Organizational cybersecurity leaders manage countless risks on the job. While chief information security officers (CISOs) and other cyber stakeholders aim to mitigate and prevent security threats within their institutions, it is important to look closely at third-party vendors when deciding whether or not to enter into a partnership.
Security leaders discussed how to manage third-party cybersecurity risk at the Information Security Media Group (ISMG) Cybersecurity Summit, detailing the steps they've taken at their institutions to maintain data privacy compliance.
1. Vetting third-party software vendors
With the number of cyber threats facing organizations today, it's important for CISOs to focus on what they can control. When Shefali Mookencherry, CISO and System Director of Information Security at Edward-Elmhurst Health, helped secure the organization during a recent merger, she focused on the importance of vetting third-party vendors. Using NIST standards, it can take four to six weeks to ensure vendor cybersecurity, according to Mookencherry.
"One of the things that we do control very strictly is our vendor supply chain management — looking at our vendor security, risk assessments and understanding what is it that the vendor is coming to us with," said Mookencherry. If the vendor doesn't meet an organization's security standards, "[CISOs] have the ability to say no — we have that control."
2. Increasing risk awareness organization-wide
Karen Habercoss, Chief Privacy Officer at the University of Chicago Medicine, believes that breaking down internal silos can help reduce vendor risk. When the security, privacy and legal departments communicate about vendors throughout the investigation and onboarding process, a variety of perspectives enters the discussion about the third-party partnership, and cybersecurity risks are more likely to be identified and mitigated.
"Privacy and security both are not often brought in organizationally from the beginning," said Habercoss. "So many times, we hear about initiatives after [they are] much further down the road, and we could have had a bigger impact. If we would have known sooner, we might have architected something differently or made comments about how policy might have happened."
3. Ongoing check-ins
The cybersecurity team's role doesn't end after vetting a third-party vendor. Ashley Huntington, Compliance Officer and Interim Privacy Officer at Cook County Health, spoke about the importance of continually checking in with vendor partnerships.
After screening and signing a contract with a new vendor, the solution's integration team began asking for unexpected data from Cook County Health. When a security team member flagged this activity and brought it up to the legal department, they were able to identify the issue as a matter of contract interpretation and, ultimately, protect the data of their users.
"It really was a case of the vendor's legal and operations teams not communicating it to their implementation team," said Huntington. "Communicating to the organization that if you really sense that something could be wrong — it doesn't matter if you're a product manager, a CISO or a privacy officer — if you sense that something might be wrong, it is okay to put the brakes on it and check in with your folks first."