Likely no one in our industry will dispute that the traditional approach to third-party cyber risk management (TPCRM) is fraught with redundant and inefficient processes. Security teams, already stretched to the max, don’t have enough time and resources to manage the increasing volume of third-party risk effectively. As a result, cyber risks are inadvertently overlooked, and companies remain vulnerable.
Let’s face it: our current approach to TPCRM is broken. From assessment chasing and static spreadsheets to vendor backlogs and data that’s nothing but noise, the way we’re tackling this problem is creating a lot of work and not a lot of confidence that our third-party cyber risk postures are actually improving.
We brought together Fred Kneip, CEO and Founder of CyberGRX, and Rich Seiersen, Chief Risk Officer for Resilience, a leading InsurTech startup, to discuss and debate the topic of evolving third-party cyber risk management. Here’s what they had to say.
The Benefits of an Exchange and One-to-Many Sharing Model
At its core, an Exchange model relies on community-level collaboration.
An Exchange not only provides access to cyber risk assessments within a shared platform, but also an opportunity for real-time collaboration and data sharing beyond assessments. What are the critical capabilities an Exchange model should provide to its members?
“An Exchange creates efficiency, eliminates repetition, and creates community engagement in the process,” shared Fred Kneip. “LinkedIn is an example of an exchange. When applying for a job, instead of sending your resume over and over again, your work history is already in your profile for viewing by interested companies.” The same principles apply to managing cyber risk.
“Evaluating risk is an inefficient process for everyone involved,” noted Fred. “If you were to ask those involved in the process – the assessment practitioner who’s tasked with chasing assessments and processing the incoming data, and the third party, who has to complete lengthy assessments for multiple customers – they will all tell you they hate the process. It’s just not efficient, and that’s where an Exchange creates value. Removing repetitive processes and standardizing data allows companies to do more with that data and third parties to share their existing profiles with new customers,” he explained.
By definition, “scalability” is the ability to increase or decrease performance and cost in response to one’s operating environment. “Third-party risk is massive, and companies struggle with scaling,” commented Rich Seiersen. “You’d have to hire armies to get all the work done. However, as we think about the future of work, what party isn’t a third party? As such, having the means to scale TPCRM is critical to companies today.”
Changing the TPCRM Conversation
Consider, for a moment, security assessments. The questionnaires are lengthy, asking for lots of information, but how many of the answers affect your decision to bring on a third party or not? Are all those questions necessary?
When you think about it, many of the compliance questions don’t change that often. The average organization uses 5,800 third-party applications and vendors, if not more. So, the practice of every organization creating its own customized assessment comes into question. Is this viable and realistic, given our growing dependence on third parties?
“Scalability is incredibly important,” emphasized Rich. “We work in a world where every party is a third party, so we need a process that scales with us. I’ve tried hiring teams to manage the process, but it didn’t work – there’s just too much data – more than a human could process,” he said.
So how can companies shift the conversation and get the biggest bang for their TPCRM buck?
“Collecting data is time-consuming, and analyzing that data is complex. Ultimately, third-party cyber risk management is about understanding the data and doing something about it. First, you have to consider the value at risk – the business disruptions, the data loss, and the material impact on your business. Then, place a monetary value on that risk and the likelihood of experiencing a material loss. It’s essential to understand where risk lies, given the volume of third parties you have,” explained Rich.
“When information is already on an Exchange, it takes the administrative work away. Now you’re able to make material decisions vs. spending all the time collecting the data – this is the way of the future,” added Fred.
How Do You Prioritize Cyber Risk?
Without the right data, it’s very difficult to make the right decisions.
“If you're only considering vulnerabilities and not looking at the actual value of risk, you’re not really managing risk,” said Rich. “Complete portfolio visibility is understanding both the likelihood of vulnerability and the material impact of that risk. This is where TPCRM is going– combining the empirical data with the actual value at risk and what that means to an organization, then mitigating the surprises.”
It boils down to portfolio visibility: looking at your entire third-party ecosystem as a whole and prioritizing whom you will assess, as opposed to selecting a few third parties based on size or monetary value.
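To make that contrast concrete, here is an added example (not CyberGRX’s or the speakers’ code) that ranks a constructed third-party portfolio two ways: by contract spend and by expected loss (likelihood × material impact, as described above), then reports how much of the portfolio’s value at risk a fixed number of assessments covers under each strategy. Every vendor name, spend figure, probability and impact below is a constructed placeholder.

```python
"""Spend-based vs. risk-based triage of a third-party portfolio.

Added illustration; vendor names and figures are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    annual_spend: float   # contract size in USD (what size-based triage uses)
    p_incident: float     # estimated annual probability of a material incident
    impact_usd: float     # estimated material loss if that incident occurs

    @property
    def expected_loss(self) -> float:
        """Annualised value at risk: likelihood x material impact."""
        return self.p_incident * self.impact_usd


# Constructed portfolio: the big hosting contract is well controlled, while a
# small payroll SaaS holds sensitive data that a spend-based review would skip.
PORTFOLIO = [
    ThirdParty("Cloud hosting (constructed)", 2_400_000, 0.02, 5_000_000),
    ThirdParty("Payroll SaaS (constructed)", 90_000, 0.15, 3_000_000),
    ThirdParty("Office supplies (constructed)", 600_000, 0.05, 50_000),
    ThirdParty("Marketing CRM (constructed)", 150_000, 0.20, 1_200_000),
    ThirdParty("Facilities vendor (constructed)", 800_000, 0.03, 200_000),
]


def rank_by_spend(portfolio):
    return sorted(portfolio, key=lambda t: t.annual_spend, reverse=True)


def rank_by_expected_loss(portfolio):
    return sorted(portfolio, key=lambda t: t.expected_loss, reverse=True)


def risk_covered(selected, portfolio) -> float:
    """Share of the portfolio's total expected loss that `selected` covers."""
    total = sum(t.expected_loss for t in portfolio)
    return sum(t.expected_loss for t in selected) / total


def compare_strategies(portfolio, budget: int) -> dict:
    """Assess only `budget` vendors per strategy; return names and coverage."""
    by_spend = rank_by_spend(portfolio)[:budget]
    by_risk = rank_by_expected_loss(portfolio)[:budget]
    return {
        "spend_based": ([t.name for t in by_spend], round(risk_covered(by_spend, portfolio), 3)),
        "risk_based": ([t.name for t in by_risk], round(risk_covered(by_risk, portfolio), 3)),
    }


if __name__ == "__main__":
    for strategy, (names, share) in compare_strategies(PORTFOLIO, 2).items():
        print(f"{strategy}: {names} covers {share:.0%} of expected loss")
```

With a budget of two assessments, the spend-based pick covers about 13% of the constructed portfolio’s expected loss, while the risk-based pick covers about 86%.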
“Not many organizations have the capacity or resources to pinpoint who to assess strategically. But with an Exchange, you have that visibility; you can see your entire ecosystem, so that you can prioritize your time and resources – it’s a whole new way of looking at your risk portfolio,” said Fred. “You need to be able to see the entire picture, or you’ll never prioritize the right pieces and the biggest areas of concern. The absence of information does not make us safer; on the contrary, it masks a problem waiting to happen,” he added.
Portfolio visibility also allows organizations to compare, a key ingredient to prioritizing risk.
When viewing static and customized data sets, a comparison is impossible. In contrast, an Exchange model provides data about the data, enabling comparison of one entity relative to another, also known as “benchmarking.”
“Benchmarking can be incredibly valuable and also very dangerous. It goes beyond just knowing if you’re in a top percentile – benchmarking is helpful in looking at your controls versus what others have. For example, do you have the right controls in place, or what are you missing compared to what other companies are doing?” commented Fred. “Knowing how you stack up against your peers is a very powerful tool,” he added.
Finally, the availability of standardized data enables security practitioners to have risk conversations earlier in the procurement process. Too often, security teams only realize while onboarding a third party that the vendor is a complete security disaster, creating additional challenges.
Evaluating Third Parties with the MITRE ATT&CK Framework
Threat insights, of course, are relative to the world you operate in. The MITRE ATT&CK framework helps to identify the chain of events and the causal chain associated with an attack. But is it enough? Does the MITRE ATT&CK framework provide adequate cyber risk assurance?
“You can’t look at all your third parties the same. So even if a company scores very high on the MITRE ATT&CK framework, that’s not helpful information. What’s more important is to know which controls are in place and which ones are missing to protect the data in the way you need. You have to know what matters to you,” commented Fred. “As we talk about scalability especially, applying a standard framework like MITRE to standardized Exchange data becomes a very powerful tool to drive better risk management,” he added.
Naturally, collaboration is most effective when it’s an informed conversation. Therefore, the MITRE framework also provides a common language between the customer and the third party, allowing them to discuss known vulnerabilities and solve problems collectively.
Words of Advice and Encouragement
The past 18 months have been incredibly challenging and hard on security teams. But take heart; third-party cyber risk management is evolving for the betterment of all involved.
“What a wonderful time to be working in cyber and risk management, to have so much data at your fingertips and to remove the drudgery of spreadsheets – that no longer defines your job,” commented Rich. “With Exchange tools like CyberGRX, your job can evolve into a strategic role. Ask questions, prioritize risk, get value from your data and truly understand where your risk is – what a great time to have a career in cybersecurity,” he noted in his closing remarks.
Fred, too, offered words of encouragement and parting advice. “Pull yourself out of your day-to-day and ask yourself what you are trying to accomplish with your TPCRM program. Is it to do more assessments, and for what purpose? Is it to count how many assessments you are doing, or is it to truly manage risk and get a broader view? Think about what you want to do and what you’d like to present to your executive board. Then, design a program around those objectives vs. doing what you were doing faster. Start to do things that are truly impactful to your organization – and CyberGRX can help.”
To learn more about the CyberGRX Exchange and the benefits it provides to your organization, book a personalized demo now.