MY TAKE: How digital technology and the rising gig economy are exacerbating third-party risks

By Byron V. Acohido

Accounting for third-party risks is now mandated by regulations — with teeth.


Just take a look at Europe’s GDPR, NYDFS’s cybersecurity requirements or even California’s newly minted Consumer Privacy Act.

What does this mean for company decision makers, going forward, especially as digital transformation and expansion of the gig economy deepens their reliance on subcontractors?

I had the chance at RSA 2019 to discuss that question with Catherine Allen, chairman and CEO of the Santa Fe Group, and Mike Jordan, senior director of Santa Fe’s Shared Assessments program.

Allen is a widely respected thought leader on this topic, having launched Shared Assessments in 2005 as an intel-sharing and training consortium focused on third-party risks. And Jordan has had a hands-on role working third-party risk issues for more than a decade.

To hear the full interview, please give the accompanying podcast a listen. Here are a few key takeaways.

Addressing third parties

Allen founded The Santa Fe Group in 1995 and established it as a leading consultancy specializing in emerging technologies. With subcontractors playing a rising role and third-party risk spanning so many complex fields of expertise, six big banks and the Big Four accounting/consulting firms tasked her with coming up with a standardized approach for assessing third-party vendor risk.

What emerged was a quasi-trade association – Shared Assessments. The founding participants developed assessment regimes and tools, all aimed at measuring and assessing third-party risks. It was a natural step to expand and evolve these protocols and tools, and to invite companies from other sectors to participate. Collaborating in advance on what matters in third-party risk lets organizations and their vendors reach agreement faster on what to do about those risks. With that out of the way, business can proceed with less risk.

Shared Assessments has since grown to over 280 corporate members; volunteers participate on working groups focused on everything from continuous monitoring to OT and IT issues stemming from outsourcing. Beyond their membership, hundreds more organizations purchase their tools, put their employees through their CTPRP and CTPRA certifications, and use their content through vendor risk management software.


“The idea was to be able to have a standardized approach to assessing third-party vendors,” Allen told me. “We do white papers and thought leadership at conferences. It’s membership and cross-industry driven.”

In an environment where a heating and ventilation subcontractor can pose an existential risk to a billion dollar retail chain – as infamously happened to Target – just knowing where to start assessing third party risk can be a challenge for any organization, Jordan told me.

“One of the biggest struggles is just understanding how big the problem is,” he said. “If you’re talking about tens of thousands of potential vendors that could present a risk to you.”

Keys to the kingdom


Getting baseline information on existing vendors is a good place to start, along with vetting new vendors as they come in. “By getting organizations together and having conversations about what is needed in order to secure an environment, then you can really start to understand what’s a reasonable posture to take around some of the issues that come up,” Jordan said. “And it’s not a static thing. The issues are changing all the time.”

Allen uses a broad definition for what constitutes a third party supplier. “Outsourcing can be viewed as your legal counsel, or your advertising agency, or anyone who holds or touches personal information or intellectual capital,” Allen said. “You also have different perspectives; you’ve got privacy concerns, security concerns, business continuity concerns.”

The Shared Assessments program, she said, aims to supply tools and best practices to “really look at where industries need to go from a third-party risk perspective.”

Jordan observed that the need for continuous monitoring and proactive managing of third-parties has never been greater.

“From an IT perspective, the digitization of a lot of business processes has really exponentially increased the need for third-party risk management,” Jordan said. “Now there’s so much concentration into the cloud that you really need to have a fantastic level of understanding and assurance of the vendors that you’re dealing with because, frankly, they have the keys to the kingdom.”

Escalating exposures

I asked Allen what lies ahead, and she came up with these notions:

Machine learning and AI. They’re, at once, a blessing and a bane, she said. Automation can help continuously monitor vendor touches, at scale, and detect system anomalies. On the other hand, establishing baselines in a dynamic, fast-changing environment is likely to be a huge challenge. “AI offers opportunities, but also problems in terms of trying to assess a particular device or a particular software program,” Allen observed.

Expansion of the gig economy. By 2030, 50 percent of employees are expected to be contract workers, Allen noted. Corporations covet the cost savings. But they may not be fully prepared for the complexities – and the fresh exposures – that are likely to arise from breaking work units down into manifold engagements divvied out to myriad individual contractors.

IoT ignorance. Most corporations today lack a cogent grasp of what devices are connected to their networks. Yet, subcontractors, moving forward, will engage from smart buildings and infrastructure increasingly reliant on IoT systems. “Those can be hacked and present ways to come into a system,” Allen told me.

OT and IT convergence. The operations and tech sides of the house will continue to merge. “On the operating side, whether it’s manufacturing or energy generation, or whatever, those folks are not security experts and they don’t have a connection with IT security people.” Hackers are already moving to take advantage. It remains to be seen how this exposure will be mitigated.

Quantum computing. Machines able to solve complex problems far beyond the capacity of classical computers are drawing closer. “Within the next five years we may have quantum computing. And once you have that, then you have the ability to reverse algorithms and unlock encryption. And so that’s going to result in another security concern and risk factor,” Allen noted.

I’m glad good people are aware of these complex issues and driving for a consensus to resolve. Clearly third-party risks aren’t going away any time soon — and are likely to escalate. Innovation has to keep pace. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
