Pushing Boundaries: Accelerating Risk Decisions With Predictive Risk Data
The alarming volume of cyber attacks that businesses and organizations face today emphasizes the need for an agile third-party risk management (TPRM) program. When you do business with thousands of vendors, you can’t be too proactive in assessing and mitigating the risk each one presents. But as you try to balance maintaining healthy business relationships and limiting organizational risk, you often have to navigate some tricky waters.
We dove into the vendor-vetting debate with Joanna Soles, Sr. Director of Information Security at PepsiCo, Dave Stapleton, CISO at CyberGRX, and Peter Finter, CMO at CyberGRX, to discuss how security teams can keep up with the speed of business while staying on top of a growing third-party landscape.
Listen in to the discussion now:
The Challenges of Vetting and Onboarding Third Parties
Vetting and onboarding vendors is a delicate balancing act between the growing number of third-party threats and the due diligence needed to vet them properly. Success depends on asking the right questions, timing, and having the leeway to make hard decisions if risks are too high.
As Dave Stapleton explains, it comes down to asking three core questions:
What is the visibility of your security program? How do you find out about vendor requests– do you have established processes in place in your organization?
Do you have the appropriate time to collect and analyze third-party risk data to understand the risks posed to you?
Do you have the authority and ability to slow down, pause, or even reject processes or requests based on unacceptable risks?
What are the Ramifications of Risk Decisions Taking too Long?
“Our business is innovating rapidly and engaging with third parties across the globe constantly. The third-party landscape is never static; we (the security team) have to be able to move at the speed of business,” said Joanna.
Time is critical in vendor risk decisions; the window of opportunity to be heard about your risk concerns is limited.
When vendor decisions take too long, it’s much harder for security teams to have an impact. For example, internal team members often move ahead without the risk management team’s approval because gathering risk data can be time-consuming. As Joanna puts it, “If we take too long to provide meaningful feedback, then we lose the ability to provide any feedback at all. They may go around us or sign a contract, then later engage with us, leading to difficult conversations or missed contract language surrounding the risks.” Joanna advises making security easy for your organization and showing the different departments the value of what your risk management team provides. “We want to be a trusted business partner, and we want to provide others with timely information and not slow them down,” she said.
The Role of AI and Predictive Data in Risk Decisions
Without data, making good decisions or finding where to focus our conversations with vendors is challenging. Predictive Risk Intelligence, introduced by CyberGRX, is the ability to leverage known data from attested assessments plus leverage machine learning to factor in firmographic data, risk ratings, and threat intelligence from partners Risk Recon and Recorded Future. As a result, CyberGRX can predict how a similar third party will likely answer assessment questions with up to a 90% accuracy rate. But the question is, are you comfortable using data not generated by a human to make risk decisions?
For many companies, the answer is a resounding “Yes!” But others are only slowly edging their toes toward the AI-powered risk-decision waters. We polled our webcast audience, and the results showed an even split between those open to using predictive data vs. those against or unsure of the practice.
Incorporating AI-Generated Risk Data in the Decision-Making Process
The AI conversation has simultaneously gotten hotter and increasingly controversial in recent months, but the question becomes, could predictive data eventually replace manual assessments altogether? Joanna noted, “You’re definitely opening a can of worms when you talk about bringing ChatGPT and generative AI into the mix.” Still, on a more serious note, she sees AI as an effective tool—when used discerningly. “Data is critical to informing our decisions. Whether that data is 100% accurate, 90% accurate, or 50% accurate, you take what you can get at the time when you need it.”
Following this approach, Joanna uses predictive AI to limit PepsiCo’s risk and accelerate vendor decisions. “I’d rather have predictive data, even if not exact, and be able to share that information about a vendor to my legal department, IT department, or procurement department, explaining that you don’t know this information for a fact,” she said. ‘We don’t know for sure what their security posture is, but this is what our data and intelligence information is telling us– and much of this data is based on industry incidents that have happened. Our intelligence is a mixture of actual and predictive data, and we like to be able to provide that information as a first-pass security check. We may then recommend asking additional, more focused questions as part of the contract negotiations, based on the potential risks that we see and what’s critical to PepsiCo.’” Overall, stopping the buying process isn’t productive, and using predictive data to flag initial concerns communicates to the vendor that security is important to your organization.
