How Third-Party Cyber Risk Management Went from Reactive to Proactive

by CyberGRX


Whether it’s a vendor for Volkswagen and Audi leaving data up for grabs on the internet or a Las Vegas casino getting hacked through a fish tank, third parties have risen as a primary attack vector. But IT teams and cybersecurity professionals aren’t taking the threat lying down. Professionals involved in third-party cyber risk management (TPCRM) are taking a proactive stance using new ways of thinking and cyber risk management tools to protect data, networks—and fish tanks—so a breach doesn’t leave their companies belly-up.

We teamed up with cybersecurity thought leaders to talk about how they’re suiting up for the current third-party cyber risk battlefield, who the soldiers are, and the future of the fight. Pull up a chair as we sit down to talk about the shift from reactive to proactive approaches to TPCRM with Chris Steffen, Research Director at Enterprise Management Associates, Adam Fletcher, CISO at Blackstone Group, Bruce Schneier, internationally renowned security technologist at Harvard Kennedy School, and Dave Stapleton, CISO at CyberGRX.

Understanding the Current Risk Environment

Despite the proliferation of attacks via third-party vendors, organizations aren’t letting fear prevent them from forming new partnerships. The key, as Adam Fletcher explains, is to be proactive. “We give ourselves more chances to review the risk. We request a review of the risk they present and use tools that provide rapid data and information, which gives us a first look. And that can highlight issues.”

To save time and effort during the risk management decisions, proactive companies are also being reasonable about the risks different vendors pose. 

Bruce Schneier explains it this way: “The third-party vendor that delivers copy paper is probably relatively low risk. But your human capital management system, which has sensitive PII (personally identifiable information) about all your employees may present more risk. So you have to work with a steering group for third-party risk, so you can draw a line in the spectrum to determine how much attention to give each potential vendor.”

Naturally, once you grasp the risk environment, you have to answer the question of who’s responsible for addressing it.

Who Is Responsible for Addressing Cyber Risk?

Although cybersecurity experts have the knowledge, it’s the business decision-makers who push the buttons. Therefore, as Bruce Schneier explains, “It’s our (as cybersecurity professionals) job to educate decision-makers.”

In addition, successful organizations embrace a culture shift when it comes to how they view the role of security personnel.

Chris Steffen says it’s key to transition away from seeing IT security as “the organization of ‘No’” and to “have a more collaborative approach.” This requires frank discussions about a shared responsibility model and what that means for everyone involved. When these structures aren't put in place, Steffen explains the impact this way: “Ninety-nine times out of 100, the problem behind a breach comes from the shared responsibility model and people not doing what they were supposed to do.” Organizations can't just delegate cybersecurity to cloud service providers (CSPs) or other third-party providers. Each party must do their part, but ultimately it's your responsibility to manage risk and protect your data.

Regardless of how teams work together, thanks to technology, we're experiencing an evolution in how companies meet the TPCRM challenge.

Evolving Approaches

According to our panelists, the future will be defined by an even more proactive stance. 

Merely relying on third parties to provide adequate risk data can be problematic. “We need to turn to sources of information that don’t require interaction with the third party,” said Dave Stapleton. Threat monitoring and artificial intelligence can play a role in this arena as well. 

As Stapleton points out, “CyberGRX has released a machine learning tool that lets you see how a vendor may answer an assessment questionnaire.” He goes on to mention that while it’s preferable to have an ongoing relationship with a vendor, “we do have other options to rapidly obtain actionable data in lieu of an assessment, including attack scenario analytics.”

Taking a More Proactive Stance with TPCRM

At the end of the day, it’s about managing third-party risk, not merely assessing it. This means you have to be aggressive. 

Cybersecurity leaders need to have a seat at the decision-making table and leverage threat intelligence, machine learning, and advanced analytics to streamline TPCRM. Learn more by connecting with CyberGRX for a demo today.