{"id":5556,"date":"2025-10-28T07:00:00","date_gmt":"2025-10-28T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5556"},"modified":"2025-10-28T07:00:00","modified_gmt":"2025-10-28T07:00:00","slug":"do-cisos-need-to-rethink-service-provider-risk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5556","title":{"rendered":"Do CISOs need to rethink service provider risk?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Nearly half (47%) of organizations reported a cyberattack or data breach involving a third party accessing their network in the 12 months to mid-2025, according to an Imprivata and Ponemon <a href=\"https:\/\/www.imprivata.com\/2025-ponemon-report\">report<\/a>. As organizations increasingly rely on service providers to help manage critical systems and security operations \u2013 from cloud infrastructure and data platforms to managed security and AI services \u2013 the risk of exposure also grows.<\/p>\n<p>Security leaders face mounting pressure from boards to provide assurance about <a href=\"https:\/\/www.csoonline.com\/article\/4002765\/third-party-risk-management-is-broken-but-not-beyond-repair.html\">third-party risks<\/a>, while service provider vetting processes are becoming more onerous \u2014 a growing burden for both CISOs and their providers. 
At the same time, AI is becoming integrated into more business systems and processes, opening new risks.<\/p>\n<p>CISOs may need to rethink their vetting processes to keep the focus on risk reduction while treating partnerships with providers as a shared responsibility.<\/p>\n<h2 class=\"wp-block-heading\">Why vetting service providers is growing more complex<\/h2>\n<p>Managed service providers (MSPs) augment internal resources, deliver cost savings, provide round-the-clock coverage and fill specialist gaps. More than half of organizations (52%) turn to MSPs when their number of security tools becomes unmanageable and 51% rely on them to evolve their cybersecurity strategy as they grow, according to <a href=\"https:\/\/www.barracuda.com\/reports\/msp-customer-insight-report-2025\">Barracuda\u2019s<\/a> MSP Customer Insight Report 2025.<\/p>\n<p>Naturally, such critical reliance requires comprehensive vetting processes.<\/p>\n<p>Christina Cruz, director of cybersecurity at media investment company Advance, describes a comprehensive process that covers industry frameworks, GRC checks, privacy, data protection, incident response, business continuity and disaster recovery plans. It must establish who is in the provider\u2019s leadership and whether there is a dedicated cybersecurity function, and it must examine the provider\u2019s risk assessments, security controls, software development lifecycle, vulnerability management, resiliency, service-level agreements and other contractual obligations.<\/p>\n<p>\u201cIt\u2019s a very extensive framework we use \u2014 and those are only the high-level categories,\u201d she says.<\/p>\n<p>The services outsourced are also becoming more complex, from security operations centers to threat hunting and <a href=\"https:\/\/www.csoonline.com\/article\/649714\/incident-response-lessons-learned-from-the-russian-attack-on-viasat.html\">incident response<\/a>. 
Data management engagements now also stretch from designing and architecting systems through to day-to-day operations.<\/p>\n<p>\u201cThis can include data warehousing, monitoring and reporting, security metrics and providing tuning for applications,\u201d she says.<\/p>\n<p>A recent project ran on a six-month timeline for consulting on, designing and managing a Snowflake environment, which included risk assessments, legal negotiations, project management and the transition to a steady state. \u201cPerforming and evaluating a risk assessment and validating they can meet the technical requirements, going through the contractual agreement, and moving into the implementation phase and steady state was a very big lift,\u201d she tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Should risk assessment be about questionnaires or conversation?<\/h2>\n<p>David Stockdale, director of cybersecurity at the University of Queensland (UQ), needs service providers to understand the make-up and complexity of a higher education institution.<\/p>\n<p>\u201cBecause of the size and research intensity of the university, we tend to build a lot in-house. Where we do use service providers, it\u2019s usually for specific layers on top of our own services,\u201d he says. \u201cResearchers have different requirements to corporate or teaching units, so a cookie-cutter approach doesn\u2019t work. The providers we work with have to understand that and be willing to adapt.\u201d<\/p>\n<p>Risk evaluation is embedded across UQ\u2019s procurement and governance processes for all third parties, and it passes through multiple layers of governance. \u201cRisk evaluations for third parties are consolidated up into the cyber risks, which are then consolidated up into IT risks, and then into university-wide risks. 
