Third party risk management has never been easy for government. The problem is volume; there are just too many third parties to manage. And now, due to COVID, the employees of those third parties aren’t even on the same network anymore. They’re all working from home, which further complicates matters, because humans are the primary attack vector for any bad actors. So how can they make any progress?
“This is really where technology comes into play,” said Chris Murphey, senior product manager at Galvanize. “The only scalable way to truly cover and monitor all the third parties that you outsource to—or rely on to provide your services outward—is to scale with technology. We find that it makes people around 40% to 50% more efficient in being able to cover that ground. So you’ve got to apply some sort of technology to the people and processes.”
But the adoption of technology is not exactly something government does easily, either. Agencies essentially have two options. First, they could have software purpose-built for them, own it, and plan for a high level of internal management. Or second, they could buy something off the shelf that already meets compliance requirements, such as FedRAMP authorization or Impact Level 5 certification for cloud-based software.
“It has become a boiling point where it’s no longer an option to just continue to do the same thing,” said Albert Nieves, managing director, Federal Government Practice at Galvanize. “A lot of agencies are recognizing this, and many are adopting different kinds of technology. It’ll be interesting to see how that evolves over the next six months to one year. And if it doesn’t evolve there will be some serious challenges for those agencies.”
While the pandemic has not yet instigated a change in how agencies are handling third party risk management, it’s definitely revealed the vulnerability. That’s got industry working to get those authorizations and make it into the marketplace as quickly as possible. Agencies, meanwhile, are beginning to consider just what they might want from a partner in the software-as-a-service space.
Murphey said there are a few things agencies might want to look for from a partnership like this:
A vendor should be there for the long term.
It should have experience in the field.
It should recognize that every agency has unique requirements, and that copy-and-paste solutions won’t work.
This flexibility is key.
“We actually did something really creative in the last 12 months,” Murphey said. “We took a piece of technology that we consider legacy, because it’s deployed in an on-premises manner, and we brought it back to life to reoffer it to one of our government agencies, because a portion of what they needed to do needed to live on their premises. While we’re not really supporting on-premises type deployments — the future is cloud and being nimble — we were able to hybrid that into what our primary offering is. So I think we’re coming up with creative ways to help our agencies as they’re navigating that transition in a digital transformation.”
Federal vendors must meet a certain level of readiness from technical, privacy and security perspectives. That becomes even more important as cyber insurance becomes more common.
“There’s a natural dovetail from third party risk into the exposures that happen that bring you into a breach scenario, then post-event and then a claim scenario with your insurer. Cyber insurance has been really paying out at a high clip,” Murphey said. “We’re seeing a very strong need to manage third parties to a deeper and broader level. You’re going to be expected to do that because of the pressures on your exposures and your threat of attack factors for your payouts.”
Ransomware is a major threat that’s been increasingly showing up through third parties, according to Murphey. Not only do federal agencies have to be careful about avoiding it, but third parties have to be careful about how they handle it. If a vendor is considering paying out on a ransomware attack, it may need to research the agency it works for and determine whether the ransomware attacker is an excluded party. If so, the vendor could actually lose its contract for conducting business with the wrong people.
To avoid this kind of situation, third party risk management software should incorporate automation and machine learning to help agencies make data-driven decisions and more reliably mitigate their risk.
“How do we create a more scalable approach so that government can do more and be more nimble?” Nieves asked. “How do you do things faster, better, and get deeper insights into data? It’s really leaning on that data, leaning on the workflows and being able to drive the organization forward to evolve it.”