The Big CrowdStrike Fail: Lessons for Third-Party Cyber Risk Management (TPRM)
Cyber risk is now a whole-of-business risk, not just a technical problem, and as the massive CrowdStrike outage shows us, third-party risk is one of the most insidious cyber risks to business - and society - today.
As CrowdStrike tells the story in its official statement, an update to its Falcon sensor passed numerous tests before deployment, yet went out with a defect that caused eight million Windows machines to crash, taking down airlines, hospitals, 911 call centers, TV broadcasters and more. CrowdStrike and Microsoft had created a single point of failure and made the world a victim of their success, so to speak.
CrowdStrike must have an open door for rapid delivery of updates to “quickly adapt to emerging threats,” the company said in its statement. Yet it also pledged to create a long list of checkpoints in the supply chain: strengthen error handling, stagger deployment, multiple independent third-party code reviews, etc.
At the FAIR Institute, our major focus this year has been on developing a fresh approach to third-party risk management, FAIR-TAM, the FAIR Third-Party Assessment Model, based on FAIR, the standard for assessing cyber risk in the financial terms the business needs to know.
FAIR-TAM makes a critique of TPRM as it is now generally practiced, with outside-in scans of third parties that give only a partial view of the third party’s controls - or questionnaires that are updated once a year.
FAIR-TAM advances a new set of best practices to manage third-party risk, whether malicious or, as in the case of CrowdStrike, non-malicious and delivered by a trusted partner.
Tier your third parties based on a quantified view of the risk they pose to your data, network and revenue streams (especially single points of failure) and target risk management accordingly. CrowdStrike, with network access and revenue dependency, would definitely have shown up as Tier One in this process. Large corporations may do business with thousands of vendors; they must prioritize.
Build a collaborative relationship with supply chain partners. As the CrowdStrike case shows, first and third parties are in this together and must cooperate to succeed in security. That could include a continuous API connection from third to first parties to monitor the status of controls – or an agreement to update the questionnaire for better TPRM (that list of checkpoints from CrowdStrike might be a discussion-starter).
Treat first- and third-party risk management as a continuum. In effect, supply chain partners are part of your attack surface. You need to respond with zero-trust tactics and have a clear picture of which controls face partners and the current status of those controls. See FAIR-CAM, the FAIR Controls Analytics Model.
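To make the tiering step concrete, here is an added example (not the FAIR Institute's own tooling or the FAIR-TAM model itself) that scores a handful of constructed vendors the way the practice above describes: each vendor gets a quantified annualized loss estimate from its loss event frequency and loss magnitude, single points of failure are forced into Tier One regardless of the dollar figure, and the result is a ranked list the TPRM team can act on. It simplifies FAIR by using a PERT point estimate (min + 4*most likely + max)/6 instead of a full distribution or Monte Carlo run, so the numbers are illustrative; the vendor names, access levels, ranges and tier thresholds are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Three-point (min, most likely, max) estimates, as FAIR analysts commonly gather them.
Estimate = Tuple[float, float, float]


@dataclass
class Vendor:
    name: str
    access: str                  # constructed levels: "none", "data", "network"
    single_point_of_failure: bool  # would the business stop if this vendor failed?
    lef: Estimate                # loss event frequency, events per year
    lm: Estimate                 # loss magnitude, dollars per event


def pert_mean(lo: float, ml: float, hi: float) -> float:
    """Point estimate of a PERT-shaped three-point range (a FAIR simplification)."""
    if not lo <= ml <= hi:
        raise ValueError(f"estimate must satisfy min <= most likely <= max, got {(lo, ml, hi)}")
    return (lo + 4 * ml + hi) / 6


def annualized_loss(v: Vendor) -> float:
    """FAIR's top-level relationship: risk = loss event frequency x loss magnitude."""
    return pert_mean(*v.lef) * pert_mean(*v.lm)


def tier(v: Vendor, tier1_threshold: float, tier2_threshold: float) -> int:
    """Assign a TPRM tier; a single point of failure is always Tier One."""
    if v.single_point_of_failure:
        return 1
    ale = annualized_loss(v)
    if ale >= tier1_threshold:
        return 1
    if ale >= tier2_threshold:
        return 2
    return 3


def rank_vendors(vendors: List[Vendor], tier1_threshold: float, tier2_threshold: float):
    """Return (tier, annualized loss, vendor) tuples, highest loss first."""
    scored = [(tier(v, tier1_threshold, tier2_threshold), annualized_loss(v), v) for v in vendors]
    return sorted(scored, key=lambda row: (row[0], -row[1]))


# Constructed sample portfolio; every figure here is made up for illustration.
VENDORS = [
    Vendor("Endpoint agent vendor (hypothetical)", "network", True,
           lef=(0.1, 0.5, 2.0), lm=(1_000_000, 5_000_000, 20_000_000)),
    Vendor("Payroll SaaS (hypothetical)", "data", False,
           lef=(0.05, 0.2, 1.0), lm=(50_000, 250_000, 2_000_000)),
    Vendor("Office catering (hypothetical)", "none", False,
           lef=(0.01, 0.05, 0.2), lm=(1_000, 5_000, 20_000)),
]

# Assumed thresholds: Tier One at $1M/year expected loss, Tier Two at $100K/year.
TIER1_THRESHOLD = 1_000_000
TIER2_THRESHOLD = 100_000


if __name__ == "__main__":
    for t, ale, v in rank_vendors(VENDORS, TIER1_THRESHOLD, TIER2_THRESHOLD):
        spof = " (single point of failure)" if v.single_point_of_failure else ""
        print(f"Tier {t}  ${ale:>14,.0f}/yr  {v.name} [{v.access} access]{spof}")
```

The ordering key puts tier first and expected loss second, so a low-dollar single point of failure still lands at the top of the list, which is the point the post makes about CrowdStrike: revenue dependency and network access matter as much as the loss figure itself.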
“My concern is that we’re on the cusp of a crisis of confidence in this digital infrastructure that we’re all so reliant upon,” Chris Krebs, the former chief of CISA, told The Wall Street Journal. Get out ahead of the trend - rethink your cyber third-party risk management.
Learn more about FAIR for third-party risk management (TPRM)