The ONE Thing All Modern Third-Party Cyber Risk Management Programs Do

At CyberGRX, we’re fortunate to engage with the brightest minds in the third party cyber risk industry.  In addition to our Design Partners – ADP, Aetna, Blackstone, MassMutual and two other F500 companies, our customer base is comprised of innovative enterprises across the globe.  And while they come from many different industries, they share a thirst for modern approaches to solving difficult challenges at scale.

Reducing third party cyber risk is without a doubt, a difficult challenge.  The thought of gaining visibility into hundreds or thousands of third parties’ security posture is daunting.  Scenario: A new cyber attack is causing disruption. Which of my third parties could be affected? How will a third party breach impact our data?  Our supply chain? Our intellectual property? Which vendors need my attention based on inherent and residual risk?

Our customers are not working to automate legacy third party programs based on technologies ill equipped for the rising challenge. They demand a transformational approach that materially moves the needle in terms of reducing costs and risks from their growing ecosystem of partners, vendors and affiliates.  

Our customers realize it’s no longer sufficient to take a compliance based approach. Enterprises must truly measure and manage risk from their expanding third party population.  Longer, spreadsheet-based assessments and hiring more assessors is widely recognized as a poor strategy given today’s climate.  

A third party cybersecurity breach – the most costly of all breaches – can spell millions of dollars in lost revenues, remediation costs, reputational risk, and potential regulatory fines.  The per capita cost of a breach goes up by $16 per record when a third-party organization is part of the breach equation.  

In CrowdStrike’s recently released report “Securing the Supply Chain”, they stated: “Although almost 90 percent of the respondents believe they are at risk for supply chain attack, companies are still slow to detect, remediate and respond to threats.”  So what’s causing some companies to delay building a third party cyber risk program that scales and provides total visibility? Especially when the costs of a third party cybersecurity breach are so high?

In my opinion, many are waiting on a better, more efficient and cost effective way. They’re seeking the one thing that enables them to transform their third party cyber risk program from nascent to advanced in a short period of time.

In my travels over the last five plus years, I’ve talked to hundreds of organizations who struggle with the same challenge – a lack of resources combined with a growing third party population.  It’s become clear what doesn’t work – customized, spreadsheet-based self assessments that place an unnecessary burden on your third parties while simultaneously providing little decision making support.  

It’s also become clear what does work.  The common denominator all world class third party cyber risk management programs share is this – they leverage some type of exchange to achieve scale and reduce costs.  This one to many approach enables speed and lowers cost for all market participants – including third parties.  

What if every time someone applied for a credit card, an auditor from Capital One, Citi or American Express showed up in your home to review your credit worthiness? Instead, they leverage TransUnion, Experian or Equifax to perform the work on an ongoing basis. An exchange works the same way for third party cyber risk.

Three primary factors are driving the requirement to build a more advanced third party cyber risk function in most every enterprise.  All three factors require leveraging a risk exchange to achieve the scale necessary to succeed:

  1. Increased regulatory scrutiny
  2. Increase in vendor/third party volume
  3. Increase in cyber events that involve a third party

With regulators like the OCC, NYDFS and others insisting that organizations manage the cybersecurity risk of companies outside their own walls – third party relationships with vendors, affiliates, service providers, customers and partners – as well as they do their own, CISO’s, CRO’s and CPO’s are required to prove that their policies and procedures attempt to lower overall risk.  It’s no longer acceptable to point to a two year old, static spreadsheet based assessment as “managing cyber risk”. These regulations require a more dynamic approach that enable true cyber risk management.

A recent Ponemon study found that 57% of organizations surveyed don’t have an inventory of all third parties with whom they share information.  The same study found that only 17% of respondents feel they’re highly effective at mitigating third party risks (down from 22% in 2017).  We rarely speak with an organization whose vendor population is shrinking or their budget to manage vendor risk is increasing. This asymmetry creates an easily exploitable gap that can only be managed via an assessment exchange concept.  

All security and risk teams are asked to do more with less.  Here’s three separate, but connected advantages to leveraging an exchange:

1)  Comprehensiveness:  Whether you prefer a NIST,  ISO, or customized assessment, the question set is only relevant if you have the ability to process the responses and monitor your third parties for security posture changes over time.  When a vendor centralizes on one assessment for all of their customers, keeping it up to date with accurate security data becomes manageable.

2)  Cost Effectiveness: An exchange based business model drives cost mutualization since the costs are being divided amongst several buyers.  Rather than many companies paying to separately assess a common provider like ADP, the exchange provider can perform the assessment once and allow ADP to share the results with all customers.  Your vendors will thank you…. I promise.

3)  Speed:  Company A has assessed Vendor 1.  Why should Company B perform the same exercise?  For vendors who have have been assessed by an exchange participant, the data is available immediately to other members.  See this case study from Blackstone where they performed 5x the number of assessments for 1/2 the cost.   

History has proven that for a marketplace to thrive, both sides must see benefits.  The taxi industry has been disrupted by Lyft because they introduced a new way of getting from point A to point B that satisfied the needs of both the driver and the rider.  An exchange brings balance to the equation and helps third parties avoid completing multiple, redundant spreadsheet based self assessments. Which in turn, helps customers manage third party cyber risk more accurately.  

With cyber events dominating the headlines and ever-expanding third party ecosystems, it’s time to modernize our approach to third party cyber risk.  The CyberGRX Exchange is a force multiplier that enables access to up-to-date risk assessments, thought provoking analytics and continuous monitoring.  Our goal is simple: To enable enterprises and their third parties to identify and manage risk quickly, comprehensively and cost-effectively.

Contact us to learn more about the CyberGRX Exchange.

 

SCOTT SCHNEIDER
CYBERGRX CRO

 

Leave a Reply