Every three months we review the whole of UQ\u2019s risk register, with a summary going to the board quarterly.\u201d<\/p>\n<p>When looking to engage a service provider, his vetting process starts with building relationships and then works towards a formal partnership and delivery of services. He believes dialogue helps establish trust and transparency and underpins the partnership approach.<\/p>\n<p>\u201cA lot of that is ironed out in that really undocumented process. You build up those relationships first, and then the transactional piece comes after that.\u201d<\/p>\n<p>Stockdale says the evaluation cycle must stay flexible to allow for emerging risks. He stresses that effective vetting depends on realism and partnership. \u201cI\u2019m a great believer in putting yourself in the other person\u2019s shoes,\u201d he says. \u201cIf you were in their position, would you share that information or allow that audit? Probably not. So, it\u2019s about building a relationship where there\u2019s trust, openness, and a lot more to-ing and fro-ing of information.\u201d<\/p>\n<p>From the vendor\u2019s side, partnership is equally critical and guides formal assurance and shared responsibility around managing risk. Fred Thiele, CISO at Interactive, says that assurance depends on more than just the data gathered in questionnaires; it also needs the engagement that follows. He encourages CISOs to use the vetting process to open a dialogue about shared risk and ongoing improvement, not just to tick boxes.<\/p>\n<p>\u201cIf your questions stop once the form is complete, you\u2019ve missed the chance to understand how a partner really thinks about security,\u201d Thiele says. \u201cYou learn a lot more from how they explain their risk decisions than from a yes\/no tick box.\u201d<\/p>\n<p>Transparency and collaboration are at the heart of stronger partnerships. 
\u201cYou can\u2019t outsource accountability, but you can become mature in how you manage shared responsibility,\u201d Thiele says.<\/p>\n<h2 class=\"wp-block-heading\">Questions that can guide CISOs in the vetting process<\/h2>\n<p>Thiele believes many enterprises have built elaborate risk frameworks that satisfy auditors but struggle to turn them into meaningful assurance.<\/p>\n<p>He cautions against a growing \u201ccottage industry\u201d of third-party risk tools and compliance templates that create paperwork rather than partnership. \u201cThey drive behavioral change over time, but how much they actually improve posture is questionable.\u201d<\/p>\n<p>In his experience, vetting practices reveal as much about an organization\u2019s maturity as they do about a provider\u2019s security posture. Thiele\u2019s list of suggested questions can help CISOs get a handle on service provider security at the vetting stage:<\/p>\n<p>Leadership and accountability: Who is accountable for cybersecurity, where do they report, and how often do they report to the executive or board?<\/p>\n<p>Framework and standards for cybersecurity policy: Do you align with recognized frameworks, and how do you validate your alignment? Have you performed a SOC audit and, if so, to what level?<\/p>\n<p>Risk management: How do you identify, assess, and prioritize cyber risks in your environment?<\/p>\n<p>Data protection: How do you protect customer data at rest, in transit, and in use?<\/p>\n<p>Access control: How do you ensure only authorized people can access your systems and customer data?<\/p>\n<p>Incident response: What is your process for a cyber incident that impacts customers, and how quickly do you notify impacted parties?<\/p>\n<p>Third-party risk: How do you assess the security of your own suppliers and partners?<\/p>\n<p>Testing and assurance: Do you regularly test your security posture? 
