Third party risk assessments – are you doing them wrong?

Third-party risk assessment companies pop up everywhere like mushrooms after a summer rain.

Does your responsibility end with using one to qualify a vendor against your security standards?


Vendors get hacked all the time, and companies like Apple blame vendors like Quanta for the breaches they experience. After all, Quanta Computer Inc. passed the third-party risk assessment check, they signed all the contracts related to their responsibility in the event of a breach, and the responsibility for the breach ends with them, right? 

Wrong. 

Warning: this article will be fairly long. In short: I believe it is the mastodon-sized clients (Google, Microsoft, Apple) who are responsible for the security of smaller and much weaker vendors like Quanta. 

Why? 

Because the leverage lies with them: the security knowledge and experience, the system hardening, the adherence to security standards, the ability to build secure infrastructure!

Apple, Google, Amazon, and Microsoft have tens of thousands of security engineers, developers, and lawyers. 

They are the ones who can build a safe operating template for their vendors and ship it to them as code, as instructions, or even as hardware!

Let’s make some basic comparisons here. 

Let’s say you wanted to build a house.

Conditions: You possess the ultimate library of knowledge on architecture, the laws of physics, material science, economics, and design.

You share only minute details of this knowledge with the architect and the construction company you contract to build the house. 

Can you blame the construction company for a failure or a defect in your house, which was ultimately due to them having orders of magnitude less information about the laws of physics, material science, economics, and design than you do?

Let’s get back to our vendor example above, Quanta Computer Inc. 

Yes, they got hacked, and Apple data got stolen by hackers. 

Could Apple have sent a set of secure servers and desktops to Quanta Computer Inc, so that even if Quanta Computer Inc's complete network got compromised, those secure servers and desktops and the encrypted data on them would remain intact? They could have. 

Now, Quanta Computer Inc had Microsoft and Google as clients, too. 

Could Microsoft and Google have done the same? The ultimate knowledge of how their data needs to be protected and the ultimate practical skill to do it is with Google, Apple, and Microsoft, not with their vendors. 

Having the absolute advantage of security experience, the largest companies on earth could develop secure operating environments as code and deploy them securely in their own clouds. 

In my opinion, they should not place all their eggs in a flimsy basket of a vendor and then blame the vendor for a security breach because the vendor passed some basic third-party security assessment. 

Larger companies, especially the largest companies out there, have the ultimate responsibility of sharing information on protecting their own data with their vendors. 

But wait, you say, they have published all of that information as documentation online! It is all available!

Really? Is it? And how can a vendor with an almost-non-existent security workforce follow the equivalent of 100 000 pages of instructions without the experience to do so?

Legally, you could blame the vendor. After all, they signed the document, and they legally take all the blame for a breach in their network. 

But… 

From a moral and, most importantly, practical perspective, it is the ultimate and final responsibility of their largest clients to enable the vendor’s security team and practices. 

One might say: “But it is the vendor who got hacked” – and they will be partially right. 

Why partially? Because who gets to pay the final price of damage to their clients, reputation, and recovery from the loss of data? The client, not the vendor. The loss for the client may well be worth tens of times the whole capitalization of their vendor. So if the client’s data was the ultimate objective of the hackers, was it really the vendor who got hacked? 

If the client had all the knowledge and power to protect the vendor or at least the data and the part of the vendor’s infrastructure where this data resided and was worked on, is it really the vendor who gets hacked in the end?

In my opinion, it doesn’t matter how many vendors and their subcontractors and their subcontractors get hacked to get to Apple’s, Google’s, or Microsoft’s (or yours!) data. In the end, hackers get to the client’s data; they don’t care about the middle man. They don’t care if you had a negligent vendor – they want your data!

And if you want your data secure, if you have the means, knowledge, and experience to secure it, if you KNOW that the vendor you chose has fewer security engineers and less experience in protecting against advanced adversaries than you, then it is your responsibility to help them protect your data in the best way you can!

Do you really want to solve the problem, or are you just playing around with blame games?

Clients, if you can protect your vendors by simply creating a secure operating environment for them, please do. 

Especially if you are the likes of a multibillion-dollar or even a trillion-dollar corporation with a cybersecurity workforce the size of a small town. 

Because making a small vendor sign 500-page contracts and fill in a microscopically basic third-party risk assessment questionnaire, measured against the global hacking threat and the global adversary knowledge, does not solve your own problem of protecting your own data.

So how do you do a third-party risk assessment without playing Russian roulette?

Be realistic about your requirements for a vendor compared with the value of your data and their ability to defend it. 

Everyone and their uncle's dog can send a boilerplate set of requirements to a vendor, along with a contract that ultimately pins the blame for any security breach on them. 

What do you really want? 

Do you want to place the blame on someone in advance? Cover your ass? 

Or do you actually want to protect your data, help your vendor protect your data, and ultimately protect your business and your own clients?

If it is the latter… stop depending on the damn third-party risk assessments and the vendors doing them. Start doing your best with the resources you have and help your vendors do what they do best – their business. Their business is not cybersecurity. Their business is developing software, doing graphic design, producing physical products. Yes, they have some responsibility to hire a cybersecurity workforce and do their best at protecting your data. 

But if you can dramatically change their life by just shipping them a bunch of hardened virtual machines for their servers and desktops, why don’t you just do that? Wouldn’t it be thousands of times cheaper than dealing with the fallout of a major breach?