Making OT Third-Party Risk Measurable: A FAIR-Driven Approach


Alexander Antukh (left) and Gaston Pumar

At the 2025 FAIR Conference, Alexander Antukh, CISO, and Gaston Pumar, Global Head of Security Governance at AboitizPower, offered a pragmatic—and very pointed—reframing of third-party risk management (TPRM).

Grounded in FAIR quantitative principles and confronting the realities of operational technology (OT), their message was clear: most TPRM programs are not solving the problem they were designed to address.

Watch the FAIRCON25 Session on Video

Critical Equation: TPRM + OT

Instead, Alex and Gaston proposed a shift from vendor-centric thinking to enterprise impact, from performative compliance to measurable outcomes, and from prevention to resilience.

Key insights:

Vendor Risk Is Not Enterprise Risk

One of the most pointed observations in the session challenged a core assumption in TPRM: that assessing vendor security posture is the same as managing enterprise risk.

The speakers introduced the concept of “bridge probability”—the likelihood that a compromise of a vendor actually propagates into your environment. This reframes the problem entirely. Risk is no longer just about how secure a vendor is, but about how that vendor connects to you, what access they have, and how failure travels across that boundary.

As Gaston said, “I don’t want to be cynical, but I don’t care about the vendors. I care about what happens within our defenses.”

The priority shifts from vendor scorecards to architecture—segmentation, access pathways, and trust relationships. In other words, the control plane you own matters more than the posture you observe.

In OT, Start with Consequences—Not Likelihood

The second major theme reflects the realities of OT and critical infrastructure environments. Here, the most damaging events are often low probability but high consequence—a dynamic that breaks traditional risk thinking.

Rather than asking, “How likely is this?” the approach becomes:

  • Assume compromise will happen
  • Identify worst-case outcomes
  • Engineer systems to limit impact

“We always assume that the adversary will penetrate the network, regardless of the likelihood,” Alex said. “We start with the consequences and work backwards.”

This is a shift toward consequence-driven, cyber-informed engineering, where resilience—not just prevention—is the goal. It also expands the control set beyond cybersecurity into physical and engineering safeguards, such as fail-safes, shutdown mechanisms, and operational redundancies.

For CISOs, this requires a broader lens:

  • Design for failure, not just defense
  • Invest in detection, containment, and recovery
  • Partner more closely with engineering and operations teams

Quantification Changes the Conversation

A third key insight of the discussion focused on the practical value of FAIR-based quantification. Moving from qualitative ratings to financial exposure unlocks decisions that are otherwise difficult—or impossible—to make.

With quantified risk, organizations can:

  • Tie vendor relationships to measurable financial impact
  • Negotiate liability clauses based on exposure
  • Evaluate tradeoffs, such as hiring staff vs. investing in segmentation
  • Communicate clearly with boards and executives

In this model, TPRM becomes less about compliance tracking and more about economic decision-making—where risk is something to optimize, not just document.
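As an added worked example (not from the session, and not AboitizPower's own model or data), the Python below ties the two ideas together: the speakers' "bridge probability" scales a vendor's own compromise rate into a loss event frequency for the enterprise, and a quantified annualized exposure lets a segmentation investment be compared in money terms. Every frequency, probability, loss range and control cost is a constructed placeholder; the Poisson event model and triangular loss distribution are simplifications of the FAIR approach, not the FAIR standard itself.

```python
"""Added example: FAIR-style third-party exposure with a "bridge probability".

All numbers are constructed for illustration, not AboitizPower's data.
Event counts follow a Poisson process; loss per event is triangular
(a simplification of the PERT-style ranges FAIR analyses usually use).
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorScenario:
    name: str
    vendor_compromises_per_year: float  # how often the vendor itself is breached
    bridge_probability: float           # P(a vendor compromise reaches our OT environment)
    loss_min: float                     # loss per event, USD: min / most likely / max
    loss_mode: float
    loss_max: float


def loss_event_frequency(s: VendorScenario) -> float:
    """Enterprise loss events per year: vendor breach rate scaled by bridge probability."""
    return s.vendor_compromises_per_year * s.bridge_probability


def mean_loss_magnitude(s: VendorScenario) -> float:
    """Mean of a triangular(min, mode, max) distribution."""
    return (s.loss_min + s.loss_mode + s.loss_max) / 3


def annualized_loss_exposure(s: VendorScenario) -> float:
    """Expected annual loss = loss event frequency x mean loss per event."""
    return loss_event_frequency(s) * mean_loss_magnitude(s)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson-distributed event count with mean lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s: VendorScenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years: mean, tail percentiles and share of loss-free years."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = _poisson(rng, loss_event_frequency(s))
        totals.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
                          for _ in range(events)))
    totals.sort()
    return {
        "mean": statistics.fmean(totals),
        "p90": totals[int(0.90 * years)],
        "p99": totals[int(0.99 * years)],
        "share_of_quiet_years": sum(1 for t in totals if t == 0) / years,
    }


def compare_controls(baseline: VendorScenario, alternative: VendorScenario,
                     annual_control_cost: float) -> dict:
    """Exposure before and after a control, net of what the control costs per year."""
    before = annualized_loss_exposure(baseline)
    after = annualized_loss_exposure(alternative)
    return {"ale_before": before, "ale_after": after,
            "net_benefit": before - after - annual_control_cost}


# Constructed scenario: a remote-maintenance vendor with flat network access versus
# the same vendor behind segmentation and brokered access (lower bridge probability).
# The vendor's own breach rate and the loss ranges are identical in both cases.
FLAT_ACCESS = VendorScenario("flat access", 0.5, 0.40, 1_000_000, 5_000_000, 40_000_000)
SEGMENTED = VendorScenario("segmented", 0.5, 0.05, 1_000_000, 5_000_000, 40_000_000)
SEGMENTATION_COST = 400_000  # constructed annual cost of the segmentation option

if __name__ == "__main__":
    for scenario in (FLAT_ACCESS, SEGMENTED):
        print(scenario.name, f"ALE={annualized_loss_exposure(scenario):,.0f}",
              {k: round(v) for k, v in simulate(scenario).items()})
    print("segmentation decision:", compare_controls(FLAT_ACCESS, SEGMENTED, SEGMENTATION_COST))
```

Two things the numbers show that the prose only states. First, the vendor's security posture is unchanged between the two rows; only the bridge probability moves, yet the expected annual exposure drops by roughly 2.7 million in this constructed case, which is what makes the 400 thousand control cost an easy decision to defend. Second, the percentile output illustrates the low-probability, high-consequence shape the OT section describes: in the segmented case the 90th-percentile year is a zero-loss year while the 99th-percentile year still carries a seven-figure loss, so an average alone understates what the organization must be engineered to survive.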

A More Realistic Operating Model

The session closed with a simple but grounded principle:

“Vendors will fail, so let’s plan for that. Let’s make them fail gracefully,” Gaston said.

That idea captures the broader shift. Dependency is unavoidable. The goal is not to eliminate risk, but to control how it manifests and how much it costs.

For CISOs, the path forward looks different from traditional TPRM:

  • Accept dependency rather than overestimating control
  • Engineer resilience into systems and architectures
  • Focus on what you control, not just what you assess
  • Quantify risk to drive better decisions

In a landscape shaped by interconnected systems, supply chain complexity, and OT realities, this approach moves TPRM closer to what it was always meant to be: a discipline for managing real business risk—not just evaluating vendors.

Measure and manage third-party risk with FAIR-TAM
