Page 64 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
It’s one thing to monitor the cyber control activity — and threats — for one organization. Outsourcing
drives cyber security monitoring to a new level, because suddenly it’s not just your own organization
you’re worried about. You have to be aware of the most critical threats for your third-party suppliers and
service providers as well because compromises there may affect you. A large company might have
40,000 suppliers, or more. Monitoring all of that is a tall order.
Enter Continuous Monitoring
Some third parties are directly connected to corporate networks, and some are not, but all increase your
cyber security exposure. Security Rating Services (SRS) have arisen recently to address this. Their solutions,
usually provided as Software-as-a-Service (SaaS), continually watch over the subscribing organization’s
cyber hygiene as well as that of a host of current and prospective third parties — examining events and
vulnerabilities and producing a rating from them. The offerings and ratings of SRS providers are similar, but
they vary in terminology, price and pricing models, the events they monitor, their alignment with external
security frameworks and standards, their customer interface, their data sources, their methods for gathering
and reporting information on cybersecurity control weaknesses, and in many other ways. Basically, they’re all
different. That diversity gives you a rich variety of choices but makes it difficult to compare services and
ensure that cyber hygiene monitoring aligns with your control requirements.
There is another and perhaps more subtle aspect to all this difference between organizations and the
providers they use. Every IT and cyber security manager must communicate upwards in the organization,
eventually all the way to the board of directors. Clarity in that communication affects funding, staffing,
and equipment as well as security per se.
What was needed was a lingua franca — a common language that describes the world of monitored
cyber threats. This would allow organizations to:
• Achieve a better understanding of how events monitored by SRS align with the outsourcer’s control requirements, and vice versa.
• Compare the services offered by several SRS providers.
• More easily communicate any issues identified by the SRS and develop mitigation approaches to correct them.
• Clearly communicate across the third-party risk management ecosystem, which helps boards and leadership teams evaluate cyber threats to the business and align appropriate resources. It is important to have a common terminology, especially when communicating to non-technical people. In an environment with global supply chains, this clear communication becomes even more important.
The lack of such a lingua franca — a consistent taxonomy of cybersecurity threats — has posed problems
for organizations, third parties, and SRS providers.