TPCRM expert Dave Stapleton recently sat down to discuss the basics of third-party cyber risk management (TPCRM), what it takes to build an accurate, streamlined program step by step, how to overcome common challenges, and much more. Here are highlights of the Q+A:
Q: Why is third-party cyber risk management (TPCRM) important?
A: Third-party risk is a real and ubiquitous concern. Reliance on third parties is at an all-time high, which places responsibility on organizations to manage the risk associated with their vendors. In fact, over half of all cyber breaches can be linked to a third party, and the average cost is $7.5 million to remediate. You can’t be cyber secure without managing your third-party cyber risk.
Q: Why is it still so difficult to implement a TPCRM program? How can you implement a more modern approach?
A: It’s a complex problem that requires a modern solution. 40% of organizations use manual procedures like spreadsheets and 54% use risk scanning tools to vet their third parties. However, 54% of these companies say the results of these tools don’t provide the valuable information they need to combat third-party cyber risk.
Despite the complexity of establishing a third-party cyber risk program, we believe that organizations can achieve success by taking it step by step to ensure they don’t bite off more than they can chew and to ensure that they aren’t overlooking any vital elements of their program. We’ve also learned that even organizations that have a third-party risk management program in place often have room for significant improvement. Employing automation, standardization, and taking advantage of crowdsourced data are all ways to further optimize your program.
Q: What are the biggest roadblocks you’ve faced when revamping a TPCRM program? What effective strategies have you used to overcome these roadblocks?
A: There are many roadblocks associated with conducting risk management including: resource intensity, subjectivity, and the risk of human error. One potential way to address these issues is through automation. For example, consider whether your processes include repetitive tasks. These are often good candidates for automation, whether it’s sending the same types of emails over and over, monitoring and alerting on the status of assessments, or creating executive briefings. In order to automate a process you will need to make a decision about the triggers for action and what the expected outputs should be. This decision making process should limit the future effects of human subjectivity and human error as well.
Here’s a scenario that’s sure to frustrate risk managers. You’re given a list of 20 potential new vendors to evaluate and the business manager wants your risk-based opinion as soon as possible. In order to speed things up, she’s already asked each of the 20 to submit whatever security or risk focused documentation they have. So now you’ve got six SOC 2 reports, a customized SIG questionnaire, three ISO certificates, etc., etc. How the heck are you supposed to use this information to accurately compare and contrast the potential risks posed by each of these vendors? It isn’t impossible, but you’re definitely going to need a lot of coffee before the task is completed. Standardization across your risk assessment procedures, assessed controls, and risk analysis output is key to ensuring efficiency and consistency of your program.
Another point to consider is how best to leverage information that is readily available rather than feeling you need to develop it all on your own. This concept of information sharing has been around in cybersecurity circles for years. One obvious example is the exchange of threat intelligence information. An exchange of risk data can improve the speed with which assessments are completed, reduce costs (assuming a cost sharing scenario), and allow your organization to do more with less.
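The two ideas in the answer above, fixed triggers for automation and a standard control set that every piece of vendor evidence is mapped onto, can be sketched in code. The following is an added example written for this page, not CyberGRX code or the Exchange's data model. The canonical control set, the weights, the crosswalk from framework references to those controls (the SIG item IDs in particular are placeholders), the thresholds and the four vendor records are all constructed for illustration; a real program would build the crosswalk from the framework texts and its own risk appetite. The point it makes that the prose does not: a control a document never covers is "unknown", not "met", so a narrowly scoped SOC 2 cannot look cleaner than a full ISO certificate, and the triggers (stale evidence, low coverage, an exception) are decided once, in code, rather than per reviewer.

```python
"""Normalize heterogeneous vendor evidence onto one control set, score it,
and derive automation triggers.  Added example; every table and record
below is constructed for illustration, not an authoritative crosswalk."""
from dataclasses import dataclass
from datetime import date, timedelta

# Canonical controls the program assesses every vendor against (assumed set).
# Weight expresses how much a gap in that control moves the score.
CANONICAL_CONTROLS = {
    "access_control": 3,
    "encryption": 3,
    "logging_monitoring": 2,
    "vuln_management": 2,
    "incident_response": 2,
}

# Framework reference -> canonical control.  Illustrative only; SIG item IDs
# are placeholders, and the SOC 2 / ISO entries are a rough approximation.
CROSSWALK = {
    ("soc2", "CC6.1"): "access_control",
    ("soc2", "CC6.7"): "encryption",
    ("soc2", "CC7.1"): "vuln_management",
    ("soc2", "CC7.2"): "logging_monitoring",
    ("soc2", "CC7.4"): "incident_response",
    ("iso27001", "A.9"): "access_control",
    ("iso27001", "A.10"): "encryption",
    ("iso27001", "A.12"): "logging_monitoring",
    ("iso27001", "A.16"): "incident_response",
    ("sig", "Q-ACC"): "access_control",
    ("sig", "Q-ENC"): "encryption",
    ("sig", "Q-LOG"): "logging_monitoring",
}

MAX_AGE = timedelta(days=365)   # assumed: evidence older than this is stale
MIN_COVERAGE = 0.8              # assumed: below this, ask for more evidence
RANK = {"unknown": 0, "met": 1, "gap": 2}   # worse status wins when merging


@dataclass
class Evidence:
    vendor: str
    framework: str                 # "soc2", "iso27001" or "sig"
    in_scope: tuple[str, ...]      # references the document actually covers
    exceptions: tuple[str, ...]    # in-scope references found deficient
    issued: date


def normalize(ev: Evidence) -> dict[str, str]:
    """Map one document onto the canonical controls.  A control the document
    never covers stays 'unknown': out of scope is not the same as passing."""
    status = {c: "unknown" for c in CANONICAL_CONTROLS}
    for ref in ev.in_scope:
        control = CROSSWALK.get((ev.framework, ref))
        if control is None:
            continue                      # unmapped reference: ignore, don't guess
        if ref in ev.exceptions:
            status[control] = "gap"       # an exception always beats a pass
        elif status[control] != "gap":
            status[control] = "met"
    return status


def merge(statuses) -> dict[str, str]:
    """Combine several documents for one vendor; the worst status per control wins."""
    merged = {c: "unknown" for c in CANONICAL_CONTROLS}
    for st in statuses:
        for c, s in st.items():
            if RANK[s] > RANK[merged[c]]:
                merged[c] = s
    return merged


def score(status: dict[str, str]) -> tuple[float, float]:
    """Return (risk score 0-100 over assessed controls, fraction of weight assessed).
    Unknowns are excluded from the score but reported so they cannot hide."""
    assessed = [c for c, s in status.items() if s != "unknown"]
    total_w = sum(CANONICAL_CONTROLS.values())
    assessed_w = sum(CANONICAL_CONTROLS[c] for c in assessed)
    gap_w = sum(CANONICAL_CONTROLS[c] for c in assessed if status[c] == "gap")
    risk = 0.0 if assessed_w == 0 else round(100 * gap_w / assessed_w, 1)
    return risk, round(assessed_w / total_w, 2)


def assess_vendor(docs: list[Evidence], today: date) -> tuple[float, float, list[str]]:
    """Apply the fixed triggers: stale document, coverage below threshold, any gap."""
    status = merge(normalize(d) for d in docs)
    risk, coverage = score(status)
    actions: list[str] = []
    if any(today - d.issued > MAX_AGE for d in docs):
        actions.append("request_reassessment")
    if coverage < MIN_COVERAGE:
        missing = sorted(c for c, s in status.items() if s == "unknown")
        actions.append("request_evidence:" + ",".join(missing))
    actions += ["open_finding:" + c for c in sorted(c for c, s in status.items() if s == "gap")]
    return risk, coverage, actions


def rank_vendors(evidence: list[Evidence], today: date) -> list[tuple[str, float, float, list[str]]]:
    """Highest risk first; among equal risk, the vendor we know least about first."""
    by_vendor: dict[str, list[Evidence]] = {}
    for ev in evidence:
        by_vendor.setdefault(ev.vendor, []).append(ev)
    rows = [(v, *assess_vendor(docs, today)) for v, docs in by_vendor.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


SAMPLE_EVIDENCE = [   # constructed records, not real vendors or reports
    Evidence("acme", "soc2", ("CC6.1", "CC6.7", "CC7.1", "CC7.2", "CC7.4"), ("CC7.1",), date(2024, 3, 1)),
    Evidence("bolt", "iso27001", ("A.9", "A.10", "A.12", "A.16"), (), date(2023, 1, 15)),
    Evidence("cobalt", "sig", ("Q-ACC", "Q-ENC"), (), date(2024, 5, 1)),
    Evidence("cobalt", "soc2", ("CC7.2",), (), date(2024, 4, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for vendor, risk, coverage, actions in rank_vendors(SAMPLE_EVIDENCE, TODAY):
        print(f"{vendor:8} risk={risk:5.1f} assessed={coverage:.0%} actions={actions}")
```

In the sample, the vendor with a full-scope report and one exception ranks first on risk, while the vendor whose two documents together cover only three of the five controls ranks above the one with a complete but stale ISO certificate; the stale certificate produces a reassessment trigger rather than being silently trusted.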
Q: CyberGRX leverages an exchange model. Can you tell me how it came to be, and what’s so special about it?
A: When the founders of CyberGRX created this company, they wanted to do away with static spreadsheets and create a faster, more accurate and cost-effective approach to TPCRM. Frankly, they were tired of having to complete seemingly endless security assessments, or having to deal with tedious manual processes to obtain the third-party risk information they needed. With the help of a set of prestigious design partners they developed a modern solution that benefits both organizations and their third parties through the use of a risk exchange model.
Our Exchange houses assessments that live in the cloud, are kept up to date and collect dynamic data on gaps in third parties’ ecosystems. In addition, we apply real-time threat intelligence, custom kill chains, and proprietary analytics to provide users with real risk data, not just a yes/no compliance check. Because our solution is built on our own software, we are also able to automate tasks that would otherwise require our customers to spend hours of valuable time per assessment. The automation and standardization of the CyberGRX Exchange enables our customers to scale up significantly, conducting more assessments and receiving more actionable data, using fewer resources. And we recently surpassed 50,000 companies on our Exchange, enabling our community to get smarter, stronger, and more secure.
Dave Stapleton, CISO of CyberGRX