consists of general risk professionals who don't have the specialty training and experience of cybersecurity professionals, it is optimal if these professionals, like the TPRM team, collaborate with the cybersecurity teams at their company for that level of expertise.

      Cybersecurity Third‐Party Risk as a Force Multiplier

      As understood, the cybersecurity field is complex and full of certifications, specialties, technical details, and domains. This complexity can be simplified for a TPRM team when a specialized team of cybersecurity professionals are able to execute on an active threat hunting mentality in reference to third parties. The whole TPRM and business risk teams do not have to be experts in information security, but they can use the force multiplier effect of a few good cybersecurity special forces. These special forces are trained to monitor security controls at vendors, to ensure that enemy forces are reined in by contractual obligations, to constantly watch for new threats, and to partner with vendors to train their local forces to better fight the enemy directly. The collaboration and teamwork between the cyber and TPRM professionals continually sharing and updating reference documents multiplies the strengths of both teams.

      The earlier statistic that stated the average company is connected with 600 vendors with PII becomes the exponential part. As more companies adopt a cybersecurity and third‐party risk approach and are able to partner with these vendors, across multiple industries, we get real security change across all the third parties. It's a simple math equation: It becomes a multiplier for better corporate information security across the globe.

      The evidence of the risk exists: At the end of 2020, in one month there were three nation‐state APT attacks that exploited weaknesses in supply chain cybersecurity. Two of them were aimed at two countries: Mongolia and Vietnam. The damage and scope of the SolarWinds Orion exploit is not yet known as more victims are being uncovered, but it does include big names in technology and major government systems globally. The advanced persistent actors (i.e., hackers) are clearly targeting and weaponizing the supply chain. They have discovered that third‐party cybersecurity is the


Скачать книгу