Please answer yes or no for each of the following and share high-level results if possible: penetration testing, crisis management exercises, IT general controls, SOC1\/SOC2.<\/p>\n<p>Training: What training regime is in place for ensuring your employees stay current on cyber threats and how to prevent them?<\/p>\n<p>Continuous improvement: What was your biggest security improvement in the past 12 months, and what is planned for the next 12?<\/p>\n<p>\u201cI really like the first, second, and last because they show whether the leadership is engaged, the frameworks are real, and the organization is actually improving,\u201d Thiele says.<\/p>\n<h2 class=\"wp-block-heading\">How far is too far for transparency?<\/h2>\n<p>What happens when organizations want access to sensitive information such as pen test results or vulnerability reports? Negotiations typically happen with an NDA in place, but there are still limits, and transparency and trust can take negotiation from both sides.<\/p>\n<p>For Thiele, a request to view the enterprise risk register is likely to get a \u2018no\u2019, while a request to review pen test results at a high level is more likely to get a \u2018yes\u2019. \u201cWe\u2019re happy to give you a summary, but not the detailed findings. It\u2019s not that we\u2019re hiding anything \u2014 it\u2019s that the less detail that\u2019s out there, the better,\u201d Thiele tells CSO.<\/p>\n<p>When a prospective customer asks for reports and detailed assessments running to 200-plus questions, the value of the contract needs to justify the time and effort of fulfilling them. \u201cWe\u2019ve started to put bounds around it,\u201d he says. \u201cIf it\u2019s a multimillion-dollar engagement, sure. But if it\u2019s small, we\u2019ll point them to our online portal instead.\u201d<\/p>\n<p>Stockdale, having once accepted assurances at face value, now asks for solid evidence. 
In practice, UQ\u2019s cybersecurity team now prefers standards-based assurance as part of its due diligence. In the past, they\u2019ve asked for pen test results and sometimes been refused. \u201cSo we tend to go for that more standards-based approach \u2014 ISO 27001, SOC 2 \u2014 as part of our third-party risk assessment.\u201d<\/p>\n<p>Scope matters with such attestations: an ISO 27001 certificate covers only the scope stated on it, and a SOC 2 Type II report attests to how controls operated over a review period, whereas a Type I report describes control design at a single point in time. Checking that the certified or audited scope actually covers the service being bought is part of the evidence, not a formality.<\/p>\n<h2 class=\"wp-block-heading\">AI adds risk \u2014 and new ways to assess it<\/h2>\n<p>AI is another area where organizations are increasingly engaging service providers, and it presents a paradox for risk assessments. On the one hand, it has the potential to automate parts of the process, save time and identify gaps or other issues. On the other, AI is spreading into more tools and services, expanding the risk surface for organizations. Security teams are having to adapt, and quickly, to take account of generative AI.<\/p>\n<p>\u201cWe\u2019re now very focused on evaluating any potential partner for the use of generative AI and it\u2019s a new category that\u2019s been added to our evaluation,\u201d Cruz says.<\/p>\n<p>Cruz has also started to track vendors acquiring ISO 42001 certification for AI governance. \u201cIt\u2019s a trend I\u2019m seeing in some of the work that we\u2019re doing,\u201d she says.<\/p>\n<p>Cruz says a steering committee handles big-picture oversight while a working group develops recommendations and handles more of the hands-on execution. \u201cDepending on the recommendations coming out of that group, we update specific areas in our program to incorporate the requirements needed to govern the use of AI and also protect the organization\u2019s data. The important point is that it takes a cross-functional group within an organization to build out what\u2019s needed and what should be evaluated and reported on,\u201d Cruz adds.<\/p>\n<p>Thiele says generative AI can help organizations research and verify prospective partners. 
\u201cWith Gen AI, you can surface a lot of what\u2019s already in the public domain \u2014 certifications, breach disclosures, even employee profiles \u2014 and use that to check whether what you\u2019re being told actually holds up,\u201d he says.<\/p>\n<p>The same technology that creates risk can also improve visibility, helping CISOs cut through generic assurances and spot inconsistencies before contracts are signed. Anything a model surfaces should still be checked against the primary source, such as the issuing body\u2019s register for a certification or the original breach notice, because generative models can misattribute or invent details. \u201cIt\u2019s there to enhance the conversation, not replace it,\u201d he adds.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Nearly half (47%) of organizations reported a cyberattack or data breach involving a third party accessing their network in the 12 months to mid-2025, according to an Imprivata and Ponemon report. As organizations increasingly rely on service providers to help manage critical systems and security operations \u2013 from cloud infrastructure and data platforms to managed security and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5557,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5556","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5556"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5556"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5556\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=
\/wp\/v2\/media\/5557"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5556"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5556"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}