ESAF Report: CISOs Want “Bold New Approaches” to Third Party Risk Management

RSA Conference’s well-respected community for CISOs, the Executive Security Action Forum (ESAF), recently issued a report, How Top CISOs Are Transforming Third-Party Risk Management, a critique of TPRM that is right in line with the FAIR community’s development of the FAIR Third Party Assessment Model (FAIR-TAM™). (See a chart from the report above.)

In a recent survey, RSA Conference found that 87% of Fortune 1000 companies were affected by a significant cyber incident at a third party in the past 12 months. “Traditional third-party risk management in information security is ineffective,” the report finds, naming “self-assessment questionnaires, cybersecurity rating services, and compliance framework reports like SOC 2…They do not reduce risk, do not provide an accurate measure of security posture, and do not help third parties to improve their security.”

“Motivated by escalating risks, ESAF CISOs are taking bold new approaches,” focused on managing risk rather than on compliance.

Our New Approach: the FAIR Third Party Assessment Model (FAIR-TAM™)

FAIR community members have collaborated to re-think TPRM, creating a new use case that leverages the proven value of FAIR and related standards. Three key features are:

1.  Risk-based prioritization

Tier your supply chain partners based on a FAIR assessment of your loss exposure from each third party. That exposure can be analyzed using the FAIR Materiality Assessment Model (FAIR-MAM).

2.  Comprehensive, continuous monitoring

Use inside-out telemetry from first and third parties as they access your network, reporting on a continuous basis through automation. Gauge the breach likelihood for these actors with the FAIR Controls Analytics Model (FAIR-CAM).

3.  Actionable Mitigations

Prioritize the risk mitigations you ask of third parties by their effectiveness in reducing risk, as measured with FAIR-CAM.

Also, apply Zero Trust principles to TPRM to prioritize your own first-party risk mitigations, assuming that third parties will be breached.
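The following is an added example, not code from the ESAF report or from the FAIR Institute’s own models, showing how features 1 and 3 above can be worked through in code. It is a generic FAIR-style Monte Carlo: each third party gets a calibrated min / most-likely / max estimate for loss event frequency (LEF) and loss magnitude (LM), annual loss is simulated, the 90th-percentile loss drives the tier, and a hypothetical control is valued by the expected annual loss it removes. The vendor names, estimates, tier thresholds and the assumption that the control halves LEF are all constructed for illustration; nothing here implements FAIR-MAM or FAIR-CAM themselves.

```python
"""Tier third parties by simulated loss exposure, then rank a mitigation by
the expected annual loss it removes.  Generic FAIR-style Monte Carlo with
constructed inputs; not FAIR-TAM, FAIR-MAM or FAIR-CAM code."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, the usual FAIR input form."""
    lo: float
    ml: float
    hi: float


def sample_pert(est, rng, lam=4.0):
    """Draw from a modified-PERT (Beta-shaped) distribution over the range."""
    if est.hi <= est.lo:
        return est.lo
    width = est.hi - est.lo
    a = 1.0 + lam * (est.ml - est.lo) / width
    b = 1.0 + lam * (est.hi - est.ml) / width
    return est.lo + rng.betavariate(a, b) * width


def sample_poisson(mean, rng):
    """Number of loss events in one year for an expected frequency (Knuth)."""
    if mean <= 0:
        return 0
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


@dataclass(frozen=True)
class ThirdParty:
    name: str
    lef: Estimate   # loss event frequency, loss events per year
    lm: Estimate    # loss magnitude, USD per loss event


def simulate_annual_loss(tp, rng, years=5000, lef_factor=1.0):
    """Per simulated year: sample LEF (scaled by lef_factor for a hypothetical
    control), draw the event count, and sum a sampled magnitude per event."""
    yearly = []
    for _ in range(years):
        freq = sample_pert(tp.lef, rng) * lef_factor
        events = sample_poisson(freq, rng)
        yearly.append(sum(sample_pert(tp.lm, rng) for _ in range(events)))
    return yearly


def percentile(values, pct):
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100.0 * (len(ordered) - 1))))
    return ordered[idx]


def tier(p90_loss, thresholds=(5_000_000, 500_000)):
    """Assumed tiering policy: tier 1 at or above 5M USD p90 annual loss,
    tier 2 at or above 500k USD, tier 3 otherwise."""
    if p90_loss >= thresholds[0]:
        return 1
    if p90_loss >= thresholds[1]:
        return 2
    return 3


def assess(parties, seed=7):
    """Return {name: (mean annual loss, p90 annual loss, tier)}."""
    rng = random.Random(seed)
    out = {}
    for tp in parties:
        losses = simulate_annual_loss(tp, rng)
        p90 = percentile(losses, 90)
        out[tp.name] = (sum(losses) / len(losses), p90, tier(p90))
    return out


def mitigation_value(tp, lef_factor, seed=7):
    """Expected annual loss removed by a control that multiplies LEF by
    lef_factor (0.5 = assumed to halve event frequency). Same seed for both
    runs so the comparison is paired rather than noise-dominated."""
    base = simulate_annual_loss(tp, random.Random(seed))
    after = simulate_annual_loss(tp, random.Random(seed), lef_factor=lef_factor)
    return sum(base) / len(base) - sum(after) / len(after)


# Constructed sample portfolio: hypothetical vendors and estimates.
PARTIES = [
    ThirdParty("payroll-saas", Estimate(0.2, 0.5, 1.5), Estimate(2e6, 8e6, 30e6)),
    ThirdParty("msp-remote-access", Estimate(0.3, 0.6, 1.0), Estimate(200e3, 800e3, 2e6)),
    ThirdParty("office-plants", Estimate(0.05, 0.1, 0.5), Estimate(1e3, 5e3, 20e3)),
]

if __name__ == "__main__":
    for name, (mean_loss, p90, t) in assess(PARTIES).items():
        print(f"{name:20s} mean ${mean_loss:>12,.0f}  p90 ${p90:>12,.0f}  tier {t}")
    for tp in PARTIES:
        print(f"{tp.name:20s} halving LEF removes ${mitigation_value(tp, 0.5):,.0f}/yr")
```

The point the run makes is that tiering falls out of loss exposure rather than a rating score or questionnaire: the low-magnitude vendor lands in the bottom tier however poor its hygiene, and the same control (here, one assumed to halve LEF) is worth far more on the tier 1 vendor than on the tier 3 one, which is the ranking that feature 3 asks for.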

How to Use FAIR-TAM to Meet the ESAF CISOs’ Goals for Third Party Risk Management

The ESAF recommendations include:

>>“Give third parties a set of top-priority security requirements…looking at what controls have yielded the most risk reduction for the company’s own security program.” With the FAIR Controls Analytics Model (FAIR-CAM™), organizations get definitive, quantitative answers on the effectiveness of their controls for risk reduction.

>>“Verify the security controls for priority requirements…Rather than relying on third parties’ self-assessments, especially for critical suppliers, companies are asking for evidence of security controls.” Here again, organizations can use FAIR-CAM to inventory and assess the value of controls.

>>“Reduce the impact of third-party incidents…minimize business disruption if a supplier is inoperative due to an attack.” FAIR-TAM’s guidance on tiering third parties applies here.

>>“Add incentives and enforcements to contracts…Changes to contracts include setting targets for security improvements or the implementation of specific controls.” With FAIR-CAM, first parties can set quantitative targets for third parties.

>>“Establish processes to increase business leaders’ role in managing third-party cyber risks…With this approach, Security provides detailed information on cyber risks to business leaders who are then accountable for properly weighing the risks in forming relationships with third parties.” FAIR is the recognized standard for security teams to report to business management in the financial terms that management requires for proper decision-making.

>>“Provide advanced security services to third parties.” FAIR-TAM advocates for increased information sharing among first and third parties via telemetry and APIs.

Learn more about FAIR-TAM and improving third party risk management at your organization in these blog posts:

The Journey to Third Party Risk Management Maturity

Let’s Kill TPRM

Join us at the FAIR Institute as we develop FAIR-TAM through our Supply Chain Risk Workgroup – we welcome your participation in this important effort. Join the FAIR Institute.
