By Mick Brady
There are no indications of settling in the tech environment as the global health crisis wanes; cloud security threats continue to evolve as cloud services expand. Organizations that aggressively ramp up their defensive strategies and reinforce their security mindset will gain an edge, but it may not be clear how to accomplish those goals efficiently.
A recent survey from Proofpoint and the Cloud Security Alliance (CSA), "Cloud and Web Security Challenges in 2022," identified three top cloud security concerns:
- Protecting data
- Managing risks associated with third-party relationships
- Adjusting to the digital transformation
In a recent conversation, lead author Hillary Baron, senior technical director for research at CSA, suggested some ways security professionals can keep up as their organizations’ reliance on the cloud expands.
Revisit Your Data Security Strategy
It’s important to develop an encompassing strategy that covers both breach prevention and response. An effective backup plan, strict access management, and compliance are three critical areas to address. However, developing a strategy is just the beginning—it must be updated and evaluated continuously to ensure alignment with the organization’s evolving needs.
Check your backup plan. “A robust backup strategy is always great as a fallback in instances like ransomware,” said Baron. “There can be some issues if it isn’t included in a whole strategy, though. With backups, if you even lose half a day’s work or half a day’s data, that could still potentially be pretty damaging. So, making sure those backups are as up to date as you can get them—that’s a big thing.”
It’s important to know how to transition to your backup as quickly as possible, to know who’s doing what and under what circumstances. It’s ideal to run a drill, Baron suggested, because “talking about a fire drill is very different than actually going through with it.”
Lock down access. Make sure that access is locked down to protect against lateral movement within the network in the event an individual account is compromised, Baron advised. In addition to placing tight restrictions on access, encrypt sensitive data so that intruders will find it unusable.
Take compliance seriously. “Make sure you maintain your compliance, because that’s going to be a really big deal if you’re breached,” Baron said. A breach will be a lot less of a headache, particularly from a legal perspective, if the requirements of applicable laws and regulations are met.
Secure your supply chain. “There’s a huge emphasis right now on supply chain attacks. There’s a lot of concern around that currently because once attackers find something that works, they like to continue to use it,” Baron noted.
Vet third parties. Make sure you investigate your vendors before signing them, she advised, noting that big isn’t always better. “I think sometimes that’s an assumption that folks will make,” said Baron, “but the large companies still have their own problems. So, understand who your vendors are, understand what their privacy and security strategies are.”
Comparison shop. Investigate whether vendors are adhering to their own compliance requirements. And if they have any certifications outside of what’s required, that could be a plus. “CSA’s STAR program [Security, Trust, Assurance, and Risk] will let you know what a vendor is doing in terms of its cloud security strategy and what controls it has in place,” said Baron. “Take advantage of programs like that to compare their strategies before engaging vendors.”
Change, Adapt, Evangelize
As if it weren’t challenging enough to maintain an effective cloud security posture in the face of rapid digital transformation and pandemic-related workforce changes, the ongoing cybersecurity skills gap adds another layer of difficulty.
Automate threat prevention. Make sure automation is in place for as many processes as possible, said Baron. “People are in really high demand. Everyone’s trying to outpay the competition to get someone on the job, and then those people are overworked because there aren’t enough people to go around. So then they’re exhausted. They might be making errors because they’re not able to take enough time off or, at best, they’re working while stressed. People are leaving the industry because of that. It’s a huge problem.” A mind-boggling 95% of security breaches are traced back to human error, she noted.
Use open source tools. Automating with open source tools can be very cost-effective, especially for small security teams, Baron said. “There are lots of open source projects out there that will do free scanning. You can run scans on IP ranges and networks to check for vulnerabilities, and that’s something that’s a quick win, something that doesn’t leave room for human error.”
Build relationships. Security training should be built into the fabric of the organization. “Sometimes organizations will view it as something they need to do in order to adhere to certain compliance requirements,” Baron said, but “in order to make a lasting impact it has to be consistent messaging. It has to be consistent coaching.” Mistakes should be addressed in real time—not weeks later when recollections have gotten foggy, she cautioned. Also, make sure security requirements don’t hinder staff from getting their jobs done.
Keep Learning
“Some of this is just going to come down to good old-fashioned research,” Baron acknowledged—that is, digging through Twitter threads and Reddit and so forth. To really be up to date, it may be helpful to attend some conferences, she suggested. Further, “there’s lots of industry organizations that have newsletters that can break down what’s going on in a particular space. A lot of people have security alerts (e.g., Google Alerts) for specific terms so that they know if something’s changed in the space or if there’s a lot of news surrounding a particular topic.”
For further information, Baron recommended CSA's "Top Threats to Cloud Computing: Pandemic Eleven." In addition to listing the 11 top current threats, it identifies who's responsible and where the risk resides in the architecture and lists potential business impacts and the security controls relevant to each.
Mick Brady is a Ventura, Calif.-based freelance writer and past contributor.