5 Tips for CISOs About the Future of TPCRM
by Sarah Frazier
To quote Bob Dylan, "the times, they are a-changin'."
A decade ago, all eyes were on insider threats. Today, the number one challenge for CISOs is managing third-party vulnerabilities.
Research from Ponemon shows a whopping 63% of breaches originate from a third party. But despite our changing times and the rise in third-party cyber attacks, our approach to managing third-party cyber risk has largely stayed the same.
We gathered industry thought leaders Kelly White, Co-Founder and former CEO of RiskRecon, a Mastercard company; Levi Gundert, Senior Vice President of Global Intelligence and Customer Success, Recorded Future; and Fred Kneip, CEO of CyberGRX, to discuss the current state of third-party cyber risk management (TPCRM) as well as share words of wisdom for security practitioners.
1. Build a Trust Network and Ecosystem
Organizations increasingly depend on third-party tools and applications to run their businesses more efficiently and effectively. And with reliance comes risk. When a third party is compromised, the downstream effects can be devastating. So the first recommendation is for CISOs to build a trust network that gives them insight into their ecosystem.
"I really believe in the concept of a trust network. There has been resistance to actively projecting a trust profile, but this is a big problem on both sides. Organizations have a responsibility to be trustworthy and to prove that trustworthiness," said Kelly.
There's no time like the present: now is the time for the cybersecurity industry to adopt a trust network. Attack surfaces will only grow as third-party adoption increases, necessitating more visibility across a vendor portfolio.
"There is going to be a continuation of third-party expansion as the attack surface grows," commented Fred. "Third-party cyber risk management has historically been a one-off, but having a view of the ecosystem will be an inclusion moving forward."
Levi agreed and added, "There is an interconnected adoption of cloud and digital transformation that is critical to an organization's success. The events that have made headlines in recent years are all due to this interconnectedness."
All our panelists agreed it's important to understand the interconnectedness of data and the impact and downstream effects of third-party risks. However, this is a shift from traditional approaches, particularly when it comes to assessment data.
2. Abandon Bespoke Assessments
Custom assessments create massive inefficiencies: thousands of data points that need to be processed and analyzed. Who has time for that? With the shortage of cybersecurity talent and an increased volume of assessments, bespoke assessments are a train wreck in the making.
"We need a standard collection of data to be able to scale. CISOs who are still focused on point-in-time assessments are not getting it right. Those that think about third parties across the portfolio based on how they use data are starting to be more prevalent," noted Fred.
"We see a lot of companies' ability to operate paused due to ransomware. But our data also shows a correlation between cybersecurity hygiene and destructive ransomware events; organizations doing the right things are getting better outcomes," said Kelly.
So what is it that's driving positive results? "Data is enabling insights, and it's exciting to see the efforts pay off," he said.
And Kelly added, "There's not much value in legacy programs that are compliance driven, either. Some CISOs are struggling to innovate away from that. I see innovation in the companies that have just started to spin up TPCRM programs because they're starting from a modern approach."
In other words, ditch the bespoke assessments; they are not a scalable model and will bog down you and your team.
3. Leverage Machine Learning to Make Data Meaningful
Cybersecurity comes from humble beginnings and a baked-in mentality that assessments are essential to your success. And to be fair, they have a place and purpose, even today. However, many organizations focus on chasing the assessment and gathering the information, only to do nothing with the data received. As humans, it's impossible to process and make sense of so many data points. And this is where machine learning can be a CISO's BFF.
"Security starts with raw data," said Kelly. "But we need machine learning and analytics to make it meaningful," he continued. "The data points brought forward are indicators of vendor strengths and weaknesses. That's the advantage of working with a risk management platform like CyberGRX: you can look through your lens of risk and see where you need to focus your priorities."
Fred added, "You have to get back to basics. Companies are building programs and need to prioritize time and limited resources to know where the problems are. Then you can see the big picture and start in the right place to start solving."
Levi wrapped up the discussion on this topic by noting that CISOs struggle to differentiate between third parties and identify the ones that present the most risk. "Every analytic has value, but it's most important to know which ones are most meaningful to you," he said.
The bottom line: let machine learning do the grunt work so humans can focus their attention on analyzing the results and developing appropriate risk remediation strategies.
4. Educate Your Board
Evolving your TPCRM program requires buy-in and support from your board. Your board wants to know what you're doing to identify your risks and the steps you're taking to mitigate those vulnerabilities. Board education was a big discussion topic amongst our panelists.
"I think boards are increasingly trying to understand cybersecurity and where the risks lie. It used to be all about the number of assessments. What we need to help them do instead is understand this is the number of third parties, and this is how we classify each one in terms of the level of risk. As the breaches happen more frequently, our boards must understand this concept," stated Fred.
"Knowing how to address risk starts with the board. One risk approach is understanding risk in real-time. Some boards say they don't want that because they can't process and action the data, so they stick with the compliance approach. Really, the board should be asking whether we are managing risk in the right way instead of reinforcing the old way," said Levi.
Kelly added, "Information sharing is happening amongst board members. You should expect the board members to act similarly; CISOs should pay attention to the themes and topics boards address, especially third-party and supply-chain risk."
Overall, implementing a third-party cyber risk management program includes communicating the risks and needs, plus educating board members on your strategies for mitigating the exposure.
5. Now is the Time to Invest
All our panelists agreed that this is the moment for third-party risk management. The resistance is over, and the time is now. The headlines are filled with news of companies impacted by a breach. The costs and losses are growing; now is the time to evaluate legacy practices, get smarter, and invest in your TPCRM program. For those just starting, Fred advised, "Don't let perfection be the enemy of good. Third-party cyber risk management is a big problem, and it's time to deal with it. Prioritize what you can handle today vs. trying to devise a perfect program. Look at your resource efficiency and build toward a better program."
Because, as our panelists pointed out, the TPCRM problem will only grow.
Looking to up your TPCRM game? Effectively manage your cyber risk and reputation with CyberGRX. Discover how to protect your third-party digital ecosystem with a data-driven approach that provides complete portfolio visibility and predictive capabilities. Book your personalized demo now.