Third-Party Risk Management Vs. Provider’s Accountability

By Antonio Ramos Garcia, CISA, CRISC, CISM, Jonah

Monday, 11 November 2019

Lately, I have been reflecting on the need to assess third-party risk and how other business sectors have mitigated this risk in the past. I have concluded the origin for this need is what economists call a “market failure.”

The first issue worth noting is that our need for third parties to guarantee the security of the goods and services that they provide us with is no different than our need for assurance that products we buy from an assembly line meet quality standards, or our need to trust that the food we buy from the grocery store is safe to eat. We are facing a trust issue.

We need to be able to trust that third parties are providing organizations with goods and services that meet the level of quality those organizations expect. Economists say that trust comes easiest when the market has perfect information, meaning that the consumer of a product or service can know its characteristics before purchasing it and can make a decision that considers all relevant factors.

But what happens when perfect information does not exist? Basically, markets need to develop alternative mechanisms to provide it. And here is where we can find a big difference in how other sectors have solved this market failure compared to the cybersecurity sector.

In other sectors, the answer has been accountability. If a car’s brakes fail under warranty, the vendor may be liable to replace them and could have to bear the costs associated with a car accident. Those who put a product on the market must take accountability for the behavior of their product in the case that it fails.

But what happens in the cybersecurity sector? Since we have failed to establish a system to measure the level of cybersecurity of a good (product or service), we have also given up on defining a system of responsibility and accountability for third parties. As a result, we must evaluate each product or service individually before using it, in the spirit of “trust, but verify.” Evaluating each good on a product-by-product basis, however, brings us closer to what economists predict for markets with imperfect information: market collapse. Because customers cannot verify that goods have the level of security they expect, they assume the goods have no security and refuse to pay a premium for it; as a consequence, vendors that do produce secure goods bear higher production costs they cannot recover and are expelled from the market.

Imagine for a minute that we are back in the time of the ancient Romans. Leaders may have had to designate a food taster to ensure that their food was not poisoned. That is essentially what we are doing today in cybersecurity. We cannot trust our vendors, so we must assess or audit each provider to check whether they are trying to sell us a product with a low level of security.

It is urgent that the cybersecurity market develop objective and transparent assessment mechanisms that allow customers to trust vendors. This would allow deceptive vendors to be expelled from the market instead of trustworthy ones.

Returning to the economic comparison, financial markets have used rating mechanisms for more than a century as a tool to preserve transparency. We should aim to emulate this mechanism in the cybersecurity sector, especially if no one is developing a different solution.

Antonio Ramos Garcia is founding partner and chief operating officer (COO) at LEET Security Rating Agency, Spain.