Three years ago, T-Mobile customers had their sensitive personal data exposed. As you will recall, the large wireless carrier outsourced the task of processing credit applications to a third party. When this third party experienced (or maybe we should say Experian-ced) a serious cyber breach, fifteen million T-Mobile users were crap-out-of-luck. What happened next, however, has always seemed to me like a cleverly arranged PR camouflage.
John Legere, T-Mobile’s brash un-CEO, blamed the whole thing on Experian. In a letter to customers, Legere referred to the incident as “Experian’s hack.” I found this odd, because every CISO knows that third-party security is their own responsibility. A later article in the New Yorker more accurately referred to the incident as the “T-Mobile/Experian hack”. (T-Mobile later offered Experian-powered identity protection as compensation.)
Anyway, I was thinking about this crazy third-party security incident while chatting this week with Fred Kneip, CEO of Denver-based CyberGRX. Fred was kind enough to take me through the underlying design and operation of the third-party cyber risk platform that his team supports commercially. He was also willing to share his insights into this important aspect of enterprise cyber security management. Here is what I learned:
"Much of the market is resource-challenged with vendor ecosystems growing faster than their resources,” explained Kneip. “This makes it tough to perform third-party cyber risk assessments and to identify cyber risk. Meanwhile, third parties are inundated with numerous assessment requests each year. Both sides need a solution that will scale with their needs while enabling them to identify, prioritize, and collaborate on their collective risks.”
He continued: “What we do at CyberGRX involves uniting third parties and their customers, thus arming both sides with dynamic data and advanced analytics. Our solution provides massive efficiencies and cost savings to both sides while enabling third parties to complete one, high-fidelity dynamic assessment - validated by Deloitte - and to then share it with multiple customers.”
Like most framework tools, the CyberGRX platform includes a questionnaire, but Kneip emphasized the layers of added intelligence and expert support built into his process. “We not only support multiple tiers of data collection, which allows for customers to share only the information required for a given engagement, but we also work with the consulting experts from Deloitte to provide a much deeper analysis of the data collected.”
Involving expert consultants to probe more deeply into collected data appealed to my cyber security instincts, but I asked Kneip whether this would result in too much work for third parties. “The idea is to complete a proper assessment once for a third party,” Kneip said, “so that we can then support them as a data provider with many different business partners. This actually saves time and energy for everyone.”
We went through the structure of the data collection process for the CyberGRX platform, and it appeared thorough, with one hundred security controls expanding into twice as many sub-controls. The CyberGRX scoring process can be viewed as creating a “vector” of coverage percentages, which Kneip explained is a more accurate depiction of risk than a simple numeric score.
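To make the vector-versus-scalar point concrete, here is a small illustrative model written for this post. It is not CyberGRX's scoring code, and the control catalogue, sub-control names and the two vendors' questionnaire answers are all constructed for the example. It shows how two suppliers that collapse to the same single number can have very different coverage vectors, and how the vector immediately exposes where the gaps are.

```python
# Illustrative "vector of coverage percentages" for third-party risk scoring.
# Not CyberGRX's actual scoring method: control names, sub-controls and vendor
# answers are constructed for this example.
from statistics import mean

# Constructed control catalogue: each control expands into sub-controls.
# (The real platform has on the order of 100 controls and twice as many
# sub-controls; four are enough to show the idea.)
CONTROLS = {
    "access_control":  ["mfa_for_admins", "least_privilege_reviews"],
    "vuln_management": ["monthly_scanning", "patch_sla_tracked"],
    "logging":         ["central_log_store", "alert_on_auth_failures"],
    "vendor_mgmt":     ["subcontractor_inventory", "fourth_party_assessments"],
}


def coverage_vector(answers):
    """Return {control: fraction of its sub-controls reported as in place}.

    `answers` maps sub-control name -> bool. A sub-control that was not
    answered counts as not in place, so an incomplete questionnaire lowers
    coverage instead of silently inflating it.
    """
    return {
        control: sum(answers.get(sc, False) for sc in subs) / len(subs)
        for control, subs in CONTROLS.items()
    }


def scalar_score(vector):
    """Collapse the vector into one number (unweighted mean of coverage)."""
    return mean(vector.values())


def weakest_controls(vector, threshold=0.5):
    """Controls whose coverage is below `threshold`, worst first."""
    below = [c for c, v in vector.items() if v < threshold]
    return sorted(below, key=lambda c: vector[c])


# Constructed answers for two hypothetical suppliers. Each has 4 of 8
# sub-controls in place, but distributed very differently.
VENDOR_A = {  # half of every control implemented
    "mfa_for_admins": True,  "least_privilege_reviews": False,
    "monthly_scanning": True, "patch_sla_tracked": False,
    "central_log_store": True, "alert_on_auth_failures": False,
    "subcontractor_inventory": True, "fourth_party_assessments": False,
}
VENDOR_B = {  # two controls complete, two controls entirely missing
    "mfa_for_admins": True,  "least_privilege_reviews": True,
    "monthly_scanning": True, "patch_sla_tracked": True,
    "central_log_store": False, "alert_on_auth_failures": False,
    # vendor_mgmt sub-controls left unanswered on purpose
}


if __name__ == "__main__":
    for name, answers in (("A", VENDOR_A), ("B", VENDOR_B)):
        vec = coverage_vector(answers)
        print(f"vendor {name}: scalar={scalar_score(vec):.2f} vector={vec}")
        print(f"  controls below 50%: {weakest_controls(vec)}")
```

Both suppliers score 0.50 as a single number, which would rank them as equivalent. The vector shows that vendor B has no logging and no oversight of its own subcontractors at all, which is exactly the kind of gap a reviewer would want to see before deciding what data to share with them.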
An important consideration that we discussed about the platform is the gravity of protecting access to the information being collected. Third parties going through this process are obviously subjected to questions about highly sensitive aspects of their protection methods. “Third parties own their own data,” Kneip said, “and only they can control and authorize who has access to the analytic results that our platform produces for them.”
Skeptical observers might ask – and this applies to all third-party security risk assessment platforms – why a standard NIST-based evaluation is not just done, and this is a reasonable question. It’s been my own experience, however, that much of NIST can be set aside to streamline the risk process for suppliers. Instead, a more compact set of questions and associated analytics can minimize the work and maximize the benefit.
I would bet that you – dear reader – consider third-party security risk to be one of the greatest challenges to your own career progression. So, please do yourself a favor and schedule some time to speak with Fred Kneip and his fine team at CyberGRX. I can hardly think of a topic deserving of more time and attention from enterprise security teams. It is the most likely area in which companies can fall victim to data exfiltration.
And who knows . . . maybe if the infamous un-CEO of T-Mobile had taken the proper time to really dig into his own third-party security risk, then perhaps fifteen million of his customers might have been spared a serious data breach.