October 7, 2020

Last Updated on January 14, 2024

With so much critical data now residing in the cloud, and so many newly mobile workers now dependent on cloud-based services, third-party risk management (TPRM) is more vital than ever. Dealing with vendors can significantly increase an organization’s cyber attack surface, as evidenced by the fact that over half of current data breaches involve a vendor.

But when it comes to managing third-party risk, is the added risk all on the vendor? Or is some, most or all of it on the client side?  

Answering that question can be challenging, especially if your TPRM program (assuming you have one, which many SMBs don’t) is based on one-size-fits-all vendor questionnaires that do a poor job of evaluating risk on the vendor side—and nothing to address risk on the client side. 

To help streamline, scale and sharpen TPRM, Pivot Point Security has extended an expert system we developed to improve risk assessment for our clients seeking ISO 27001 certification. The results have been outstanding to date, making us eager to share our “better, faster AND cheaper” risk management approach with a wider audience.

In a special episode of The Virtual CISO Podcast, John Verry, Pivot Point Security’s CISO and Managing Partner, and Kevin Hermosura, our TPRM practice lead, discuss how this paradigm-busting TPRM solution works and the problems it solves for SMBs.

One of the most powerful and unique benefits of our expert system (we call it Accelerated Risk Management, or ARM for short) is its ability to analyze not just the risk that a vendor’s security posture presents to a client, but also the risk that the client’s own business practices present in relation to that vendor.

When ARM creates a custom, “right-sized” questionnaire for a specific vendor, it also creates a questionnaire for the client’s internal use. The purpose of this second questionnaire is to help the client understand risks in their internal control environment.

As Kevin explains, “The reason we do that is because of the shared responsibility model. We need to take a look at our internal controls as well as the vendor’s controls, and combine those two analyses into what I call total solution risk.”

Take a vendor that provides office custodial and plant-watering services. To evaluate total solution risk you’d want to gather risk-related information in two areas:

  1. Does the vendor do background checks on its employees, appropriately secure your billing/payment data, etc.?
  2. Are your internal controls (clean desk policy, closed circuit TV, electronic badging, etc.) sufficient for secure custodial access?

Or what about a SaaS offering like Salesforce? Does the fact that the vendor can provide a SOC 2 or ISO 27001 security attestation mean that your data is secure? Not if you fail to implement multifactor authentication, give all your salespeople admin levels of access, let everybody use weak passwords and never do any security awareness training. It’s the combination of your controls plus Salesforce’s controls that determine total solution risk for that relationship.

“I find it remarkable that when we consider outsourcing a solution we don’t consider our contribution to the security of that solution,” shares John. “ARM forces us to consider that [shared responsibility].”

Indeed, the conventional TPRM approach and mindset inherently puts the onus on the vendor’s controls. But when it comes to scenarios such as SMBs contracting with global cloud leaders like Microsoft or Google, it’s likely that the client’s controls (or lack thereof) present the bulk of the cyber risk.

“I can’t count how many times I’ve seen some sort of system misconfiguration, ‘SSH open to the world’ kind of thing,” echoes Kevin. “If there’s an AWS S3 bucket that’s exposed, that’s on you, not on Amazon, right?”

If your business would benefit from radically improving the cost, time and results of its TPRM program, or would like to start a TPRM program on the best possible foundation, don’t miss this special episode of The Virtual CISO Podcast with Kevin Hermosura.

Click here to hear the complete show and access all the other episodes of The Virtual CISO Podcast as well.

If you don’t use Apple Podcasts, you’ll find all our episodes here.
