Episode 3: Third-party Risk Management – Beyond the Questionnaire

Can a third-party risk management assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee, and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.

Better use of the third-party risk assessment questionnaire

Using the go-to “third-party risk assessment questionnaire” as a one-and-done exercise is an all-too-common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected – not just collecting it.

There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may apply to every vendor. But to assess a third party’s risk more accurately, it is important to customize the questions to match the vendor’s use case and scope. To help draft these kinds of inquiries, a company can start by asking:

  • Is the vendor in scope for what you are planning?
  • Is the assessment asking the right questions to align with the plan?
  • Is the questionnaire customized around the vendor’s use case for the relationship?
  • What data is being shared?
  • How is the vendor being categorized?

Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.

Beyond the questionnaire – communication is key

Responsibility for third-party risk management rests with both the company and the vendor. Clear, accurate, and truthful communication between the two parties ultimately makes both entities stronger.

For example, a proportionate approach may be sufficient for smaller vendors with fewer resources. An explanation of how they handle issues that may arise, and of any measures they have in place to counteract them, can be enough information to pass that part of the assessment.

Good communication should not be limited to the initial assessment; it should continue throughout the client-vendor relationship.

Building a stronger security ecosystem

The federal government helps create regulatory drivers, like national cybersecurity standards, as a foundation for companies to work from. And guidance like the CIS Controls provides a prioritized and prescriptive way to meet those standards. An organization can start its third-party risk management plan by adhering to those first. Compliance with these regulations is the first thing auditors would look for if there were an issue.

With the unavoidable shift to a more digital environment, a company may never meet a vendor in person or have the opportunity to review their security measures on premises. With that in mind, companies should take their plan one step further than meeting federal regulations and build a strong, communicative relationship with their third-party vendors. Terms, scope, and expectations should be aligned from the beginning so that everyone moves forward with the same approach. When both parties develop their risk management plan together, each in turn makes its own posture more secure.

This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.

The Atkinson 9

In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security:

  1. What is your favorite CIS Control?
    Ryan: Control 5
  2. What is your least favorite part of your profession?
    Ryan: The sense of unease of 90% prediction when everything is 100% unclear.
  3. Why do you like the cybersecurity industry?
    Ryan: It is a multilayered and evolving problem.
  4. Why don’t you like cybersecurity?
    Ryan: (laugh) Same answer as above.
  5. What source of data log do you love?
    Ryan: Cyber risk rating tools.
  6. Biggest waste of time in cybersecurity?
    Ryan: Trying to get 0% click rate on phishing testing.
  7. What profession other than your own would you like to attempt?
    Ryan: Writing a novel.
  8. What profession would you avoid?
    Ryan: Mathematician.
  9. At the end of your career, how would you like to be remembered?
    Ryan: That I helped a lot of people.

If only third-party risk management questionnaires were this simple!

Episode Resources: