Monitoring Third-Party Breach Risks
BitSight's Stephen Boyer on the Merits of Continuous Monitoring
Target is the high-profile example, but many organizations have been breached through third-party vulnerabilities. Where are the security gaps, and how can they be filled? BitSight's Stephen Boyer offers insight.
Boyer, CTO and co-founder of BitSight Technologies, sees the Target breach as transformational for the industry. It showed that a CEO could be fired as a direct result of a breach.
"Now what we're seeing is boards of directors getting much more involved," Boyer says. "They're asking questions about cybersecurity performance."
And they want to know specifically which of your third-party service providers leaves you most vulnerable to a breach.
As organizations examine these relationships, they also increasingly turn to continuous monitoring solutions. "[This movement] is a lot different from what has typically been done in the past. [It asks,] 'How do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?'"
In an interview about data breaches and third-party risks, Boyer discusses:
- How recent breaches have deeply impacted organizations;
- Results of a new Forrester survey of third-party risks;
- How continuous monitoring can help organizations reduce these risks.
Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he has worked at Saperix, Lincoln Lab and Caldera.
TOM FIELD: In the past year, we've seen so many high-profile data breaches. I'm thinking about Target, but certainly there were others, and they resulted from third-party vulnerabilities. As I talk with security leaders, I certainly hear their frustration in trying to mitigate something that they can't control and to prepare their organizations to respond to an incident that really doesn't happen within their purview. Does that match what you've seen in the past year as well?
STEPHEN BOYER: Absolutely. I think you articulated it really well. It has been very transformational over the last year. I would say the Target breach, having the CEO let go from that, has really been a transformational event for the industry. Now what we see is that boards of directors are becoming much more involved. They're asking questions around cybersecurity performance and also wondering how we are doing with respect to our supply chain and our third parties in trying to mitigate those risks. That's moving up to the board level.
Additionally, what we're also seeing is risk transfer options. Companies realize that even if they invest heavily in security and train their staff, there's always some risk or some threat that they can't account for that they want to be able to transfer into cyber-insurance. We're seeing a growth there.
Then, also, we're seeing legislators perk up and become much more interested and asking more questions than they previously had been, specifically with respect to third-party risk management.
Impact on Breached Organizations
FIELD: You make a good point. I traveled to a lot of places all over the world in the past year, places where you never will find a Target store, but everybody knows about the Target breach because it resulted in the CEO losing his job. When you look back on Target and some of the other high-profile breaches, what do you see as common threads in terms of the impacts on the organizations that were breached?
BOYER: It really kind of depends on the situation of the company and their industry. But what we've seen is that companies have moved to an outsourcing model. For all the variety of efficiencies that exist in terms of cost and capability, outsourcing has opened up their networks and provided data to someone else, and they've increased that trust relationship, which has been a very difficult thing to manage and mitigate. "I'm now moving the perimeter of my company and I'm extending the enterprise out to a variety of different companies." That could be somebody who's providing heating and ventilation; that could be someone else who's providing some sort of IT services. They all have access into data or into the networks, and those are points of vulnerability.
FIELD: You just conducted a new survey with Forrester that's on third-party risks. Can you share with me some of the key findings?
BOYER: Absolutely. What Forrester found as they talked with executives across the U.S., UK, France and Germany is that they are outsourcing. They have to, right? The efficiencies are just too powerful. But they are looking for better ways to manage those risks. They're looking for solutions that are much more data-driven, that are scalable, and allow them to operate with roughly the same resources and budgets that they have, which is a challenge. But they're really looking at, "How are we doing things today, and how can we get better visibility?" For us, it's seen as a move toward continuous monitoring, which is a lot different from what has typically been done in the past. It asks, "How do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?"
Forrester surveyed these IT security professionals and asked them, "What are your critical priorities going into the next year?" Eighty-two percent, which is the highest group, said they're really concerned about regulatory compliance, which is at the highest criticality level. But just behind it, at 79 percent, was ensuring that their business partners complied with their security requirements. Right up there with worrying about regulators was looking at this third-party risk, and they looked at a variety of different factors that could be measured and understood from a third-party perspective. But what we learned is that about two-thirds, or 60 percent, really wanted to be able to track and monitor, but only about 20 percent were actually doing something on a regular basis, monthly or greater. There's this really large window and spread between those who really want to be able to do it and those who are actually doing it.
Then when Forrester asked, "What kind of impact would you see by actually doing more continuous monitoring?", 65 percent predicted a major or moderate benefit from doing critical monitoring of third parties, and, particularly, 63 percent thought it would help them screen their vendors. Another 62 percent thought it would actually help them manage the configurations and understand the vulnerabilities of those third parties.
