Third-Party Risk Assessments: Are They Effective Cyber Risk Intelligence Tools?
It’s the million-dollar question every cybersecurity practitioner has in the back of their mind: do third-party risk assessments still work?
While some might be thinking, “yes, of course,” Gary Phipps, VP of Risk Solutions at CyberGRX, has a slightly different take. His response? “Yes, they work, but—.” But what, Gary?
What are the shortcomings of the traditional risk assessment process?
“Risk assessments were designed for a specific purpose, and they work for that purpose,” says Gary. “But when an organization uses the same tool for everything, beyond what it was intended for, it’s no longer effective. As an example, using lengthy assessments as part of the onboarding process or mid-cycle review for high-risk vendors, or to triage application vulnerabilities: organizations end up using the same tool for every interaction, and it’s just not an effective application for what they’re trying to accomplish. In a quickly changing environment, you need something faster and more efficient.”
So if a traditional risk assessment isn’t the answer, what is?
Shifting Assessment Focus from Gathering Information to Actioning It
The objective is to make the assessment process easier and more effective for both the customer and the third party. Predictive intelligence capabilities enable security practitioners to quickly identify particular deficiencies or controls based on the purpose and use of the third-party service in question. In contrast, a traditional risk assessment is about trying to gather information on a third party that puts you at risk.
“There’s a better way,” explained Gary. “The CyberGRX Exchange crowdsources information on third parties. We help you find the information you’re after based on how you’re using that service provider, then we identify the specific deficiencies we believe that third party may have and highlight the implications to you. This means instead of engaging in a lengthy questionnaire, you can now ask more focused questions that pertain to the risk that a specific vendor poses. Predictive intelligence means you can get on with the business at hand instead of a drawn-out process.”
Improving the Efficiency of Risk Assessments
It’s to everyone’s advantage to improve the risk assessment process: overworked and overloaded security and risk teams can focus on more strategic work, and third parties will spend less time completing lengthy and redundant assessment questions.
“Everyone is doing a pretty good job of asking the same questions, but we’re not asking the most important ones up front; it’s about efficiency,” Gary said. “Take care of the things that are critical to you and your organization’s risk posture. We want you to focus on the things that only you can respond to, and make decisions appropriate for your organization.”
Listen in to the full interview with Gary Phipps and Chuck Harold, Executive Producer at SecurityGuyTV.com:
And if you’d like to meet Gary in person and debate the subject of risk assessment effectiveness, visit CyberGRX at BlackHat 2022, booth 2650, or request a CyberGRX demo now.