After a Bad Year in Third Party Risk, Let’s All Turn the Page


Change Healthcare, Delta Airlines, AutoNation, Ticketmaster, Okta… 2024 was just an awful year for third party or supply chain cyber disasters, malicious or accidental. (You can relive them all at our website How Material Is That Hack?) In 2024, third parties became the number-one threat vector.

As FAIR Institute Director of Research Pankaj Goyal wrote in a blog post earlier this year, let’s kill TPRM as it’s conventionally practiced – it’s clearly not working – and move on to a new set of risk management best practices developed by the FAIR Institute: FAIR-TAM (Third Party Assessment Model), an extension to the FAIR model, the standard for quantitative cyber risk analysis.

Pankaj recently made the case for FAIR-TAM in a webinar hosted by SIRA (The Society of Information Risk Analysts), and we’re presenting a summary of his remarks as a public service for any risk managers struggling to get their arms around cyber loss exposure from vendors and other partners (who can number in the thousands at a large organization).

State of TPRM: “Noseblind”

Pankaj led with a quote from Alla Valente, Senior Analyst at Forrester: the state of TPRM is “mostly noseblind,” that condition when your sense of smell gives out from sensory overload. The Forrester Business Risk Survey for 2023 found that third-party risk was the lowest priority for cyber risk management, and those organizations that were assessing for TPRM were covering less than half their partners. Survey respondents said their TPRM programs lacked budget, lacked staff, lacked tools…

5 Steps to TPRM Failure

The FAIR Institute’s research into supply chain risk management has identified these five blockers, all of which can be traced back to tools and methods that simply aren’t up to the task of managing a large and dynamic third-party risk landscape.

[Chart: TPRM - CISO Problems]

So, What’s the Better Way?

Pankaj and the developers of FAIR-TAM started by asking CISOs for their need-to-know questions, then set out to answer them:

[Chart: TPRM - CISO Questions]

The first big revelation the team arrived at:

“Third Party Risk Is First Party Risk”

In other words, consider that your attack surface also wraps around your third parties. It’s a powerful, clarifying insight that brings third party risk management into the well-established domain of FAIR cyber risk analysis.

What Is FAIR-TAM?

It’s pretty simple, really. Here’s the money chart from Pankaj:

[Chart: TPRM - FAIR TAM Framework]

Risk-based prioritization leverages FAIR to quantify third party risks on par with first party risks – and identifies the third parties that matter, solving the prioritization problem.

Comprehensive, continuous monitoring with inside-out telemetry fixes the limitations of the conventional tools: 1) questionnaires, which give only a point-in-time view of risk, and 2) outside-in scans, which give only a limited view of a third party’s controls.

Actionable risk mitigations are identified by the preceding two steps, enabling a cooperative effort by first party and third party, united, to burn down risk.

Shortcut: FAIR Institute Identifies the Top 10 Controls for TPRM

It’s research in progress, but the team has examined 100 third-party breaches and found the 10 controls that would significantly reduce third-party risk and should be the priority for initial third-party assessments. More to come soon.

Could FAIR-TAM Have Made 2024 a Better Year for Third-Party Risk Management?

Yes! Arguably, the massive Change Healthcare breach and outage could have been averted with a FAIR-TAM analysis that revealed the risk of this single point of failure in the healthcare payments system – and the inadequate controls at Change.

[Chart: TPRM - FAIR TAM - Healthcare]

Ditto for the CrowdStrike software flaw that took down Delta Airlines and so many other organizations – in the spirit of treating third-party as first-party risk, the CrowdStrike victims might have built in their own redundancies.

[Chart: TPRM - CrowdStrike - FAIR TAM]

Remember that Forrester survey that found organizations were assessing the risk of only half their partners (if that)? Prioritization through risk quantification is the answer, Pankaj said.


In summary, out with the old…

[Chart: TPRM - Old vs New]

As Pankaj concluded:

“We can fix this!”


Learn more:

Forrester’s Alla Valente and Cody Scott presented at the 2024 FAIR Conference. Watch a video of their talk on the State of the Third Party Risk Management Market.

Get involved with TPRM research at the FAIR Institute. For more information and any questions about FAIR-TAM, please contact Pankaj Goyal, Director of Research and Standards, through the Contact Us form.