FIELD: That's a great topic, monitoring. Where do you see the gaps in how organizations are currently monitoring security, specifically in their third-party relationships?
BOYER: Typically, today everything is done through questionnaires, which are mostly self-reported; sometimes [there are] audits onsite. Occasionally there will be penetration tests and scans, but they're very episodic. They're usually done at most once a year. We see [that] with large organizations. And there's a huge time window there between the time you do the assessment and when you have visibility, given how dynamic the threat landscape is.
The other challenge there is doing that at scale. There are global organizations that have literally thousands of third parties that have access to their data or their networks. Scaling to something like that is a real challenge. Oftentimes this process of manual questionnaires really only accounts for a fraction, typically at the highest criticality set of vendors. The reason why they don't do the entire set is because it's costly. It's costly from a resource perspective and from a talent perspective. By the time they get through it, a lot of things have changed. The big gap is how do I get to empirical measurement, get it in a timely way and how do I scale that across my ecosystem? [Those] are some of the big challenges that these organizations face.
Role of Continuous Monitoring
FIELD: In talking about those gaps, what do you see as the role of continuous monitoring to help fill them?
BOYER: The name of the game here is visibility and risk management. If you do not have visibility, if you do not have any measurement, it's really hard to go and take mitigation action. It's hard to have that data-driven conversation with a third party if all you have is the result of a questionnaire from six to eight months ago, even if the threat landscape has changed. What we've learned in government and other places is the movement toward much more empirical measurement to drive better risk management. Continuous monitoring is just upping the frequency. What can I empirically derive at a high frequency to help me focus and prioritize on what may be a risk to me now? That could change from week to week and month to month. If you're not watching on a frequent basis, you're going to have gaps. We're seeing a lot of regulation and best practices come out where they're moving toward continuous monitoring. Because the threat landscape is so dynamic, you need to be able to detect and address issues very quickly, by upping the frequency toward continuous, and continuous may be day over day or month over month, but certainly not year over year. You're improving the visibility and you're able to better manage those risks.
Tackling the Risks
FIELD: BitSight is all about monitoring. How are you helping your customers monitor and respond to the third-party challenges we talked about today?
BOYER: We are seeing our customers use security ratings in a variety of different ways, as we are rating companies and monitoring the different activities that we can empirically measure. We're seeing them even just outside of vendor risk management. From benchmarking an organization's performance, I bet they report up to the board - "here's how we're doing compared to our peers, compared to the competition, compared to our industry" - up to negotiating cyber-insurance premiums with carriers and due diligence in mergers and acquisitions.
One interesting story is we heard about an organization that had gamified security by using security ratings and the updated monitoring to track their performance. "How are we doing? Are we getting better over time, as compared to what BitSight sees?" We've actually heard from several of our customers that they're using the security ratings and the monitoring to apply pressure to vendors to get additional testing and to improve or up cyber-insurance policies. They're managing and doing that risk transfer in that way so that they can understand how [they] manage those risks over time.
Then [there are] also conversations. These are conversations that are happening based on data and measurement. We've seen one of our customers who was watching one of their third parties, saw an issue and went to that organization and identified that issue before major data loss. It's just [being] much more proactive as opposed to waiting for that phone call when they're announcing a major data breach.
Changing Threat Landscape
FIELD: As we know, these breaches don't occur overnight, the challenges don't arise overnight and the solutions aren't going to come overnight. Bottom line: where can organizations start this process of getting a better handle on their third-party risks so that they're not the ones issuing that breach notification?
BOYER: I think it starts with the recognition that the landscape has changed. The Forrester survey and everything that we've seen from the regulators and the landscape has said that the status quo is no longer sufficient. When you look at organizations that are doing the manual assessments, they need to move to continuous monitoring. If you're not doing anything, you really need to be aware of the risks that you're undertaking and put a program in place. What we're seeing is organizations using security ratings and continuous monitoring as really a minimum standard of care. This is where I can start in a very time- and cost-efficient way, and now I can prioritize my efforts. Now I can focus where there is a risk, and they can really work to improve. I think that we see the landscape changing where [with] Heartbleed and POODLE, those things came out virtually overnight. If you did not have an answer, if you didn't have a way to go back, you just didn't really understand the exposure that you had.
What we're seeing is organizations adapting really novel and new ways of getting better information, driving those conversations with third parties, doing it in a very timely way, so they can better manage their efforts and do that in a way that they are maximizing the budget that's given to them rather than focusing on the risk that can negatively impact the business that we've seen in so many companies over the last year.