If a product can help you evaluate third-party IT risk, it’s not a huge stretch to imagine that same product could help you assess the security risk of your subsidiaries. But many of the chief information security officers (CISOs) we talk to who have tried to apply a security ratings service to the challenge of monitoring their subsidiaries’ security tell us this approach really hasn’t worked for them. Here’s why:
There’s a big difference between your level of responsibility for a subsidiary owned by your parent company and for a third party you are considering doing business with.
Network connections with either can introduce your organization to risk, of course, but you can’t just walk away from the security issues of your subsidiaries the way you can from an independent vendor. Ultimately your organization has the responsibility for addressing the IT risks in your subsidiaries. Thus, you’re not just looking to score the level of risk at your subsidiaries, you are looking to remediate and manage issues.
Deep security expertise must be built into your subsidiary risk management approach.
That expertise should help you prioritize the many exposures identified and guide subsidiary teams to remediate those exposures quickly. The lack of useful remediation guidance in security ratings products is perhaps the biggest complaint we hear from CISOs who have tried unsuccessfully to use a security ratings service to manage their subsidiary or corporate risk and are now looking for a better way to do it. A product that is built for managing subsidiary risk should be able to identify:
- which attack surface assets in the subsidiary are most critical to protect
- which assets will be most desirable to attackers
- which paths into the attack surface attackers are most likely to exploit
- precisely how and where subsidiary security teams can remediate any identified attack vectors
Many corporate IT security teams oversee subsidiary risk but do not have hands-on engagement. CISOs tell us that they prefer being able to identify the highest priority risks at their subsidiaries and then offer the subsidiary security teams detailed remediation guidance about how and where to eliminate those risks. That increases the effectiveness and efficiency of all their security teams and improves their overall security.
Managing subsidiary risk is a matter of both scale and frequency.
Many organizations grow by acquisition, so their attack surfaces are ever expanding, which presents additional overload for already over-burdened and finite corporate security teams. A product that is purpose-built for managing subsidiaries should include efficiencies that scale, with a process that works for one subsidiary — or a thousand.
CISOs want an overall view of their security posture as an organization/conglomerate, as well as the detailed risk view of each subsidiary and the ability to track and report on the same. And monitoring subsidiary risk has to be an ongoing process that can easily absorb oversight of new subsidiaries and the ever-changing attack surfaces of each of them without substantial additional overhead.