Predictive Risk Data Fosters Better Relationships With Customers
Dave Stapleton agrees with Joanna and how the PepsiCo team uses predictive risk data. He also notes another benefit: stronger relationships with customers. “You can also engender a little respect and appreciation from your third parties by not sending them a 500-question spreadsheet,” referring to the surveys that many organizations depend on for risk data. “By using predictive risk intelligence instead, your vendors can see that you care about risk in a meaningful way instead of just sending them a rote checklist,” he added.
Predictive Data Improves Efficiency
Dave also pointed out that cybersecurity teams always need more resources. From talent shortages to assessment volume exceeding team capacity, workloads are heavy. Predictive intelligence gives you a reasonable approximation of how each third party will answer your assessment questions. Rather than relying on potentially skewed data to construct a risk profile from scratch, predictive intelligence offers an unbiased starting point. In other words, predictive data improves team efficiency– and makes the job more exciting, too, noted Joanna, “as your staff is not just pushing paperwork. The team can be more strategic, analyzing the results, contextualizing the information, and explaining the findings to the business.”
Predictive Risk Data Circumvents Inaccurate Disclosures
As risk professionals, we rely on risk assessments, but when you get a survey back from a vendor, how accurate is the data? Even well-meaning third parties may present inaccurate information. Joanna explains that the mistake could be completely innocent: “The evidence is not always full scope, representing the entire security posture of that company’s attack surface. Assessments just show a portion; they are also a point in time– you just don’t know or see the full picture.”
It’s also unlikely that you’ll get the precise information you’re seeking. Joanna says, “From our experience, the company is not going to give you their pen test results. They won’t give you vulnerability management reports from their vulnerability tracking tool. They’re going to give you their policy and their standards.”
By leveraging predictive data and threat intelligence, you gain additional perspective and a better understanding of a vendor’s true security posture.
Overcoming Internal Resistance to Predictive Risk Intelligence
Overcoming resistance to using predictive intelligence in your TPRM program depends on your internal relationships. Dave shared that predictive intelligence is a new concept for many risk management teams. Incorporating it is much easier when you have strong relationships in your organization and respect your team members’ obligations and timetables.
“Predictive data allows us to engage with stakeholders when there is an opportunity to make a difference,” Dave said. “Most organizations prioritize speed, innovation, and efficiency; if you stand in the way, that’s not good security. You want to avoid a situation where others go around you. You don’t want to be cut out of the vendor evaluation process because it takes too long.”
“No matter what methodology you use, you have to be a trusted partner with the business, and you have to give them something,” Joanna explains. “Stakeholders are so happy when we’re able to deliver some information to them in 1-5 days as opposed to 30-90 days. Predictive data has been game-changing for us, and it also buys us time to go deeper and get more details. It’s just not acceptable for stakeholders to engage with you and for you to say, ‘Submit a ticket, and I’ll get back to you in 90 days.’ That’s never a good response, and they’ll never come back to you again for any advice.”
Not to mention, extended risk evaluation timelines just aren’t scalable for growing organizations.
Joanna suggests focusing on actual risk management: “Pick the top security requirements that are must-haves for you, focus on those, and work to get some insight quickly on those specific requirements.”
Another suggestion is to use the contract to your advantage. As a risk assessment insurance policy, you can also “include some right to assess” in your agreement with a third party, Joanna advises. “As long as you’ve got that right-to-assess language in the contract, you can always go back to it and re-assess the vendor should something change.”
Using Predictive Intelligence to Push Your Decision Boundaries
After our speakers shared their use cases, we polled our webcast audience again, asking for their viewpoints on predictive data. The responses shifted to the positive as the value was better understood.
Overall, the goal of security teams is to be a trusted partner to the business and make security easy. Accurate, reliable data is a powerful resource, and predictive intelligence can help you identify your potential risks quickly and accelerate vendor decisions. To learn more about how you can leverage the power of predictive risk data in your organization, book time with our sales team.
Get Cyber Risk Intel delivered to your inbox each week: