Rethinking Service Provider Risk: A Wake-Up Call for CISOs
As organizations increasingly rely on service providers to manage critical systems and security operations, their exposure grows with that reliance. According to Imprivata and Ponemon's report, nearly half (47%) of organizations reported a cyberattack or data breach involving a third party accessing their network in the 12 months to mid-2025.
In this article, we'll delve into the complexities of service provider risk assessment and mitigation strategies for CISOs. We'll explore why vetting service providers is growing more complex, the importance of building relationships, and how AI adds new risks and new ways to assess them.
Why Vetting Service Providers Is Growing More Complex
Managed service providers (MSPs) help augment internal resources, achieve cost savings, provide round-the-clock coverage, and fill specialist gaps. However, as reliance on MSPs increases, comprehensive vetting processes become essential.
Christina Cruz, director of cybersecurity at Advance, describes a thorough process that includes industry frameworks, GRC checks, privacy, data protection, incident response, business continuity, and disaster recovery plans. This extensive framework is crucial in identifying potential risks and ensuring the service provider meets the organization's security standards.
Should Risk Assessment Be About Questionnaires or Conversation?
David Stockdale, director of cybersecurity at the University of Queensland (UQ), emphasizes the importance of building relationships with service providers. He believes that risk evaluation should be about conversation rather than questionnaires. "You build up those relationships first, and then the transactional piece comes after that."
Fred Thiele, Interactive CISO, agrees that open dialogue is essential in understanding a provider's security posture. He encourages CISOs to use the vetting process to open a dialogue about shared risk and ongoing improvement.
Questions That Can Guide CISOs in the Vetting Process
Thiele suggests asking questions like:
- Leadership and accountability: Who is accountable for cybersecurity, where do they report, and how often to the executive or board?
- Framework and standards for cybersecurity policy: Do you align with recognized frameworks and how do you validate your alignment? Have you performed a SOC audit and if so, to what level?
- Risk management: How do you identify, assess, and prioritize cyber risks in your environment?
- Data protection: How do you protect customer data at rest, in transit, and in use?
These questions can help guide CISOs through the vetting process, ensuring that service providers meet the organization's security standards.
How Far Is Too Far for Transparency?
What happens when organizations want access to sensitive information such as pen test results or vulnerability reports? Negotiations typically happen with an NDA in place, but there are still limits. For Thiele, a request to view the enterprise risk register may get a 'no', while a request to review pen test results at a high level is more likely to get a 'yes'.
AI Adds Risk — and New Ways to Assess It
AI is another area where organizations are increasingly engaging with service providers. On the one hand, it has the potential to automate parts of the vetting process, save time, and identify gaps or other issues. At the same time, AI is spreading into more tools and services, expanding the risk surface for organizations.
Cruz says a steering committee handles big-picture oversight and a working group develops recommendations and more of the hands-on execution. "Depending on the recommendations coming out of that group, we update specific areas in our program to incorporate the requirements needed to govern the use of AI and also protect the organization's data."
Thiele agrees that generative AI can assist organizations to research and verify prospective partners. With Gen AI, you can surface a lot of what's already in the public domain — certifications, breach disclosures, even employee profiles — and use that to check whether what you're being told actually holds up.
In conclusion, CISOs must rethink service provider risk by adopting a comprehensive approach that combines relationship building, open dialogue, and rigorous vetting. By asking the right questions, leveraging AI, and prioritizing transparency, organizations can reduce the risks associated with service providers and better protect their data and systems.