Third-party risk management and wilderness risk management have many similarities. One of the jobs of an effective wilderness exhibition leader is to continually evaluate the natural risks around them. Risk management in the backcountry requires an awareness of terrain, water, trees, weather, wildlife hazards, and the tools at one’s disposal to mitigate these risks. Items in the backcountry are not risks in themselves but carry only a likelihood of risk. The true impact of this risk is based on your interaction with the element. A river in itself carries no risk at all. We can look at its water volume, speed, rocky hazards, and temperature to assist us in determining the likelihood of risk. A true inherent risk analysis depends on one’s interaction with the river. Are you looking at it from afar? Are you camping next to it? Are you swimming in it or maybe ferrying equipment across it? Without applying your interaction with the river and its likelihood of risk one can never fully create a risk exposure analysis. The same is true with third parties.
Many companies try to determine the risk that their third party presents by only looking at the third party. Like the river, a third party presents no risk at all if you don’t interact with them. It is only through your interaction with them that the impact of the third party is able to become a significant exposure of risk to you. A strong, fast river poses very little risk to you if you don’t enter it. A third party that provides you with cloud storage can present very little risk to you if all you store on their cloud are insignificant documents with no Personal Identifiable Information (PII).
The same river presents a very different risk profile if you are swimming across it. The same cloud storage vendor presents a significant impact and higher risk exposure if they are storing your confidential Intellectual Property (IP) on their cloud. The same third party has very different risk profiles based on interaction.
Many companies perform a static assessment of their third parties without taking into account the criticality of interaction. CyberGRX computes impact through eight measurements of the interaction between the customer and the third party. Eight questions that combined take less than a minute to answer identifies the level and criticality of interaction across the asset stack in Business Process, People, Digital Identities, Applications, Data, Devices, Networks, and Facilities. This data, when combined with data on industry, location, attack surface and an outside-in hygiene scan, can identify third parties with a significant inherent exposure risk.
Third parties with a high-risk exposure can then be further evaluated with a fully validated risk assessment looking at maturity and effectiveness of strength, coverage, and timeliness across 105 controls and 226 sub-controls mapped directly to kill chain use cases. What’s more, these comprehensive assessments live dynamically in the Exchange, allowing third parties to update their assessment data as there are changes to their security measures – enabling their partners to know exactly what’s happening across their ecosystem in real-time.
There are some rivers that require a sturdy bridge to safely cross. An analysis containing interaction is an essential component of any third-party risk management program.
DIRECTOR OF EXCHANGE SERVICES