How to Align Business Agility with Vendor Risk Management
By: Glen Singh
Cybersecurity Engineer, United Independent Petroleum Marketing Company Limited (UNIPET)
LINKAGE Q4 (2025) - HSSE 360: INNOVATION FOR RESILIENCE

As the world continues to evolve and businesses grow, many organisations continually face the situation of onboarding new vendors or working with existing ones, any of which has the potential to introduce cyber-risks into the organisation. While many companies try to adapt to speed-to-market performance, overlooking cyber-risks often leads to shortcomings in cybersecurity and a lack of due diligence. This article focuses on helping organisations reduce third-party cyber-risk by exploring industry frameworks and approaches for better managing and working with third-party vendors.

The challenge with third-party vendors

Imagine an organisation that never relied on another company to provide products or services and did everything in-house. It would need to specialise in many industries: mining to extract raw materials from the earth, construction to build new offices, telecommunications to set up network connectivity, and many more. Nowadays there are inter-organisational linkages and resource dependencies everywhere: not every organisation is able to acquire its own raw materials, build or develop its own software applications, establish long-distance network connections, or supply the labour to construct new offices. For instance, your organisation may be a large enterprise spanning multiple countries with many branch offices. To enable employees in remote offices to share and access corporate resources, it will require a Wide Area Network (WAN) solution from a Managed Service Provider (MSP) such as a local or regional telecommunications provider. Using a third-party vendor such as an MSP may reduce the cost of proactive monitoring and resolution of any issue.
While the in-house IT professionals can focus more on daily operations, the MSP focuses on ensuring the Managed WAN service is always functioning and available when needed, hence reducing downtime. Alternatively, your organisation can choose to set up a Site-to-Site Virtual Private Network (VPN) using the existing firewalls at its network edge, leveraging the skills and knowledge of its in-house IT team. However, if the VPN solution should become unavailable, the in-house IT team would be primarily responsible for resolving the issue, and if they are unable to resolve the problem due to limited knowledge, skills or experience, the affected branch locations will remain unavailable. Hence the need for a third-party service provider in this scenario.

Cyber-risks with third-party vendors

It's important to consider the various attack surfaces and vulnerabilities that exist within organisations and also within third-party vendors. For instance, many organisations are exploring and diversifying their business, undertaking a Business Transformation and introducing new business units such as DevOps (Developer + Operations). Many developers focus on speed to get a project ready for launch, and they often overlook software supply chain risk. Software supply chain risk is created by any dependency on open-source software packages, such as libraries and shared code repositories, used for software development. Threat actors such as cyber-criminals focus on injecting malicious code into these software components, an attack known as Trojanising. A developer who integrates a compromised software package into his or her application has introduced a new cyber-risk to anyone who uses it.

There are many Managed Service Providers (MSPs) and Cloud Service Providers (CSPs) around the world. However, those service providers also introduce another supply chain risk.
While many companies rely heavily on MSPs and CSPs, these providers are sometimes granted privileged access to the organisation's infrastructure. Cyber-criminals attempt an exploitation technique known as Island Hopping or Trust Exploitation, whereby a threat actor seeks to compromise the trust between the service provider and its customers. For instance, by compromising the technical integrity of the service provider's systems, the threat actor can gain unauthorised access to the customers' networks or systems. This technique does not target the customer's primary cyber defences but the trust relationship instead.

Let's not forget the Operational Technology (OT) and Internet of Things (IoT) supply chain, another high-risk area. Many organisations around the world rely on both OT and IoT systems because of the industries they operate in, and such systems introduce another type of supply chain risk in cybersecurity. There are many unpatched and misconfigured OT and IoT systems with direct internet access, which enable cyber-criminals to easily reach those systems from anywhere in the world. Threat actors have the capability to exploit those security vulnerabilities, gain access to the systems, and expand their foothold within an organisation's infrastructure.

Frameworks and approaches

There are many industry-recognised frameworks that can be leveraged and implemented within your organisation. For instance, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) uses a risk-based approach to cyber-risk management for identifying, protecting, detecting, and responding to cyber-attacks and threats. The NIST CSF can be adapted and integrated to help your organisation manage third-party risks and improve its overall security posture. The NIST CSF can be found at this link: https://www.nist.gov/cyberframework.
However, if you're more focused on adopting an International Organization for Standardization (ISO) framework, ISO 27036 (Information Security for Supplier Relationships) would be suitable for addressing third-party cyber-risks. This ISO standard focuses on helping organisations design their contractual agreements and overall risk management; for instance, it helps them ensure their third-party vendors meet industry-accepted security requirements through a lifecycle process. ISO 27036 can be found at this link: https://www.iso.org/standard/82905.html.

Some organisations may experience difficulties adopting these frameworks and standards, since the common one-size-fits-all approach does not always work for everyone. Therefore, organisations can consider moving towards a risk-based segmentation approach from the very beginning, when creating their strategic (long-term) plans. For instance, they can use a Tier-Based System that classifies service providers and vendors (third parties) by their inherent risk, using a data-sensitivity and criticality impact matrix or model. Additionally, they can leverage common trust artifacts such as industry certifications like PCI DSS, SOC 2, and so on, which provide a level of assurance. Ensure your vendors upload their certifications and attestation information to your vendor management portal, and use Third-Party Risk Management (TPRM) tools to help automate vendor selection and the identification of high-risk vendors. The following link provides Gartner Peer Insights for TPRM solutions and reviews: https://www.gartner.com/reviews/market/third-party-risk-management-technology-solutions.

Best practices for monitoring third parties

Monitoring third-party vendors for new cyber-risks is a common challenge. While a vendor may be secure today, tomorrow they may be vulnerable.
Both information security and cyber security professionals can leverage intelligence from Security Rating Platforms (SRPs). SRPs enable organisations to monitor the external attack surface of another organisation to identify security weaknesses. Such information can help you determine whether your third party is vulnerable to various types of cyber-attacks and threats, and whether they are working on resolving the issue or doing nothing about it. SRPs use a rating system that helps you classify each vendor from acceptable to unacceptable based on the intelligence from the tool. For instance, if a vendor moves into an unacceptable level or classification, that should trigger your organisation to perform a re-assessment of that vendor. The following link provides a list of IT vendor risk management solutions by Gartner: https://www.gartner.com/reviews/market/it-vendor-risk-management-solutions.

Let's not forget Cyber Threat Intelligence (CTI) and dark-web monitoring, which help organisations identify whether a third party or a fourth party was compromised and how such incidents can directly or indirectly affect your organisation. In such instances, your organisation should have a Third-Party Incident Response Plan and Procedure that is ready to be activated.

Lastly, continuously review vendor certifications for expiration. If a vendor no longer holds a valid or current industry licence/certification that meets your organisation's standards and requirements, consider performing a compliance audit. Additionally, consider updating your vendor contracts to include a contractual right-to-audit. This enables your organisation's audit team to review the security controls of a third party to ensure they are meeting the contract requirements.

As cyber-attacks and threats increase and become more sophisticated, it's essential to take proactive steps to manage third-party risk as part of your cyber security strategy.
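The tier-based classification and the monitoring triggers described above (SRP rating falling below an acceptable level, expired or missing certifications leading to a compliance audit) can be expressed as a small policy check. The following is an added example, not code from the article or from any TPRM product; the sensitivity and criticality scales, the tier thresholds, the rating floors and the sample vendors are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scales for the data-sensitivity / criticality impact matrix.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2}

# Assumed policy per tier: trust artifacts that must be current, and the
# lowest acceptable security rating before a re-assessment is triggered.
TIER_POLICY = {
    1: {"required": {"SOC 2"}, "min_rating": 700},
    2: {"required": set(), "min_rating": 600},
    3: {"required": set(), "min_rating": 500},
}

def vendor_tier(sensitivity, criticality):
    """Map a vendor onto tier 1 (highest inherent risk) to tier 3 (lowest)."""
    score = SENSITIVITY[sensitivity] + CRITICALITY[criticality]
    return 1 if score >= 4 else 2 if score >= 2 else 3

@dataclass
class Vendor:
    name: str
    sensitivity: str
    criticality: str
    certifications: dict  # artifact name -> expiry date from the vendor portal
    srp_rating: int       # latest score from the security rating platform

def review_actions(v, today_iso):
    """Return the follow-up actions the tiered policy requires on the given day."""
    today = date.fromisoformat(today_iso)
    policy = TIER_POLICY[vendor_tier(v.sensitivity, v.criticality)]
    actions = []
    # Expired artifacts give no assurance: flag them for a compliance audit.
    expired = sorted(c for c, exp in v.certifications.items() if exp < today)
    if expired:
        actions.append("compliance audit: expired " + ", ".join(expired))
    # Required artifacts that were never uploaded to the portal at all.
    missing = sorted(policy["required"] - set(v.certifications))
    if missing:
        actions.append("compliance audit: missing " + ", ".join(missing))
    # A rating below the tier floor should trigger a vendor re-assessment.
    if v.srp_rating < policy["min_rating"]:
        actions.append(f"re-assessment: rating {v.srp_rating} below floor {policy['min_rating']}")
    return actions

# Constructed sample vendors (not real organisations).
WAN_MSP = Vendor("Managed WAN MSP", "confidential", "high",
                 {"SOC 2": date(2025, 3, 31)}, 640)
PRINT_SHOP = Vendor("Print shop", "public", "low", {}, 520)
```

Running `review_actions(WAN_MSP, "2025-09-01")` places the WAN provider in tier 1 and returns both an audit action for the lapsed SOC 2 report and a re-assessment action for the low rating, while the tier 3 print shop returns no actions.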
It's important for your organisation to stay ahead of these cyber-risks while making cyber security a shared responsibility. Finally, organisations should consider embedding third-party risk management strategies into their governance model.

ABOUT THE AUTHOR

Glen Singh is the Cybersecurity Engineer at the United Independent Petroleum Marketing Company Limited (UNIPET).