Ask the CISO: TPCRM 101

by Dave Stapleton

CyberGRX CISO and TPCRM expert, Dave Stapleton, sat down to discuss the basics of TPCRM, what it takes to build an accurate, streamlined solution step-by-step, how to overcome common challenges, and much more. Here’s a highlight of the Q&A:

Q: Why is third-party cyber risk management (TPCRM) important?

A: Third party risk is a real and ubiquitous concern. Reliance on third parties is at an all-time high, which places responsibility on organizations to manage the risk associated with their vendors. According to a recent Ponemon study, organizations now use nearly 6000 third-party vendors. Furthermore, over 60% of all cyber breaches can be linked to a third party – and the average cost is over $8 million to remediate. You can’t be cyber secure without managing your third-party cyber risk.

Q: Why is implementing a TPCRM program still so complicated? How can you implement a more modern approach?

A: It’s a complex problem that requires a modern solution. There are a number of tools out there, but you rarely get a 360-degree view of your cyber risk posture with any one of them. In fact, the results of the Ponemon study mentioned above showed that slightly more than half of respondents used assessments, while 35 percent use security ratings, 29 percent use risk exchanges, and 15 percent of respondents say they use all these solutions. Having said that, only 28 percent say the tools and solutions are somewhat effective while 25 percent say they’re not effective at all. That's potentially a lot of resources being wasted.

Despite the complexity of establishing a third-party cyber risk management program, we believe that organizations can achieve success by taking it step by step to make sure they don’t bite off more than they can chew and to ensure that they aren’t overlooking any vital elements of their program. We’ve also learned that even organizations who have a third-party risk management program in place often have room for significant improvement. Employing automation, standardization, and taking advantage of crowdsourced data are all ways to further optimize your program.

Q: What are the biggest roadblocks you’ve faced when revamping a TPCRM program? What effective strategies have you used to overcome these roadblocks?

A: There are many roadblocks associated with conducting risk management, including resource intensity, subjectivity, and the risk of human error. One potential way to address these issues is through automation. For example, consider whether your processes include repetitive tasks. These are often good candidates for automation, whether it’s sending the same types of emails over and over, monitoring and alerting on the status of assessments, or creating executive briefings. In order to automate a process you will need to make a decision about the triggers for action and what the expected outputs should be. This decision-making process should limit the future effects of human subjectivity and human error as well.

Here’s a scenario that’s sure to frustrate risk managers. You’re given a list of 50 potential new vendors to evaluate and the business manager wants your risk-based opinion as soon as possible. In order to speed things up she’s already asked each of the 50 to submit whatever security or risk-focused documentation they have. So now you’ve got eight SOC 2 reports, a customized SIG questionnaire, twelve ISO certificates...the list goes on. How the heck are you supposed to use this information to accurately compare and contrast the potential risks posed by each of these vendors? It isn’t impossible, but you’re definitely going to need a lot of coffee before the task is completed. Standardization across your risk assessment procedures, assessed controls, and risk analysis output is key to ensuring efficiency and consistency of your program.

Another point to consider is how best to leverage information that is readily available rather than feeling you need to develop it all on your own. This concept of information sharing has been around in cybersecurity circles for years. One obvious example is the exchange of threat intelligence information. An exchange of risk data can improve the speed with which assessments are completed, reduce costs (assuming a cost sharing scenario), and allow your organization to do more with less.

Q: CyberGRX leverages an exchange model. Can you tell me how it came to be, and what’s so special about it?

A: When the founders of CyberGRX created this company, they wanted to do away with static spreadsheets and create a faster, more accurate and cost-effective approach to TPCRM. Frankly, they were tired of having to complete seemingly endless security assessments, or having to deal with tedious manual processes to obtain the third party risk information they needed. With the help of a set of prestigious design partners they developed a modern solution that benefits both organizations and their third parties through the use of a risk exchange model.

Our Exchange houses assessments that live in the cloud, are continuously updated, and collect dynamic data on gaps in third parties’ ecosystems. In addition, we apply real-time threat intelligence, custom kill chains, and proprietary analytics to provide users with validated risk data – not just a yes/no compliance check. Because our solution is built on our own software, we are also able to automate tasks that would otherwise require our customers to spend hours of valuable time per assessment. The automation and standardization of the CyberGRX Exchange enables our customers to scale up significantly, conducting more assessments and receiving more actionable data, using fewer resources.