Change Healthcare, Delta Airlines, AutoNation, Ticketmaster, Okta…2024 was just an awful year for third party or supply chain cyber disasters, malicious or accidental. (You can relive them all at our website How Material Is That Hack?). In 2024, third parties became the number-one threat vector.
Pankaj recently made the case for FAIR-TAM in a webinar hosted by SIRA (The Society of Information Risk Analysts), and we’re presenting a summary of his remarks as a public service for any risk managers struggling to get their arms around cyber loss exposure from vendors and other partners (who can number in the thousands at a large organization).
Pankaj led with a quote from Alla Valente, Senior Analyst at Forrester: the state of TPRM is “mostly noseblind,” that condition when your sense of smell gives out from sensory overload. The Forrester Business Risk Survey for 2023 found that third-party risk was the lowest priority for cyber risk management, and those organizations that were assessing for TPRM were covering less than half their partners. Survey respondents said their TPRM programs lacked budget, lacked staff, lacked tools…
The FAIR Institute’s research into supply chain risk management has identified these five blockers, all of which can be traced back to tools and methods that simply aren’t up to the task of managing a large and dynamic third-party risk landscape.
Pankaj and the developers of FAIR-TAM started by asking CISOs for their need-to-know questions, then set out to answer them:
The team’s first big revelation:
“Third Party Risk Is First Party Risk”
In other words, consider that your attack surface also wraps around your third parties. It’s a powerful, clarifying insight that brings third party risk management into the well-established domain of FAIR cyber risk analysis.
It’s pretty simple, really. Here’s the money chart from Pankaj:
Risk-based prioritization leverages FAIR to quantify third party risks on par with first party - and identifies the third parties that matter, solving the prioritization problem.
Comprehensive, continuous monitoring with inside-out telemetry fixes the limitations of the conventional tools: 1) questionnaires, which give only a point-in-time view of risk, and 2) outside-in scans, which give only a limited view of a third party’s controls.
Actionable risk mitigations, identified by the preceding two steps, enable a cooperative effort to burn down risk by first party and third party united.
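To make the first step concrete, here is an added illustration (not code or data from FAIR-TAM, the webinar, or the FAIR Institute) of what “quantify third party risks on par with first party” means in practice: every scenario, whether the asset is run in-house or by a vendor, is expressed in the same FAIR terms, Loss Event Frequency times Loss Magnitude, and ranked by expected annual loss. The three-point estimates are reduced to their PERT means; the vendor names and figures are constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Calibrated three-point estimate: (minimum, most likely, maximum)
Pert = Tuple[float, float, float]


def pert_mean(estimate: Pert) -> float:
    """Mean of a PERT (modified beta) estimate: (min + 4 * most_likely + max) / 6."""
    low, mode, high = estimate
    if not (0 <= low <= mode <= high):
        raise ValueError(f"estimate must satisfy 0 <= min <= most likely <= max: {estimate}")
    return (low + 4 * mode + high) / 6


@dataclass
class RiskScenario:
    """One loss scenario, whether the asset is operated in-house or by a third party."""
    name: str
    third_party: bool
    loss_event_frequency: Pert  # loss events per year
    loss_magnitude: Pert        # dollars lost per event

    def annualized_loss_exposure(self) -> float:
        # FAIR: Risk = Loss Event Frequency x Loss Magnitude. With independent
        # estimates, the mean of the product equals the product of the means.
        return pert_mean(self.loss_event_frequency) * pert_mean(self.loss_magnitude)


def prioritize(scenarios: List[RiskScenario]) -> List[Tuple[str, bool, float]]:
    """Rank every scenario, first- and third-party alike, by expected annual loss, highest first."""
    ranked = sorted(scenarios, key=lambda s: s.annualized_loss_exposure(), reverse=True)
    return [(s.name, s.third_party, round(s.annualized_loss_exposure(), 2)) for s in ranked]


def top_third_parties(scenarios: List[RiskScenario], n: int) -> List[str]:
    """The n third parties that matter most, i.e. the ones to assess first."""
    return [name for name, third_party, _ in prioritize(scenarios) if third_party][:n]


# Constructed, hypothetical figures for illustration only; not data from FAIR-TAM,
# the webinar, or any real vendor.
SAMPLE_SCENARIOS = [
    RiskScenario("payments-clearinghouse", True, (0.05, 0.1, 0.3), (2_000_000, 5_000_000, 20_000_000)),
    RiskScenario("own-customer-portal", False, (0.2, 0.4, 0.8), (300_000, 800_000, 3_000_000)),
    RiskScenario("hr-payroll-provider", True, (0.1, 0.2, 0.5), (200_000, 500_000, 1_500_000)),
    RiskScenario("marketing-email-saas", True, (0.5, 1.0, 2.0), (10_000, 25_000, 60_000)),
]


if __name__ == "__main__":
    for name, third_party, ale in prioritize(SAMPLE_SCENARIOS):
        origin = "third party" if third_party else "first party"
        print(f"{name:<24} {origin:<12} ${ale:>14,.2f}")
```

Run as a script, the table puts the low-frequency, high-magnitude clearinghouse above the in-house portal and well above the noisy but cheap marketing tool, which is the prioritization problem the chart describes: the list of vendors to assess first falls out of the same numbers used for first-party risk.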
It’s research in progress, but the team has examined 100 third-party breaches and found the 10 controls that would significantly reduce third-party risk and should be the priority for initial third-party assessments. More to come soon.
Yes! Arguably, the massive Change Healthcare breach and outage could have been averted with a FAIR-TAM analysis that revealed the risk of this single point of failure in the healthcare payments system - and the inadequate controls at Change.
Ditto for the CrowdStrike software flaw that took down Delta Airlines and so many other organizations – in the spirit of treating third-party as first-party risk, the CrowdStrike victims might have built in their own redundancies.
In summary, out with the old…
As Pankaj concluded:
“We can fix this!”
Learn more:
Forrester’s Alla Valente and Cody Scott presented at the 2024 FAIR Conference. Watch a video of their talk on the State of the Third Party Risk Management Market.
Get involved with TPRM research at the FAIR Institute. For more information and any questions about FAIR-TAM, please contact Pankaj Goyal, Director of Research and Standards, through the Contact Us Form.