The FAIR Institute Blog

Actionable Third-Party Risk Management (TPRM) - Part 3

Written by Denny Wan, Gregory C. Rasner, Andrew Shea | Sep 8, 2025 5:32:06 PM

This post is Part 3 of 3 in a series on actionable TPRM. 

Read Part 1 and Part 2 in the series

Quantifiable Third-Party Risk 

It’s both exciting and daunting to work in Cyber Risk Quantification and TPRM. Quantifying third-party risk is a crucial step forward for a risk area that has traditionally relied on auditor and qualitative assessments, with risk scenario analysis playing only a minor role. There are many reasons for this, as previously mentioned, but quantification must become a part of the process for evaluating third-party risk.

About the authors

We are saddened to relate that co-author Denny Wan, a longtime and passionate member of the FAIR Institute community, recently passed away. Read more about Denny

Co-author Gregory C. Rasner is author of the recent book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, and co-author Andrew Shea is founder of the CRFQ advisory firm.

One of the least discussed yet most important aspects of implementing cyber risk quantification using the FAIR open standard is that, across all risk scenarios, third parties influence both the likelihood and impact. This fact is not explicitly addressed in the FAIR standard. To address this, the Third Party Risk Work Group was established. 

This group has made significant progress in examining risk scenarios involving third parties, identifying controls that most effectively reduce the likelihood and impact of these scenarios, and determining how to quantify third-party risk. Currently, the primary approach is to analyze the risk scenario for the third party and then use that data to inform the risk scenario for the “first party.” 

To make this exercise meaningful, understanding the business and technical role of the third party is essential. It is also important to understand the financial context of the third party, such as whether it helps generate revenue, is part of a platform that delivers to the customer, or hosts financial applications or data.

Additionally, we need to evaluate controls consistently across both first and third parties using measurable approaches. Jack Jones's exceptional work with FAIR-CAM provides a foundation for assessing control effectiveness across multiple organizations and understanding how well these joint control sets decrease the risk of an event. Estimates can be generated using external empirical data (from your existing continuous monitoring vendor, joint risk analysis/tabletop) and/or calibrated by internal and third-party SMEs. Most TPRM programs evaluate controls using a qualitative method, such as control maturity scores ranging from 1 to 5. This approach is problematic for quantification and requires improvement.

In the words of Jack Jones, “The bottom line is that simply measuring your organization’s cybersecurity program using common control or maturity frameworks doesn’t give meaningful insight into which controls are most or least valuable. When organizations can't reliably understand the value they get from their risk management investments, they can't tell if they are overspending, underspending, or misallocating resources.”

FAIR-CAM is now integrated into several CRQ and TPRM platforms, and we anticipate a significant growth in the number of users. 

Checklist: Get Started with Actionable TPRM 

  • Identify the third parties that have the most significant impact on your revenue. 
  • Start with three to five organizations where you have the strongest engagement, the most contextual understanding, and access to your organization. 
  • Set up a tabletop session to review the risk scenario (for example: an external threat actor gains access to the third party via targeted phishing, conducts reconnaissance for credentials to your organization, finds them, gains access to your environment, then accesses your customer database, encrypts it, and exfiltrates customer data) as well as the controls currently in place to prevent unauthorized access to your network. 
  • Identify and evaluate the controls—both missing and existing—at both organizations that enable zero trust, which will reduce access, privilege escalation, and lateral movement. Use FAIR-CAM to assess the effectiveness of these controls. 
  • Use that data to inform the likelihood analysis of the risk scenario. Incorporate non-existent zero-trust controls to evaluate how their implementation reduces the likelihood and impact of the scenario. 
  • Finally, collaborate with the third-party partnership owner to determine how to leverage the exercise results to modify contract costs, language, and, where appropriate, service level agreements.
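The checklist above, together with the earlier point that control effect should be measured rather than scored 1 to 5, can be turned into a small FAIR-style Monte Carlo of the tabletop scenario: third-party phishing, credential discovery, first-party access, then the customer database. The following is an added example written for this post, not code from the FAIR Institute, FAIR-CAM or the authors. The scenario frequencies, probabilities, loss figures and control effect values are constructed illustrations, and a triangular distribution stands in for the PERT distribution usually used for calibrated estimates.

```python
"""Added example: FAIR-style Monte Carlo of the tabletop scenario, baseline vs.
added zero-trust controls. Every number here is a constructed illustration."""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate (triangular stand-in for PERT)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    third_party_tef: Estimate   # successful targeted phishing events at the third party / year
    p_creds_found: float        # reconnaissance finds credentials to the first party
    p_access: float             # those credentials grant access to the first party
    p_reach_database: float     # lateral movement reaches the customer database
    loss_magnitude: Estimate    # first-party loss (dollars) once the database is hit


@dataclass(frozen=True)
class Control:
    """A control and the fraction by which it reduces one stage's probability.
    This is the kind of effect estimate a FAIR-CAM assessment supplies; the values
    used below are assumptions, not figures from the post."""
    name: str
    stage: str      # "creds_found" | "access" | "reach_database"
    effect: float   # 0.0 = no effect, 0.9 = removes 90% of that stage's probability


# Constructed baseline: what the tabletop might conclude about today's state.
BASELINE = Scenario(
    third_party_tef=Estimate(0.5, 2.0, 4.0),
    p_creds_found=0.5, p_access=0.6, p_reach_database=0.5,
    loss_magnitude=Estimate(500_000, 2_000_000, 8_000_000),
)

# Constructed set of "non-existent" zero-trust controls to evaluate (checklist step 5).
ZERO_TRUST_CONTROLS = [
    Control("credential vaulting at the third party", "creds_found", 0.5),
    Control("phishing-resistant MFA on all third-party-origin access", "access", 0.8),
    Control("segmentation and least privilege around the customer database", "reach_database", 0.7),
]


def apply_controls(scenario: Scenario, controls: list) -> Scenario:
    """Return a new scenario with each control's reduction applied to its stage."""
    probs = {"creds_found": scenario.p_creds_found,
             "access": scenario.p_access,
             "reach_database": scenario.p_reach_database}
    for c in controls:
        if c.stage not in probs:
            raise ValueError(f"unknown stage {c.stage!r}")
        if not 0.0 <= c.effect <= 1.0:
            raise ValueError(f"effect for {c.name} must be in [0, 1]")
        probs[c.stage] *= (1.0 - c.effect)
    return replace(scenario, p_creds_found=probs["creds_found"],
                   p_access=probs["access"], p_reach_database=probs["reach_database"])


def expected_annual_loss(scenario: Scenario) -> float:
    """Closed-form expectation: mean TEF x chain probability x mean loss magnitude."""
    chain = scenario.p_creds_found * scenario.p_access * scenario.p_reach_database
    return scenario.third_party_tef.mean() * chain * scenario.loss_magnitude.mean()


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year given rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo: per simulated year, draw the third-party event count, walk each
    event through the chain into the first party, and sum the resulting loss."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = _poisson(rng, scenario.third_party_tef.sample(rng))
        loss = 0.0
        for _ in range(events):
            if (rng.random() < scenario.p_creds_found
                    and rng.random() < scenario.p_access
                    and rng.random() < scenario.p_reach_database):
                loss += scenario.loss_magnitude.sample(rng)
        annual.append(loss)
    annual.sort()
    return {"mean": statistics.fmean(annual),
            "p90": annual[int(0.9 * years)],
            "p_any_loss": sum(1 for x in annual if x > 0) / years}


def run_comparison(years: int = 10_000) -> dict:
    """Baseline vs. hardened results, the data point for the contract discussion."""
    hardened = apply_controls(BASELINE, ZERO_TRUST_CONTROLS)
    return {"baseline": simulate(BASELINE, years), "with_controls": simulate(hardened, years)}


if __name__ == "__main__":
    for label, result in run_comparison().items():
        print(f"{label:14s} mean=${result['mean']:,.0f}  p90=${result['p90']:,.0f}  "
              f"P(any loss in a year)={result['p_any_loss']:.3f}")
```

Each control reduces one stage of the chain rather than adding to a maturity score, so the output is a loss figure the partnership owner can take into the contract conversation; swapping the constructed estimates for the tabletop's calibrated ones, and the effect values for a FAIR-CAM assessment, is the substance of the work.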

Learn about FAIR-TAM, the FAIR approach to third-party risk assessment.