Assuring that third parties with access to systems and/or information do not pose a risk to the business is a major challenge for most organizations, but there are ways to assess the level of cybersecurity that a vendor provides. According to the Organisation for Economic Cooperation and Development (OECD), "significant information asymmetries often prevent end-users, in particular mainstream users such as SMEs [small- and medium-sized enterprises] and consumers, to make informed decisions about the products they purchase."1 This is a clear example of moral hazard, an economic phenomenon defined by US economist and The New York Times columnist Paul Krugman in 2008 as "[A]ny situation in which one person makes the decision about how much risk to take, while someone else bears the cost if things go badly."2 In my opinion, this is what happens to many users of third-party services: the provider decides how much to invest in security, and the customer bears the cost when an incident occurs. Customers are unable to make informed decisions about risk because, although they know what the potential impact would be, they cannot judge whether the risk is likely to be realized without information about the security controls the service provider has implemented.
So, anyone who wants to make better decisions about risk when dealing with third-party services must address the information asymmetry that the OECD identifies as the source of the problem. The best way to tackle this issue is transparency, particularly about the one piece of information that is missing: which security controls the service provider has implemented.
There are five mechanisms that can help address this issue:
- Questionnaires—Are easy to send but difficult to master. They require significant administrative effort, and the information gathered is self-reported, so it is less reliable unless supporting evidence is requested and checked (e.g., the Standardized Information Gathering [SIG] questionnaire).
- Audits—Provide highly accurate assessments of security posture but can be costly. Reusing the results for different customers is also challenging, because the audit report contains the auditor's opinion on whether control objectives were met but typically leaves out detailed definitions of the controls themselves (e.g., System and Organization Controls [SOC] 2 reports). Customers therefore must read the report in detail, including any exceptions the auditor noted, and analyze all conclusions to understand the provider's actual degree of cybersecurity. Another important detail is that the report refers to a specific point in time (a SOC 2 Type I report) or a specific period (a SOC 2 Type II report), so customers must implement a mechanism to ensure that the report's conclusions are still current, for example by requesting a bridge letter covering the gap between the end of the audit period and the present.
- Certifications—Include a label that simplifies communication for the service provider. However, the verification requirements are defined for specific use cases, so what is verified may or may not be relevant to the customer: the requirements may be more or less demanding than what the customer needs, because the appropriate level of security depends on the level of risk or impact an incident would pose to that customer (e.g., Payment Card Industry Data Security Standard [PCI DSS], International Organization for Standardization/International Electrotechnical Commission [ISO/IEC] 27001). The scope of the certification and the assurance framework behind it also matter (e.g., a management system certification such as ISO/IEC 27001 is quite different from a product certification scheme, and a certificate whose scope covers one site or service says nothing about the others).
- External ratings—Are easy to adopt because customers simply pay to obtain the ratings of their service providers. The main problem is that the information is partial: only what can be observed from outside without the vendor's authorization (e.g., exposed services, DNS and TLS configuration, leaked credentials) is measured, so the conclusion is biased toward external hygiene and says little about internal controls. Typically, a score between 0 and 1000 is used to represent a vendor's security posture; the rating is recalculated automatically and continuously, so customers can see both the current rating and how it has evolved over time.
- Improved ratings—Are similar to external, continuously updated ratings but evaluate the cybersecurity capabilities of each service the provider offers, with one rating per service.3 The provider receives a label it can use to show which security controls it has implemented. Another difference from external ratings is that the criteria used to calculate the rating are public and transparent. These ratings typically use levels based on categories (e.g., A+, A, B) rather than numbers (e.g., Pinakes).
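As an added example (not part of the original article), the following Python sketch implements the kind of mechanism the audit and rating items above call for on the customer side: an inventory of assurance artifacts per vendor, checked for currency (audit period or bridge-letter age, certificate expiry, rating refresh) and for whether the artifact's stated scope covers the service the customer actually consumes. The evidence kinds, age thresholds, vendor names, scopes and dates are assumptions constructed for illustration, not values from the article, from any rating agency or from any assurance framework.

```python
"""Evidence-currency and scope check for third-party assurance artifacts (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Maximum acceptable age per evidence kind. These thresholds are assumptions for
# this example; a real program would set them from its own risk appetite.
MAX_AGE = {
    "soc2_type2": timedelta(days=365),    # period end (or bridge letter) within 12 months
    "questionnaire": timedelta(days=365),  # self-attestation refreshed at least yearly
    "rating": timedelta(days=30),          # a "continuous" rating should refresh monthly
}


@dataclass
class Evidence:
    vendor: str
    kind: str                   # soc2_type2 | soc2_type1 | iso27001 | questionnaire | rating
    scope: str                  # services/systems the artifact itself says it covers
    as_of: date                 # audit period end, certificate issue, questionnaire or rating date
    expires: Optional[date] = None           # certificate expiry (ISO/IEC 27001)
    bridge_letter_to: Optional[date] = None  # SOC 2 bridge (gap) letter extending coverage


def check(ev: Evidence, service: str, today: date) -> List[str]:
    """Return findings for one artifact; an empty list means current and in scope."""
    findings: List[str] = []
    # Crude scope test: the service we consume must be named in the artifact's scope
    # statement. Real scope statements need a human read; substring match is a simplification.
    if service.lower() not in ev.scope.lower():
        findings.append(f"scope: '{ev.scope}' does not mention '{service}'")
    if ev.kind == "soc2_type1":
        # A Type I report is a point-in-time design assessment, not operating effectiveness.
        findings.append("point-in-time: SOC 2 Type I gives no assurance over an operating period")
    elif ev.kind == "iso27001":
        if ev.expires is None or ev.expires < today:
            findings.append("expired: certificate past its expiry date or expiry unknown")
    elif ev.kind in MAX_AGE:
        # A bridge letter moves the effective "current to" date forward for a SOC 2 Type II.
        effective = ev.bridge_letter_to or ev.as_of
        age = today - effective
        if age > MAX_AGE[ev.kind]:
            findings.append(f"stale: {ev.kind} current to {effective}, {age.days} days ago")
    else:
        findings.append(f"unknown evidence kind {ev.kind!r}")
    return findings


def vendor_status(evidence: List[Evidence], service: str, today: date) -> Dict[str, str]:
    """Map vendor -> 'covered' if at least one artifact is current and in scope, else 'gap'."""
    status: Dict[str, str] = {}
    for ev in evidence:
        if not check(ev, service, today):
            status[ev.vendor] = "covered"
        else:
            status.setdefault(ev.vendor, "gap")
    return status


# Constructed sample inventory (hypothetical vendors, scopes and dates).
TODAY = date(2024, 3, 1)
SERVICE = "object storage"
SAMPLE_EVIDENCE = [
    Evidence("acme-cloud", "soc2_type2", "Object storage and compute platform",
             as_of=date(2023, 6, 30), bridge_letter_to=date(2023, 12, 31)),
    Evidence("beta-payroll", "iso27001", "Beta HQ information security management system",
             as_of=date(2020, 11, 15), expires=date(2023, 11, 15)),
    Evidence("gamma-cdn", "rating", "gamma.example external attack surface",
             as_of=date(2024, 1, 10)),
    Evidence("gamma-cdn", "soc2_type1", "Gamma object storage edge service",
             as_of=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVIDENCE:
        print(ev.vendor, ev.kind, check(ev, SERVICE, TODAY) or "ok")
    print(vendor_status(SAMPLE_EVIDENCE, SERVICE, TODAY))
```

In the sample, only acme-cloud is covered: its Type II period ended more than a year ago, but the bridge letter carries coverage to 61 days before the check date. The other two vendors each hold artifacts that are expired, stale, point-in-time or out of scope, which is exactly the situation the report-period caveat above warns about.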
To learn more about the security level of third-party service providers, consider improved ratings. They provide greater transparency and a comprehensive cybersecurity evaluation, are updated continuously, and let customers clearly understand the security controls their vendors have implemented.
Endnotes
1 Organisation for Economic Cooperation and Development (OECD), Understanding the Digital Security of Products: An In-Depth Analysis, OECD Publishing, France, 2021
2 Krugman, P.; The Return of Depression Economics and the Crisis of 2008, W.W. Norton & Company, USA, 2008
3 Leet Security, Pinakes Audit and Certification
Antonio Ramos
Is the founder and chief executive officer (CEO) of LEET Security, a cybersecurity rating agency, and has been a member of ISACA’s Madrid (Spain) Chapter Board since 2010. He is also a member of the Spanish Forum for National Cybersecurity and the Stakeholder Cybersecurity Certification Group (SCCG), assessing the European Commission’s implementation of the EU Cybersecurity Act.