Let me start with a simple caveat: this will not be another blog or rant that seeks to bash Equifax, their executives, or their security team. I believe there is a certain degree of professional courtesy that people should be afforded in our industry and that includes not lambasting them in times of crisis.
Instead, I was thinking about this situation in the context of vendor risk management. The focus on managing risk associated with vendors or 3rd/4th parties continues to grow, as do the number of vendors who will offer you a “solution” to manage this risk.
As Senior Director of Security at Cylance, I wear both hats in this field: I am accountable to our teams and to our customers' inquiries about our company's security policies as they manage their vendor risk. Likewise, I also own the processes by which Cylance assesses the risk posed by our vendors, and a timely call from a salesperson at a vendor risk management company painted the current Equifax incident in a new light for me.
As I consider the different vendor risk management solutions available in the marketplace, they all seem to offer some combination of the following:
- Management and execution of an assessment questionnaire of your design for your organization
- Creation and execution of their own assessment methodology
- Factoring Open Source Intelligence about the company into the assessment
- Conducting scans of the vendor’s Internet presence
- Delivering a score resulting from the assessment process
- Delivering a portfolio of pre-existing assessments that can be accessed for vendors already in their system
- Management of the portfolio of risk that is associated with your vendors
I am left wondering how each of these processes would actually have fared with regard to the Equifax situation. As recently attested to by Equifax’s former CEO, the breach was the result of a human error where someone failed to adhere to a set process. To me, this means that any form of self-attestation or audit process most likely would not have detected the issues that left them vulnerable.
A quick search on Equifax reveals they do in fact have a SOC 2 Type II, as well as several other industry best practice certifications. Any vendor risk management approach that relies on adherence to industry certifications or best practices would most likely have failed in this case.
Passive scanning of their Internet presence may have found it, but that requires you to act upon notification. How would you take action to engage your vendor at this point, and what action does your contract with the vendor allow you to take? I am not confident even with notification that any company would have been able to mitigate these specific risks on their own.
Most companies follow some form of impact analysis which would need to be assessed against the risk. A question left for the reader: would your internal impact analysis of the unpatched flaw have outweighed the impact of severing your reliance upon Equifax? Without knowing about the breach, would such a recommendation stand up to business and executive muster?
The goal of this thought exercise was not to judge vendor management solutions too harshly, or to act as an endorsement of any solution. It is the realization that most of these solutions would fail to bring this kind of risk to light, and if one did, would it provide an actionable recourse?
This also calls into question the value we as an industry place on certifications such as the SOC 2 Type II, and other “snapshot” instantiations of adherence to best practices. They can set the bar for some bare minimum demonstration of adherence to good practices, but their value in assessing risk may be left wanting.
I fully expect that on paper and through evidence gathered, Equifax probably had a perfectly acceptable vulnerability management process. I imagine they will now be doubling down on that process to eliminate any possible single points of (human) failure.
But will that restore trust in them? Does a company like Equifax now not only need to seek to regain the trust of their customers and business partners, but now seek absolution with the cadre of vendor risk management vendors that already exist?
Will the industry pivot to focus more on vulnerability management processes in its vendor risk assessments, and will we soon see the questionnaires refined to address this issue?
It’s a Band-Aid approach to a bigger issue at best – how to have a sustained trust in your vendors. It also leaves me wondering if the approach to vendor risk management will actually provide the anticipated management of this risk that we as an industry assume it will, or if it is time to rethink the value of vendor risk management as the industry performs it entirely.
Thoughts?