Ohekpeje Odey, CC shares his experiences of the pros and cons of using external risk assessments, rather than just those carried out by your own cybersecurity team, to analyze the cybersecurity status of an organization.

As cloud environments become increasingly important for organizations, third-party risk assessments (here meaning security assessments performed by an external party, not assessments of your own vendors) have emerged as a common practice to identify potential security issues. These assessments often include vulnerability scans and checks for misconfigurations.

Recently, our company brought in external vendors to perform such scans on our cloud resources. My team worked with resource owners to address the recommended fixes. However, we discovered that many findings were in fact false positives.

The external assessors lacked the context to understand why certain configurations were in place, as our internal teams follow best practices tailored to our specific environments and unique situations. This experience highlights both the benefits and the challenges of third-party risk assessments in cloud security, where understanding context is crucial. Let's explore these advantages and limitations and discuss strategies security professionals can use to get the most out of third-party assessments while managing their drawbacks.

The Upside of Third-Party Risk Assessments

From my experience, there are four clear positive aspects to pursuing a third-party assessment approach:

  • Fresh Perspective – External assessments bring a fresh set of eyes: people who have not lived with a given system or infrastructure the way insiders have, and who therefore do not share the insiders' blind spots. This outside view is especially useful where control effectiveness or compliance with industry standards is in question.
  • Experience and Equipment – Third-party vendors bring specialist skills and purpose-built tooling for assessing intricate cloud environments. For organizations that lack the resources to maintain that expertise in-house, these assessments provide access to an expert opinion on their security posture, which can raise the overall level of security.
  • Standards Alignment – Third-party assessments help map an organization's controls to industry frameworks such as NIST, ISO, and CIS benchmarks. That mapping supports regulatory compliance and audit preparation, which can reduce the time and money spent getting ready for an audit.
  • Handling Growth – As organizations grow, their cloud environments become larger and more distributed. Third-party vendors can offer a systematic risk review of large cloud infrastructures, which is particularly helpful in hybrid environments where on-premises and cloud systems must be managed and secured together.

The Challenges of Third-Party Risk Assessments

At the same time, my experience highlighted several clear issues and obstacles that need to be considered and dealt with when using an outside risk assessment perspective:

  • False Positives – One of the main problems with third-party assessments is that the number of "false positives" can be high: findings that look high risk but are not real vulnerabilities because a compensating control or an intentional configuration already addresses them. Strictly, the scanner often did observe what it reported; what is missing is the organizational context that makes the observation harmless. Because external vendors lack that context, findings are misread, and remediation effort is spent on fixes that are inefficient or simply not needed. The right response is usually to document the compensating control, not to re-argue the finding at every assessment.
  • Missing the Big Picture – Outside vendors may not be fully aware of an organization's wider security architecture. This can lead to recommendations that make no sense for a given production environment. For example, patterns that conform to internal best practices may be flagged as vulnerabilities, and time and money may be spent "fixing" them even though they present no risk.
  • Cost Considerations – Outsourcing to third-party suppliers is costly, especially when an organization already has good internal controls that address many of the risks involved. When an assessment mostly surfaces false positives, its value for money diminishes. Pricing models that charge per resource or per assessment cycle can become very expensive for organizations with a large cloud footprint.
  • One-Size-Fits-All Approach – Third-party vendors tend to follow a structured, contract-defined methodology, which sometimes produces recommendations that ignore the organization's risk appetite or operational realities. Security teams may receive lists of low-risk vulnerabilities to address that do not fit the company's plan or risk tolerance, creating work that adds little or nothing to the organization's security.

Making the Most of Third-Party Risk Assessments

To effectively balance the benefits and challenges of third-party assessments, organizations can try these strategies:

  • Set Clear Goals – A clear scope and set of objectives keeps the assessment focused on the areas that actually carry risk and greatly reduces the chance of spurious findings. When these parameters are agreed with the vendor up front, the outcomes of the assessment are far more meaningful.
  • Provide Context – Sharing documentation of existing controls, accepted risks and the security architecture with the vendor, under the engagement's confidentiality terms, lets the assessors understand why the environment is configured the way it is. This reduces false positives and helps the assessment produce findings that are both accurate and actionable.
  • Integrate External and Internal Checks – Third-party assessments should complement and reinforce an organization's internal audit work rather than replace it. By periodically assessing the environment internally and monitoring it continuously, the organization can validate third-party results and stay in control of its security issues. This reduces dependence on outside evaluations while retaining their advantages.
  • Focus on High-Risk Issues – Not every finding a third-party firm reports needs to be fixed; triage the findings and work on what the security team judges most important. Record the decision for each finding that is accepted rather than fixed, with an owner and a rationale, so the same item is not re-litigated in the next assessment. Targeting high-risk areas lets teams manage their resources and ensures key risks are tackled without getting bogged down in less relevant issues.
  • Adjust Assessment Frequency – Organizations with mature security programs arguably need external assessments less often. Setting the assessment cadence according to risk, regulatory requirements and past results keeps resource allocation and costs under control and produces a schedule suited to the organization.
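The false-positive problem described earlier and the strategies above (scope, shared context, focus on high-risk findings) come together in one concrete step: triaging the vendor's findings against an internal context register before anyone starts fixing things. The following Python script is an added example written for this article; it is not the author's code nor any vendor's tooling. Every resource name, rule identifier, exemption and finding in it is constructed sample data, and the register format is an assumption chosen for the illustration. Each exemption carries a compensating control, an owner and a review date, so that an accepted risk is documented once and expires rather than living forever.

```python
"""Triage third-party cloud scan findings against an internal context register.

Added example for this article, not the author's or any vendor's code.
All findings, exemptions and resource names are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    id: str
    resource: str      # cloud resource identifier (constructed naming scheme)
    rule: str          # vendor check identifier (constructed)
    severity: str
    detail: dict = field(default_factory=dict)


@dataclass
class Exemption:
    rule: str
    resource: str
    when: dict         # extra conditions the finding's detail must match
    control: str       # compensating control, or why the configuration is intentional
    owner: str
    review_by: date    # exemptions are re-validated by this date, not kept forever


# Constructed context register: exactly the information worth sharing with the assessor up front.
CONTEXT_REGISTER = [
    Exemption("sg-open-to-world", "prod/sg-web", {"port": 443},
              "Internet-facing ALB with WAF in front, HTTPS only", "web-platform", date(2025, 12, 31)),
    Exemption("s3-public-read", "prod/static-assets", {},
              "Static website bucket, public by design, holds no customer data", "web-platform", date(2025, 12, 31)),
    Exemption("rds-public-endpoint", "prod/reporting-db", {},
              "Legacy exception that was supposed to be removed", "data-eng", date(2024, 1, 31)),
]

SCOPE_PREFIXES = ("prod/",)   # only production resources were in scope for this (constructed) engagement
TODAY = date(2025, 6, 1)      # fixed date so the sample run is deterministic


def in_scope(finding, prefixes=SCOPE_PREFIXES):
    return finding.resource.startswith(prefixes)


def find_exemption(finding, register=CONTEXT_REGISTER):
    """Return the exemption covering this finding, if its rule, resource and conditions all match."""
    for ex in register:
        if (ex.rule == finding.rule and ex.resource == finding.resource
                and all(finding.detail.get(k) == v for k, v in ex.when.items())):
            return ex
    return None


def triage(findings, today, register=CONTEXT_REGISTER, prefixes=SCOPE_PREFIXES, min_severity="medium"):
    """Sort vendor findings into buckets: out of scope, covered by a documented control,
    covered by an exemption that is overdue for review, below the agreed severity threshold,
    or genuinely actionable (ordered highest severity first)."""
    result = {"out_of_scope": [], "covered": [], "expired_exemption": [],
              "below_threshold": [], "actionable": []}
    for f in findings:
        if not in_scope(f, prefixes):
            result["out_of_scope"].append(f.id)
            continue
        ex = find_exemption(f, register)
        if ex is not None:
            if ex.review_by < today:
                # The control may no longer exist; send it back to the owner rather than silently accept it.
                result["expired_exemption"].append((f.id, ex.owner))
            else:
                result["covered"].append((f.id, ex.control, ex.owner))
            continue
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[min_severity]:
            result["below_threshold"].append(f.id)
            continue
        result["actionable"].append(f)
    result["actionable"].sort(key=lambda x: SEVERITY_RANK[x.severity], reverse=True)
    result["actionable"] = [x.id for x in result["actionable"]]
    return result


# Constructed sample of what a vendor report might contain.
SAMPLE_FINDINGS = [
    Finding("F-1", "prod/sg-web", "sg-open-to-world", "high", {"port": 443}),   # covered: ALB + WAF
    Finding("F-2", "prod/sg-web", "sg-open-to-world", "high", {"port": 22}),    # same rule, but SSH is not exempt
    Finding("F-3", "prod/static-assets", "s3-public-read", "high"),             # covered: public by design
    Finding("F-4", "prod/customer-db", "rds-public-endpoint", "critical"),      # real problem
    Finding("F-5", "prod/reporting-db", "rds-public-endpoint", "critical"),     # exemption expired
    Finding("F-6", "dev/sandbox-bucket", "s3-public-read", "high"),             # out of scope
    Finding("F-7", "prod/audit-trail", "log-validation-disabled", "low"),       # below threshold
]


def run_sample():
    return triage(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for bucket, items in run_sample().items():
        print(f"{bucket}: {items}")
```

Note what the context register does to F-1 versus F-2: the same vendor rule on the same security group is a documented design decision on port 443 and a genuine finding on port 22, a distinction the assessor cannot make without the register. F-5 shows why exemptions need a review date: the documented control was never removed, so the triage hands it back to its owner instead of quietly waving it through.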

Third-party risk assessments of cloud environments can strengthen an organization's security. They also bring particular problems, above all false positives caused by the assessor's lack of context about the organization. The right approach is to use external consultants for specific parts of the assessment while supplying the internal knowledge they lack, so that the evaluation delivers its full potential.

When properly scoped and structured, third-party assessments give security professionals valuable insights and findings. They work best as a partnership with the vendor, complementing internal efforts and strengthening cloud security in a cost-effective way.

Key Takeaways

  • Understand the value that third-party risk assessments offer, as well as the limitations of any assessment model that does not consider all facets of cloud security.
  • Give security decision-makers the critical insights and tools they need to engage assessors successfully.
  • Navigate the sometimes confusing array of strategies and challenges that affect security in the cloud.

Ohekpeje Odey, CC is an information security engineer with experience in cloud security and risk management. He currently supports secure cloud infrastructure practices within the healthcare industry.