CISOs are acutely aware of the complexity and threats resulting from the increase in third parties accessing their data, whether it’s suppliers, outsourced providers, contractors or business partners.

Vetting hundreds and possibly thousands of businesses and agreeing and monitoring strict contracts is great in theory but can be very difficult in practice. While there are plenty of ideas, the cyber security profession lacks a comprehensive solution to this conundrum, with all CISOs working to find ways to verify the reliability and continuing security of third parties.

Collective threat intelligence helps satisfy regulatory challenges and makes the community stronger

Prasad Jayaraman
Americas Region Cyber Security Leader and Principal
KPMG in the US

Towards greater trust

Addressing the challenge

As they face the challenges of securing data across multiple parties, CISOs have a number of options.

Tightening up the supply chain

Contracts and compliance are an obvious place to start, with clear guidelines on due diligence before signing a contract, and more controlled and restricted access for third parties, if there’s a concern they can’t meet the required cyber security standards.

Automation also has a role to play, building machine learning and establishing automated risk assessments, which is a good way to manage the scale of the problem, with many companies already facing a backlog of a thousand or more vendor assessments.

Until you build a solid platform consisting of operations, SecOps and security by design, purely to give a strong secure foundation, you can’t build outward to handle third party stuff. Don’t run before you can walk or a basic vulnerability will take you out.

Andy Powell
CISO, Maersk

Intra-industry collaboration

There’s a broad acknowledgement that CISOs cannot solve this problem alone, a point emphasized by Greg Day, VP and CISO, EMEA, Palo Alto Networks: “We need to build industry communities to allow data sharing, coordinating at an international level, with more sharing of key cyber threats, rather than just trend analysis.

Working with a range of stakeholders

KPMG thinks

There’s no quick fix to the threats inherent in the complex web of relationships that characterize today’s supply chains and outsourcing environment.

Industries like financial services have shown the value of collaboration across a number of common challenges. Working together to share intelligence and knowledge, to learn from others and present a united front, benefits all the players. Philipp Südmeyer, Group CISO, Munich Re, says “A lot is about personal relationships; when you know and trust people, you can talk about x, y and z and build deeper relationships.” This extends to relationships with regulators, to work as a team to proactively manage cyber security issues and defend communities

In the UK, for instance, the Active Cyber Defence (ACD) program’s stated aim is to 'Protect the majority of people in the UK from the majority of harm caused by the majority of cyber attacks the majority of the time’ — a concept that could be applied to broader ecosystems to defend against an increasingly aggressive and sophisticated threat landscape.

As we become more virtual and digital, CISOs’ role moves away from being enterprise-centric, recognizing that they’re not alone. Collective threat intelligence helps satisfy regulatory challenges and makes the community stronger.

Prasad Jayaraman
Americas Region Cyber Security Leader and Principal
KPMG in the US

A new era of cooperation

Conventional third party security offers the illusion of confidence. Embedding security into contracts offers limited assurance, while point-in-time assessments don’t give a real-time view of third party risks — and can become unmanageable as organizations begin to consider fourth, fifth and even sixth party providers.

In addition to addressing in-house concerns, CISOs must turn their attention to playing their part in securing the wider ecosystem through collaborative action.

Coming soon

In early 2022, KPMG will be presenting a new piece of thought leadership on the third party cyber security threat and the need for collaboration to protect the cyber security ecosystem — look out for this on kpmg.com, LinkedIn and Twitter.

Explore more articles from this report