Missing Third Parties in IT Operations

I believe that a discussion of “third party risk” is useful in the context of privacy and security in electronic commerce and social media. To fully understand the debate, it is good to look into the current ideas about “third party risk” in so far as these appear in the Security practice.

IT manuals usually describe how the Security of an organisation can be put at risk by third parties (*), for example technology vendors and service providers. Under the term of “third party risk management” IT specialists understand those processes that control third parties to “reduce” the associated risk.

In this context, the conventional focus is on “understanding” how third parties may affect the organisation, and enabling it to set rules and compliance targets so that the third parties know what is expected from them. As the conventional approach goes, not having such oversight processes would count against the “first party” organisation as a failure to manage its Security position.

In the Financial Sector, for example, third parties are institutions performing functions on behalf of the financial operator (the “first party”), including those providing access to products and services outside of the financial institution. Governments require “third party risk” monitoring and assessment of their financial condition, the adequacy and adherence to policies and controls, regulatory compliance, etc.

In comparison, in the IT industry we see a peculiar definition of third party risk, superficially similar to that of the Financial Sector but unique in its interpretation.

While in the Financial Sector third party risk is the risk “of” the third party, for example the fact that the third party may have a problematic financial position, and risk is rooted in the third party organisation itself, in the IT industry the “third party” is seen as a “source” of risk, and listed at a par with other “risks” like “unauthorised access” and “data theft.”

Consequently, in the IT world, the management of such risks becomes something akin to “vendor management” and similar to managing any external organisations whose operation may affect the IT services of the first party.

There is a particular ambiguity in seeing threats that arise from lack of security policies and processes on the side of suppliers and service providers, as well as from the lack of oversight and control over those third parties. Indeed, there is a shift from the intrinsic risk arising from engaging those external services (as it is from adopting the technologies provided by those external services) to the risk of “not having” some form of oversight of those services.

I noticed this shift of meaning when observing that IT risk catalogues list “third party risk” alongside “cloud computing risk” and similar factors. These listings are problematic, because we either see third party risk as rooted in third party operations themselves (including the technologies they operate) or as risk arising from the first party not having processes or rules to oversee and control other organisations.

My contention if that having or not having organisational processes to oversee or manage other parties in IT operations is an assurance problem, and not a risk-management problem, simply because other parties´ intrinsic risk level is not inherited by the first party as if it were a substance that moves from one organisation to the other.

In any case “third party risk” is not and should not be seen in the light of “managing the third party” and should not become some form of “vendor management,” but must instead be seen as an information assurance process, i.e. a management information process over the status of third party contracts and contract execution.

Risks associated with third party service adoption (including Cloud computing, outsourcing and internet technologies) are intrinsic risks that depend on management decisions to adopt those services and technologies. Hence, the range of those risks actually depends on the range of the assurance processes put around them. There are no pre-existing risks for the enterprise prior to the adoption of those services and solutions.

Nevertheless, too frequently IT departments classify these risks as if these could be measured outside of an assurance process, for example as if something like “Cloud Computing Risk” existed at all, alongside “Insider Mishandling,” “Unauthorised Access” and other potential sources of loss. Starting from that dubious arrangement, IT departments proceed to “estimate” risks, cataloguing some as “likely,” others as “very likely” and others as “rare.”

If we default to the typical IT approach, we will fail to see that third party risk can have a completely different definition, which is not rare in other industries, for example in Aviation, where it means instead the risk incurred by clients, users, passengers and individuals and society in general, i.e. the parties who can be affected by failure or accident caused by business operations. In the Air Transportation Industry third party risk is usually described in terms of two concepts: Individual Risk and Societal Risk, where “Individual Risk” is the annual risk of death or serious injury to which specific individuals are exposed.

Comparatively, is it not the case that while adopting a peculiar definition of third party risk, IT programmes are unable to understand and make provisions for damages to their clients, consumers and users derived from a security breach? In the same way, supplier and partner operations have intrinsic risk, is it not the case that our operations are also an intrinsic risk for them?

It is very difficult to find a comprehensive third party risk concept in the IT sector, one that included the users and partners in its scope. Perhaps the closest we come to this type of understanding is when we discuss “data protection and privacy” but even then this is not seen as a responsibility towards third parties, but as “regulatory compliance” problem. Conceptually then, many IT risk managers operate in a vacuum in respect to the users and consumers of their services, and too many assume as a default that it is them (the IT operators) who “own” the data of their users and those organisations who collaborate with them.

This is the case also in Europe, although in the majority of countries there constitutions and laws establish that the individual person owns personal information over and above the data processor or IT operator. Equally so, it is partners and collaborating entities who have legal responsibility over the data they collect even if we (the “first party”) process the data and use it for business purposes.

We are therefore in a situation where, outside of the IT industry, generally, risk is something you take, and assurance is something you give, while in the IT world, risk is something you “avoid” and assurance is something that you don´t know about. It is always “others” (e.g. third parties or users) who are sources of risk and threats, and we never consider our operations as a threat for anybody.

This shows the immaturity of the IT market, the lingering novelty and the ideological allure of “information technology;” but this is also a situation which cannot last forever and needs to be addressed by recognising that besides the partners and suppliers of the organisation, there are other “third parties” in IT operations and business models, the consumers and users, the partners, and in general the common citizens and individuals of the world.

———-

(*) For a common definition of third party risk see:  ISO27001/ISO 27002, 4th Edition,