The FAIR Institute Blog

Actionable Third-Party Risk Management (TPRM) - Part 1

Written by Denny Wan, Gregory C. Rasner, Andrew Shea | Aug 21, 2025 5:32:03 PM

This article is first of a series aimed at debunking myths and providing FAIR and TPRM professionals with the connections and advice needed to take action on their third-party risk.

Why are we emphasizing "actionable"? Because the statistics in this space require urgent action.

Consider these points:

This article offers actionable strategic and tactical decisions to reduce your third-party risk.


About the authors

We are saddened to relate that co-author Denny Wan, a longtime and passionate member of the FAIR Institute community, recently passed away. Read more about Denny

Co-author Gregory C. Rasner is the author of the recent book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, and co-author Andrew Shea is the founder of the CRFQ advisory firm.


Myths about Risk Quantification and Third-Party Risk

A longstanding myth in the cybersecurity field says there is insufficient data and math for quantifying cyber risk. Most readers of this blog, given its focus, will likely already be familiar with this myth and its proponents. Those proponents still include teams that perform qualitative analysis, categorizing risk as High, Medium, or Low.

An excellent book, How to Measure Anything in Cybersecurity Risk, changed many minds about quantitative risk analysis. Later, programs and processes from groups like the FAIR Institute made this analysis repeatable and manageable. The myth that there's a lack of data or processes for quantification is dispelled for those willing to look and do the math.

Today, decisions are best based on the financial impact and likelihood of risk rather than arbitrary labels like High, Medium, or Low, leading to better outcomes.

For these reasons, we believe that conducting joint risk scenario analyses with key providers is crucial to understand the financial risks of top threats, how controls help manage those risks, and what mitigation activities can be done independently or together to lower risks to desired levels.

The second myth we often encounter is that you cannot take any action to gain control of your third-party risk, an argument most often advanced by our cyber colleagues in other domains besides TPRM.

Organizations (such as the Third Party Risk Association) and resources (such as Cybersecurity & Third-Party Risk: Third-Party Threat Hunting) dispel this myth and provide plenty of ways for risk professionals to act. Simple steps include making an inventory of your third parties, grouping them based on the products and services they offer, taking a risk-based approach, adopting a framework, and ensuring there is a process and program in place to address the risk.

FAIR-TAM: FAIR Analysis for Third-Party Cyber Risk

The third myth is that there is no proven framework for executing cyber risk quantification for both first- and third-party risk. That is not true. The FAIR Institute's Open FAIR model is supported by over 17,000 members, including representation from more than 50% of Fortune 100 companies.

Several years ago, the FAIR Institute sanctioned the development of the FAIR-TAM (Third-Party Risk Assessment) standards body to create an Open FAIR-based standard. The objective of FAIR-TAM has been to utilize cyber risk quantification to help evolve third-party risk management. This work, along with the release of the FAIR Framework for Cyber Risk Management (CRM), introduces a strategic evolution of third-party risk management practices through the integration of the FAIR model, the FAIR-MAM materiality framework, and the Cyber Risk Scenario (CRS) taxonomy.

The FAIR cyber risk scenarios taxonomy, CRFQ, and Reasonable Security have identified eight risk scenario types (grouped using the CIA triad), providing a means to quantify risk consistently. These eight risk scenario types form a foundation for creating joint risk scenarios that can be used with third parties to quantify the likelihood and impact of risk scenarios.

Through this analysis, we gain a clear understanding of the controls that must be implemented to ensure a robust Zero-Trust model that protects both parties. Additionally, the analysis will provide critical ROI—articulated in terms of reduced likelihood and impact—to support the implementation of new controls or the maturation of existing ones.
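The two paragraphs above describe the FAIR arithmetic in words: a scenario's annualized loss exposure is loss event frequency multiplied by loss magnitude, and a control's value is the reduction in that exposure set against what the control costs. The example below is added here to make that concrete; it is not code from the FAIR Institute, FAIR-TAM, or CRFQ. The scenario names, the CIA-triad labels, the min/most-likely/max ranges and the control cost are constructed illustration values, and the triangular distributions are a simplification standing in for the calibrated distributions a real analysis would use.

```python
"""FAIR-style quantification of a joint third-party risk scenario (added example).

Risk (annualized loss exposure, ALE) = loss event frequency (LEF) x loss magnitude (LM).
A 'joint' scenario is assessed twice: as-is, and with a control the two parties
agree to implement, so the reduction can be priced against the control's cost.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    cia: str               # which leg of the CIA triad the scenario threatens
    lef: tuple             # (min, most_likely, max) loss events per year
    lm: tuple              # (min, most_likely, max) loss magnitude per event, USD


def point_estimate_ale(scn: Scenario) -> float:
    """Single-number view: most-likely LEF x most-likely LM."""
    return scn.lef[1] * scn.lm[1]


def simulate_annual_loss(scn: Scenario, trials: int = 20_000, seed: int = 1) -> list:
    """Monte Carlo view: sample LEF and LM independently from triangular
    distributions and multiply. (Simplification: annual loss is treated as
    rate x magnitude rather than summing a Poisson number of events.)"""
    rng = random.Random(seed)               # seeded so results are reproducible
    lo_f, ml_f, hi_f = scn.lef
    lo_m, ml_m, hi_m = scn.lm
    samples = []
    for _ in range(trials):
        freq = rng.triangular(lo_f, hi_f, ml_f)   # random.triangular(low, high, mode)
        mag = rng.triangular(lo_m, hi_m, ml_m)
        samples.append(freq * mag)
    return samples


def summarize(samples: list) -> dict:
    """Mean plus the percentiles decision-makers usually ask for."""
    s = sorted(samples)
    n = len(s)
    return {"mean": mean(s), "p50": s[n // 2], "p90": s[int(0.9 * n)]}


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> tuple:
    """Return (annual risk reduction, ROI) for a control.
    ROI is expressed as (reduction - cost) / cost, so 0.0 means break-even."""
    reduction = ale_before - ale_after
    roi = (reduction - annual_control_cost) / annual_control_cost
    return reduction, roi


# Constructed joint scenario: a vendor-held data store is exposed (confidentiality).
BASELINE = Scenario(
    name="vendor data store exposure (as-is)",
    cia="confidentiality",
    lef=(1.0, 2.0, 4.0),
    lm=(100_000, 500_000, 2_000_000),
)
# Same scenario after the two parties agree on a control (constructed numbers):
# fewer loss events and smaller losses per event.
WITH_CONTROL = Scenario(
    name="vendor data store exposure (with agreed control)",
    cia="confidentiality",
    lef=(0.2, 0.5, 1.0),
    lm=(80_000, 400_000, 1_500_000),
)
CONTROL_COST_PER_YEAR = 100_000  # constructed


def point_estimate_roi() -> tuple:
    """Point-estimate comparison the text calls 'reduced likelihood and impact'."""
    return control_value(point_estimate_ale(BASELINE),
                         point_estimate_ale(WITH_CONTROL),
                         CONTROL_COST_PER_YEAR)


if __name__ == "__main__":
    for scn in (BASELINE, WITH_CONTROL):
        print(scn.name, summarize(simulate_annual_loss(scn)))
    reduction, roi = point_estimate_roi()
    print(f"point-estimate reduction: ${reduction:,.0f}/yr, ROI: {roi:.1f}x")
```

The point estimate is what ends up in a one-line summary for a provider; the simulated p50 and p90 are what you show when the provider pushes back that the worst case is unlikely. Both views use the same scenario definition, which is the practical reason to agree the LEF and LM ranges jointly rather than each party estimating alone.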

In Part 2 of the series, we will cover:

  • Third-Party Threat Hunting
  • Continuous Monitoring and Actionable TPRM
  • Zero Trust as a Strategy