Vice President, Third-Party Risk Management
As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor around strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.
DDoS Threats: Are Your Third Parties Protecting You?
In the next thirty seconds, jot down the top online service providers your organization uses.
Now, jot down service providers that may not be online but could be impacted by a distributed denial of service (DDoS) attack.
Take a minute to prioritize those vendors by criticality. How critical are these providers? How do they impact your day-to-day operations?
Next step…what is your next step?
There’s evidence that ransomware may be evolving beyond holding data hostage. In recent news, DDoS attacks were used as a threat against organizations, shutting down their internet connections and holding the organization for ransom. DDoS attacks aren’t new. And while this new use of DDoS may be alarming, we need to pause and look at how business works in our interconnected world.
I asked you to take the steps above to highlight that many of us aren’t prepared for a coordinated vulnerability or a threat response plan, in which we proactively ask our service providers about threats that could impact them, and in turn, impact us. And when we do have a plan, normally, it is painful and entails shooting out emails and combing through previous assessments and data and looking for controls that could mitigate a specific threat.
Keep in mind, a risk management and information security program which has a strong third-party risk management team—combined with a program that has a strong threat management team—will be in a great position to complete this analysis. Unfortunately, and quite often, this is not the case, leaving us and our partners in a critical position.
As I thought about how I would traditionally approach these threats, I have to admit my strategy is still the same, however, the details are a bit different. Let’s look again at the approach of Predict, Prevent, Detect, Respond and Recover.
- Predict — Determine when the likelihood of a third-party breach is rising. For this step of the strategy, you must watch for attacks that could impact your industry as well as the industry of your service providers.
- Prevent — Minimize the probability and/or impact of a third-party security breach. Establish how to prevent a third-party breach, and consider why repetitive security reviews and due diligence are necessary. For this step, you want to know your third parties and also look at business resiliency where key third parties are located. You also might take a look at specific controls from third-party attestations and certifications based on the threats you have identified.
- Detect – Learn how to detect a third-party breach, and why repetitive security reviews and due-diligence are necessary. Educate your business partners on reporting third-party outages to your team. Also, make sure contractual language exists in which third parties notify you of services impacting cyber attacks.
- Respond – Have a game plan for your team and the business when an attack or notice of an attack occurs. Ask yourself how you would understand the impact, source of the threat and how your organization would continue with business operations.
- Recover – Quickly recover or assist in the aftermath of a third-party breach. When you are recovering from a third-party cyber incident involving disruption of services, there could be impact to your clients, customers and stakeholders. Determine if you are ready to respond publicly as an organization in the case that one of your third parties has an incident. Remember, you might not be able to share details immediately, at least not publicly. Have a solid post-incident PR plan in place for these situations.
As we develop more and more interconnected and service-based business processes, we certainly will be faced with challenges from third-party breaches and cyber incidents. While this might not be your top concern as a security organization, evaluation of the problem and threat from a business perspective warrants having serious discussions. You can put an effective cyber-security roadmap into place today to mitigate issues in the future.