The Future of TPCRM: Cyber Risk Assessments in the Cloud

by CyberGRX

IT Delivery Model: A Brief History

Approximately every few decades, engineers disrupt the information technology delivery model. In the 1950s, we experienced the mainframe – a massive, powerful machine that completed any and all processing by dumb terminals that connected to it. In the 1980s, we experienced the client-server model in which personal workstations, the “client”, and server systems interacted to form a network that connected multiple users. The client depended on the server for data and software.

In the 2000s, the cloud computing model became increasingly popular whereby a user had convenient network access to a shared pool of data and technology with minimal administrative effort required. IT consultants and security professionals consider these delivery types as distinct, yet all three models share close characteristics with each other. Nevertheless, it is the cloud computing model indeed, that is the dominating information technology delivery model today. So, why cloud – and furthermore, why cloud risk assessments?

Why Cloud?

From a Software as a Service (SaaS) perspective, companies experience a lower total cost of ownership, a more rapid pace towards innovation and an overall better user experience.

Businesses are able to operate required software without a technological footprint, thereby eliminating both hardware and maintenance costs while simultaneously experiencing faster implementations and usages of new software. Businesses are no longer required to spend time testing changes to existing software or running software in parallel with existing production instances, but rather are able to take advantage of new functionality and bug fixes immediately. In the client-server software model, these testing phases often took years at larger companies. And because of this speed towards digital transformation, cloud computing ensures the use of latest technology, which in turn equates to a better overall user experience.

Third Party Cybersecurity Risk Management (TPCRM): A Brief History

The concept of “third party risk management”, the process whereby a company manages its relationship with another business that currently facilitates its own business to operate effectively, has existed for over 100 years. Since the Industrial Revolution, manufacturers recognized the importance of their suppliers as a critical factor of their success and therefore had to be sure to manage and maintain good relationships with those suppliers.

As we entered the Information Age, the notion of a “third party” expanded to not only the supplier in the manufacturer/supplier relationship paradigm, but also to any business that provides supporting goods and services to an enterprise, including subsidiaries, business partners and commercial customers and as such, “third party management” expanded in both scope and criticality.

The term “third party risk” became mainstream in the financial services industry when the Office of Comptroller of Currency (OCC) issued the Banking Circular OCC Bulletin 2013-29, requiring all regulated banks to assess and manage risks associated with third parties.

In the Information Age, third-party risk management is not only required by financial institutions, but spans all industries and encompasses many different types of risk – financial, reputational, regulatory, operational- to name a few. Third party risk also includes technology or cyber risk which has led to coining of the term “third-party cybersecurity risk”. The OCC Banking Circulars have referenced third-party cybersecurity risks as early as 1985, using the term “data servicers” and continued to do so, providing a security framework for national banks and their technology service providers. 

Historically, third-party risk management started with solely conversations – procurement employees talking to their suppliers. As companies began to outsource more processes to third parties to meet market demands, businesses developed third-party risk management policies. Companies supported these policies with documentation. Next, businesses began to use office software to ask third parties questions about their businesses; hence, came spreadsheets and emails. Questionnaires became lengthier, filled with inquiries and documentation requests. As software technology delivery models changed, questionnaires soon began to change focus- focusing predominantly on third-party cybersecurity risk, or, Third-Party Cyber Risk Management (TPCRM). 

Shockingly, present-day TPCRM programs still include the use of spreadsheets and emails. Companies with the most mature programs have integrated third-party cybersecurity risk management, in some capacity, into their enterprise risk management platform, whether it is by generating the third party questionnaire from their platform or integrating third party risk results back into their platform. The problem is that most risk management solutions are still in the process of moving to the cloud and if it is the case that the solution does exist in the cloud, the third-party cybersecurity risk information is not fully integrated. 

Why Cloud for TPCRM? Cloud Risk Assessments

It is no wonder why companies have moved their critical applications to the cloud over the last decade.  Companies need and can have access to information at any time and do so very easily using a URL on an array of devices (laptops, iPads, smart phones). Managing third-party cybersecurity risk has become essential for companies as they outsource more processes to third parties to meet market demands, regardless of the company’s industry or function.

So, if you are a third-party cybersecurity risk practitioner, why wouldn’t you want the same conveniences that other workers experience in their business domains from cloud computing? Shouldn’t you have the same effortless access to meaningful information, more specifically third party cybersecurity risk information, at anytime and anywhere with a greater user experience? It’s time to demand more from your TPCRM program – the CyberGRX Exhange has over 90,000 companies working together to pinpoint and mitigate risk on the cloud.