Budgeting for Your TPRM Program
With two consecutive drops in real GDP in 2022, 1.6% and 0.9% for the first two quarters, people are fearing a recession—and corporations have been tightening their belts. With budgets getting leaner and threats getting meaner, what is the impact on your cybersecurity budget, and how can you effectively fund your third-party risk management (TPRM) program?
To explore this issue, we teamed up with Stephanie Hardt, a Partner at PwC, who specializes in cybersecurity risk management and third-party security. Stephanie lends her experience leading global TPRM teams to the conversation, and she’s joined by Dave Stapleton, CISO at CyberGRX, who has more than a decade of experience developing and managing risk and compliance teams. Peter Finter, CMO at CyberGRX, moderated the discussion as participants tackled the sticky issue of funding a TPRM program. Listen in to the discussion now:
The TPRM Budget Challenge: More Threats, Limited Funds
Ransomware attacks continue to rise, and phishing has gotten more sophisticated, but at the same time, partnering with third-party providers is also increasing. As Dave Stapleton explains, “Digital transformation has significantly increased the dependency that we have on third parties. We entrust them with more sensitive and critical data. And the processes that they run are increasingly more critical to the success of business. There’s a plethora of SaaS platforms that are really enticing to the business.”
This presents a challenge because as an organization teams up with more third-party providers, they increase the chances of getting hit with these—and numerous other—cyber vulnerabilities.
Not only do you have to safeguard the points where your third-party provider interfaces with your network, but you also have to reduce the risk of a threat actor stealing data you’ve entrusted to the third-party. In a challenging economic environment, companies have to make delicate decisions regarding how to fund the TPRM programs that can mitigate their risk. A survey of webinar participants shows 80% of security and risk professionals don’t feel they have adequate resources to effectively protect their organizations.
Prioritizing Third-Party Risk Management
As the third-party threat landscape intensifies, many organizations have shifted their TPRM program higher in their list of priorities. While financial companies have been prioritizing third-party risk management for decades, other industries have also begun to move it higher on their lists of concerns. Stephanie Hardt points out that the oil and gas companies and consumer market industries, for example, have started to prioritize TPRM on their agendas. At the same time, given the necessity of cost cuts, decision-makers have to be innovative when it comes to supporting TPRM prioritization with the cash to make it happen.
Some have chosen to turn inwards, using their existing talent pool to mitigate third-party risks. Even though this may involve giving people who are already working hard more to do, their familiarity with the organization’s ecosystem can bring benefits.
An audience poll revealed the biggest investments will be made in tools and people.
Arming Team Members with the Best Tools
One way to reduce the burden on inside risk management teams is to give them the most effective tools available for identifying and reducing risk. In this way, you can offset any shortages in human resources—essentially giving your carpenters nail guns instead of asking them to swing their hammers faster.
For instance, Dave Stapleton highlights the importance of using discovery tools “that can allow you to automate the process of assessing the risks associated with third parties.” You can then use these tools to “develop corrective actions plans, tracking those down, and working with your third parties to understand what’s acceptable, what’s not acceptable, and validating the types of controls they put in place to address those risks.”
Stephanie Hardt offers a similar perspective, explaining that, when it comes to cybersecurity, getting talent can be difficult without having to pay premium prices. So your second choice is to use technology to make your processes more efficient.
The Challenge of a Growing Third-Party Portfolio
For many organizations, the challenge is exacerbated by the constant addition of third-party partners. Some companies, for example, add new vendors weekly, making it harder to keep track of the risks each one may present.
To reduce the risk of adding vendors that present unreasonably high risks, you can use a tool like CyberGRX’s platform, which quantifies the risk profile of each vendor you’re considering, making it easy to pinpoint riskier partners. By using this intel in your decision-making process, you can justify decisions for or against partnering with a new third party.
How a Charge-Back Model Can Help Dilute TPRM Costs
Once an organization has committed to supporting a TPRM program, leaders may have to get creative when deciding how to fund it. One of the more innovative methods of making sure the program has the money needed to protect your company involves using a charge-back model. This entails charging back the cost of your TPRM program to other departments. To determine how much to charge each stakeholder, you can base your numbers on how much departments use the third parties involved or the number of vendors they’re using.
Stephanie Hardt notes that chargeback models can work well, particularly if there’s a disproportionate amount of usage of TPRM tools across your enterprise. In some ways, access to TPRM tools and processes is like a buffet. Different departments can request the TPRM team to examine as many suppliers as they want, essentially grabbing resources without necessarily considering the cost or effort involved.
On the other hand, by using a chargeback model, you can start to show the costs involved with using TPRM solutions. And if departments now have to pay for SecOps team support, they tend to get more discerning regarding the number of vendors they move to the evaluation stage.
How to Present Your TPRM Budget
As always, your budget proposals are where the rubber meets the road, so getting it just right can, literally, pay off. Stephanie Hardt recommends directly tying your program to business objectives, particularly because using fear tactics—trying to scare executives into funding a TPRM initiative, is ineffective.
Dave Stapleton adds that when presenting your TPRM strategies to executives, it’s important to “tell them a story. Link TPRM to business outcomes and risks. You can be light on the technical details and be more heavy on the themes and reasoning. And use existing methods of quantifying risk to link your TPRM strategies with dollars and cents.”
No matter what challenges the economic climate brings, you can still fund an effective TPRM program. The key is to be strategic when it comes to choosing the tools you want to use, how you spread the responsibility of paying for them, and carefully presenting your budgets to executives. To assist in your planning efforts, download our TPRM Budgeting Checklist now.
With CyberGRX’s risk management platform, you get a comprehensive view into the risks each third party presents. Not only do you get an accurate assessment of your entire portfolio of vendors, but you also have access to predictive capabilities that enable you to approximate the risk of future cyber threats. Discover the benefits of CyberGRX for your organization today.