Let’s be honest - the way third-party risk is perceived and managed hasn’t changed in more than a decade. Third-party cyber risk management (TPRM) is manual, questionnaire-based, and ultimately a check-the-box compliance effort! And this even as the attack surface and cybersecurity risks continuously evolve and expand.
Despite having a fleet of tools at their disposal, CISOs and TPRM practitioners are unable to answer the basic questions: “What is the most critical third-party risk, and how efficient is your program in managing that risk?”
Authors:
Pankaj Goyal is Research Director for the FAIR Institute.
Vince Dasta is Senior Partner - Risk Strategy at Safe Security, and technical adviser to the FAIR Institute.
Ask any CISO, "Do you truly understand your cyber third-party risk, vendor risk or supply chain risk?" Most will answer no. They lack visibility – and confidence.
Ask any TPRM practitioner, "How is your program working?" You will hear “exhausting,” “no one cares,” “I am just a process guy,” and “I am just chasing everyone else” as responses.
How have we reached this point? An industry that started 10 years ago has not changed a bit.
We are relying on:
- outside-in scans and old technology that produce more noise than signal, and
- static, manual, point-in-time questionnaires to assess a highly dynamic environment.
How can we solve it?
First Principles thinking - that's what Third Party Risk programs are missing. Let’s take TPRM back to the drawing board.
5 Top Tactics to Reimagine TPRM
1. Tier your third parties based on a scientific, risk-driven method instead of arbitrary numbers. You can't focus on 5,000 third parties, but you can focus on 50. How can you do that? Understand your data, network, and revenue exposure to each third party, and quantify it.
2. Treat third parties as your attack surface. Apply Zero Trust principles to TPRM. How are you managing data access, network access, and revenue dependency on your third parties? In a bad neighborhood, you protect your house first, and then try to fix the neighborhood.
3. Get inside-out, real-time telemetry from the environments of your most critical vendors. You can do it in a non-intrusive way. This real-time telemetry will help you truly understand the risk posture of your third parties across different risk scenarios. Outside-in scans are insufficient.
4. Run Active Risk Management - not Passive Risk Management. Fix your native controls first, then work with your vendors to mutually improve controls.
5. Automate, automate, automate. There are many ways to reduce redundant and manual work in the TPRM process. Start by applying LLMs to automate questionnaires.
Re-think TPRM, or just kill it. It is not working today.
The FAIR Institute is developing a solution to the puzzle of third-party cyber risk management with an extension to the FAIR model: the FAIR Third Party Assessment Model (FAIR-TAM).
FAIR-TAM combines the FAIR Model plus FAIR-CAM to gauge likelihood of breach attributable to a third party and FAIR-MAM to assess the first-party impact to your organization by a third party based on access to servers, data, or revenue. Learn more in this blog post: The 3rd Party Risk Crisis – A FAIR Solution.
Join us at the FAIR Institute as we develop FAIR-TAM through our Supply Chain Risk Workgroup – we welcome your participation in this important effort. Join the FAIR Institute!