On Governance is a new series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.

Should you outsource information security risk management to better govern and manage third-party information security risk? 

Cybersecurity crosses all lines of business and all support functions within a business regardless of vertical industry placement.  Most business functions use an information system, digital device, or network service to produce their product or deliver and support their services.  Increasingly, third parties are being used to shape and deliver these end-to-end value propositions; outsourcing is no longer just about cost reduction.  

Almost 75 percent of respondents in Deloitte’s 2016 Third Party Governance and Risk Management Survey indicated that their third-party partners would play a highly important or critical role in their businesses, up from 60 percent in 2015. As the extended enterprise continues its expansion, third party ecosystem partners create a new and very complex information security risk environment. 

In a business environment where the weakest link in an ecosystem can jeopardize the entire community, effectively governing and managing third party risk takes on greater importance.  Complexity, business continuity, transparency and an extended attack surface are just some of the new challenges facing third-party information security risk governance and management.  When your company can be attacked through a vulnerability in a business partner’s environment, how risk is identified and mitigated takes on an exponential level of complexity.  As companies become more dependent on their partners for delivery of their entire value proposition, risk probabilities and impacts can change dramatically.      

While having a third party manage information security risk to better manage third-party information security risk may sound like a paradox, rethinking assumptions and perspectives in a volatile business and risk environment is always a best practice.

With so much at stake around information security, does it make sense to have a third party manage information security risk? No board wants to hear that their customer list or IP has been stolen as a result of a security breach, but the consensus is that a breach is more a matter of when, not if for most organizations. The financial, reputational and legal risks of these breaches play out in the daily news headlines and given the growing systemic complexity of the extended enterprise, is a third party now the best option to mitigate the overall information security risk landscape?        

The decision to outsource is no longer driven by a desire to leverage cost arbitrage.  It involves a thorough understanding of the business risks and all relevant trade-offs.   For example, a CIO of a large bank in Europe commented that he could not replicate what a managed information security service provider could do in terms of continuous monitoring and real-time views into emerging global threats and the ability to react to them.  Real-time monitoring, a rapid response capability and the ability to understand as broad of a risk environment as possible are critical value drivers in today’s information security world.  

Additional advantages and disadvantages to consider include:

Threat intelligence

Trying to establish a threat management capability is difficult for even the best organizations.  Most managed service organizations provide a threat intelligence service that correlates, evaluates and analyzes the threat landscape and provides real-time reporting to their clients.  This function is essential for a high-performing information security function because preventing attacks is always a more efficient approach than reacting to an attack or widespread breach.

Systemic Global Risk

Using a third party allows a client to leverage the provider’s customer base, threat intelligence, and correlation capability to identify attack vectors and provide the client with a valuable early warning capability. Hackers find and hack the weakest link, and they move quickly. Bad actors start somewhere across the globe, and the right third party partner can leverage their global view and have visibility into these attacks early in the attack sequence. They can then advise their clients of impending threats well in advance of a threat being made on their client’s landscape. This helps all companies and is a unique advantage that a third party can bring.

Short- and Long-Term Costs

While cost synergies can remain, the short- and long-term nature of costs and their related benefits needs to be re-examined.  Repurposing or reducing labor costs and streamlining the application landscape and costs are often early wins.  Functions such as 24-hour security operations and Security Information and Event Management (SIEM) can usually leverage a third-party vendor’s economies of scale and scope.  

A board member of a large conglomerate in the Philippines recognized that the conglomerate’s companies were struggling to attract and retain talent to operate an effective security program and needed to look to a large reliable partner to provide the right talent to make their approach sustainable.

Third-party information security vendors can usually provide cost advantages in onboarding, protecting and assessing assets during M&A. Moreover, there may also be advantages in testing the current controls and systems prior to closing the deal.  Post-acquisition bad news can have a significant impact on deal valuation as has been seen recently. 

C-Suite and Board Transparency

Near real-time monitoring and reporting is often a hallmark of third-party providers in information security.  Key metrics reflected in easy-to-consume dashboard reporting structures can greatly simplify, educate and reassure a board. Digital success starts in the boardroom, and a board that comprehends this increasingly complex environment is a key part of effectively governing it.    

Risk Reduction

Perceptions are strong that in-house security can naturally be provided that is better than what a third party can provide.  However, in the age of the rapid fire, global attack landscape, the right third-party information security partner might be the only way to adequately address the scope and speed of the global risk environment in a cost-effective manner.  This is one functional area where third parties may actually become the most viable choice because of these global issues, the expansion of the extended enterprise, their scale and their unique position in the marketplace.   

Directors can start to understand this issue by asking the following questions:

• Have we performed a third-party risk assessment, and have we prioritized the risks identified?
• How do we coordinate and work with all of our third parties to raise awareness and manage and monitor collective risk?
• What outbound risks do we present to our ecosystem partners as one of their third-party suppliers?  What are we liable for, is this insurable and how do we mitigate this risk?
• What metrics do we track in this area? 
• Have we assessed the relative risk based advantages that an information security managed services provider could bring to this issue? 

Conclusion

Cybersecurity risk is a key business issue that most boards, executives and companies are continuing to struggle with.  Protiviti’s research report Executive Perspectives on Top Risks in 2018 lists the speed of disruptions and technology innovations along with cyber threats as two of the top three risks that directors and executives are concerned with as the year begins.

Deloitte estimates that companies that excel at third party risk management outperform their peers by an additional 4 to 5 percent of return on equity. It would seem risk and return increasingly runs through third-party ecosystems.  Ironically, having a third-party manage information security risk might offer the most effective way to manage the pervasive and complex nature of third-party information security risk.  

The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.