
Cybersecurity Where You Are

Episode 3: Third-party Risk Management – Beyond the Questionnaire

44 min • 12 March 2021

Resources:

Can a risk assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee, and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.

Better use of the third-party risk assessment questionnaire

Using the go-to “third-party risk assessment questionnaire” as a one-and-done exercise is an all-too-common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected, not just collecting it.

There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may be applicable to all vendors. But to assess a third party’s risk more accurately, it is important to customize the questions to match the vendor’s use case and scope.

This episode shares how an organization can start drafting these inquiries.

Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.

Beyond the questionnaire – communication is key

The issue of third-party management rests in the hands of both the company and the vendor. Clear, accurate, and truthful communication between both parties makes both entities ultimately stronger.

Building a stronger security ecosystem

This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.

The Atkinson 9

In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security. Listen now to find out what our guest said!
