Since the inception of third-party risk management (TPRM) as a risk management discipline, its orientation and focus have been overwhelmingly external facing. Well-known TPRM guidance such as OCC Bulletin 2013-29 talks extensively about “outsourcing” rather than “conducting the activity in-house.” Most TPRM software tools claim to scrape the dark corners of the internet to analyze your third parties and their externally facing risk posture.
But what if the greatest threat to your organization was created by a third-party, and it wasn’t external?
What if the greatest threat to your organization is already sitting on your internal network and is an explicitly trusted entity, or piece of software? How does your third-party risk management program account for those types of risks?
These types of critical third-party risks are ignored by the profession at large, and we must turn the spotlight back inward to get TPRM programs back on track.
The Inattentional Blindness Effect
The inattentional blindness effect is a phenomenon of invisibility through normal operation of the human mind and limitations of our focus. It’s the failure to see something that is fully visible right in front of us because our attention is fully engaged elsewhere.
There is no better demonstration of this phenomenon than the “Invisible Gorilla” experiment, one of the best-known experiments in psychology. Christopher Chabris and Daniel Simons had test subjects watch a video of two teams of three people, one team in white shirts and one in black, each passing a basketball among themselves. The subjects were asked to watch closely and count the number of passes made by the players in white.
While the subjects concentrated on counting passes, a person in a gorilla suit walked through the middle of the scene, thumped its chest and walked off.
The startling finding: about half of the viewers counted the passes correctly but completely missed the gorilla that walked directly through the picture. When shown the video again, they were shocked to discover that they had been blind to it.
The experiment shows that we miss a great deal of what happens around us, even when it is in plain sight, and we don’t know that we are missing it.
Identifying the Third-Party Gorilla
Knowing, they say, is half the battle. Now that we know about the blind spots that our mind creates, we can move forward with eyes wide open.
Within the realm of third-party risk management, we must ask ourselves: what big risks are right in front of us that we are blind to?
Great third-party risk programs are built on the assumption that risk management processes are designed commensurate with the level of complexity and potential business impact that an organization faces. In other words, third parties that handle critical activities or services for an organization require more oversight and due diligence than less significant third parties.
So what makes a third party more or less significant? Better yet, what counts as a third party at your organization?
Most guidance and best practice for third-party risk focuses on services and functions that a vendor performs on its own systems and infrastructure. What about third-party software or hardware that the business relies on for critical functions and that is implicitly trusted to operate inside your network? Such software and hardware is often given a pass, or not even considered part of the third-party risk management program.
Most organizations’ TPRM risk classification procedures focus on data: the number of records shared with an external third party, where the data is stored, who gets access to it, and so on. Yet third-party software, whether custom developed or commercial off-the-shelf (COTS), is rarely considered when organizations take their third-party inventory.
180° Turn, Challenging Your Field of View
Any modern TPRM program must account for internal use of and reliance on third-party software, services and hardware as part of its risk classification process.
Many vital industries (such as banking and healthcare) rely on third-party software and hardware for their most mission-critical business functions, so it is striking that third-party software, for example, is hardly given a second thought.
In the software world, external signals are flashing bright red, calling our attention to risks we cannot ignore. Two prominent examples:
SolarWinds Orion: A popular network management platform that helps operate the core infrastructure of thousands of enterprises. In 2020 its build process was compromised, and a backdoored Orion update signed by the vendor was delivered to customers, giving the attackers a trusted foothold inside networks across the globe.
Log4j: A ubiquitous Java-based logging library embedded in more software than we can imagine. In December 2021 a critical remote code execution flaw in it (Log4Shell, CVE-2021-44228) was disclosed and actively exploited against thousands of organizations, many of which did not know they were running it.
Both examples show why we cannot ignore the risk that third-party software introduces into an environment. A network management tool like Orion is trusted by design: it holds privileged credentials and reaches every part of the network, so a compromised update inherits that trust. And Log4j was so widely embedded in commercial applications that many organizations had no idea it was running in their environment.
Sound third-party risk principles likely would not have prevented either incident, but they could have limited the impact: knowing which systems hold that kind of trust, and which applications carry that library, is what turns a week of scrambling into a morning of patching.
We Can Manage Risk, Not Eliminate It
Now that we better understand ourselves, our potential TPRM blind spots, and how attackers take advantage of them, we can improve our practices and move forward.
Our job as risk managers is to lower the likelihood and impact of risky events, but we cannot eliminate them. The best we can do is use the information we have to continually improve. Knowing how these threats operate, we can start asking good questions and gathering the information that helps us get a handle on them.
Here are five things you can do today to better evaluate your internal third-party risk:
Hunt and Diagnose:
Work with internal business partners and key stakeholders to identify the internal systems that would present the greatest risk if they turned against you, as SolarWinds Orion and Log4j did: trusted software with broad network reach, privileged credentials, or a presence in many applications.
Read the Label:
Ask your critical third-party software providers for a Software Bill of Materials (SBOM) for the tools they provide you. An SBOM is a machine-readable list of ingredients, the components, their versions and their suppliers, that make up the software you have purchased and run in your network. SPDX and CycloneDX are the two common formats; asking for one of them means you can search the list rather than read it.
Identify the Open Source:
Apply the SBOM method to internally developed applications and systems. Challenge your development teams to generate SBOMs for their own builds and list every third-party code component, including the transitive dependencies pulled in by the ones they chose.
Watch the Sausage Get Made:
Use frameworks such as the Vendor Building Security In Maturity Model (vBSIMM) or the OWASP Application Security Verification Standard (ASVS) to evaluate security before, during and after the build process of any critical third-party software run in-house. vBSIMM assesses the vendor’s software security practices; ASVS gives you a checklist of security requirements to verify in the delivered application.
Place Zero Trust:
Never trust; always verify. Even for software that operates in the deepest parts of your network, make sure the way it authenticates and the accounts it uses are scoped to least privilege, challenged at every access, and never implicitly trusted. Monitor its outbound connections too: a backdoored update still has to talk to its operator.
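To make the two SBOM steps above concrete, here is an added example that is not from the original article and not any vendor’s tooling. It reads a CycloneDX JSON SBOM, builds an inventory of every component including nested (transitive) ones, and checks each against a watchlist of component/version ranges, flagging components that carry no version at all rather than silently skipping them. The SBOM and the watchlist are constructed for this example; the `log4j-core` entry uses the publicly documented affected range for CVE-2021-44228 (2.0-beta9 through 2.14.1), while `widget-sdk` and its advisory reference are invented for illustration. Versions are ordered by a small comparator written here rather than a full semver library.

```python
import json
import re

# Constructed CycloneDX 1.4 JSON SBOM; not from any real product.
# "ticketing-portal" nests log4j-core as a transitive dependency, which is
# exactly the case that catches organizations unaware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "ticketing-portal", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.example", "name": "widget-sdk",
         "version": "1.0-rc2"},
        {"type": "library", "name": "unversioned-blob"},   # version missing
    ],
})

# Constructed watchlist: (group, name, min_inclusive, max_inclusive, reference).
# log4j-core uses the published CVE-2021-44228 range; widget-sdk is invented.
WATCHLIST = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1", "CVE-2021-44228"),
    ("com.example", "widget-sdk", "1.0-rc1", "1.0-rc3", "example-advisory (constructed)"),
]

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.
    Numeric parts are padded to three places; a pre-release tag sorts
    below the final release of the same number (2.0-beta9 < 2.0)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)
    return nums + pre


def walk_components(components, parent=None):
    """Yield (component, parent_name) for every component, descending into
    nested 'components' so transitive dependencies are inventoried too."""
    for comp in components or []:
        yield comp, parent
        yield from walk_components(comp.get("components"), comp.get("name"))


def inventory(sbom_text):
    """Map 'group:name' -> sorted list of versions found anywhere in the SBOM.
    A missing version is recorded as None so it can be chased up, not ignored."""
    sbom = json.loads(sbom_text)
    inv = {}
    for comp, _parent in walk_components(sbom.get("components")):
        key = "%s:%s" % (comp.get("group", ""), comp["name"])
        inv.setdefault(key, set()).add(comp.get("version"))
    return {k: sorted(v, key=lambda x: (x is None, x or "")) for k, v in inv.items()}


def find_hits(sbom_text, watchlist=WATCHLIST):
    """Return one finding per component instance whose version falls inside a
    watchlist range, plus one per component that has no version to assess."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp, parent in walk_components(sbom.get("components")):
        group, name, version = comp.get("group", ""), comp["name"], comp.get("version")
        if version is None:
            hits.append({"component": name, "version": None, "via": parent,
                         "reason": "no version in SBOM; cannot assess"})
            continue
        for w_group, w_name, lo, hi, ref in watchlist:
            if (w_group, w_name) != (group, name):
                continue
            if parse_version(lo) <= parse_version(version) <= parse_version(hi):
                hits.append({"component": name, "version": version, "via": parent,
                             "reason": ref})
    return hits


if __name__ == "__main__":
    for key, versions in sorted(inventory(SAMPLE_SBOM).items()):
        print("%-45s %s" % (key, versions))
    for h in find_hits(SAMPLE_SBOM):
        print("FLAG %s %s (via %s): %s" % (h["component"], h["version"], h["via"], h["reason"]))
```

Run against the constructed SBOM, the inventory shows two different `log4j-core` versions in one product, and the findings flag the vulnerable 2.14.1 copy together with the application that nests it, the invented `widget-sdk` pre-release, and the component that shipped with no version. In practice the watchlist would be fed from a vulnerability source such as NVD or OSV, and the “via” field is what tells you which business system to go and talk to.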
The Bottom Line
It’s easy to get comfortable in our usual activities and manage TPRM risk the same way year after year. But when we get comfortable, someone else finds a way to exploit it.
We have to be vigilant in our approach, regularly challenging ourselves to seek out and eliminate blind spots in our TPRM field of vision, and keep leveling up our third-party risk programs.
And because I know you were waiting for it, here's the full video on selective attention: