Meet a FAIRCON21 Speaker: Josh Malnourie, Blue Cross Blue Shield North Dakota, on FAIR for Third Party Risk Assessment

As the SolarWinds incident earlier this year reminded us, we’re only as secure as our vendors. But finding a window into third-party risk is notoriously difficult. Josh Malnourie, Information Security Advisor at Blue Cross Blue Shield of North Dakota (BCBSND), has been working the problem with FAIR™ techniques for several years, and will share a third-party risk management success story at FAIRCON21:

“Case Study – Just Quantify It: Make Better Business Decisions for Third-Party Risk Management” 2:30-3:00 PM, Tuesday, October 19, with co-presenter Bob Maley, Chief Security Officer at Black Kite.

Josh calls himself “a recovering IT change manager” with seven years’ experience in IT and another seven in security, including application development, risk management and, most recently, quantitative third-party risk analysis.

Learn more and register for the 2021 FAIR Conference. Tickets are free until Oct. 1 for FAIR Institute members!

What’s been your experience with FAIR and third-party risk? 

We got introduced to FAIR around 2017. We took a little different path than some other folks and started off attempting to quantify the risk associated with third parties. 

When a lot of your data starts going elsewhere, you start doing a lot more reviews. We ended up doing on-sites, and you can only do so many of those a year. You’ve got to find a better way to do things.  

That was our introduction to FAIR and we’ve been working on quantified third-party risk assessments since then. We now have matured to the point where we are starting to be able to have some financial thresholds around what we will accept and not accept. 

What’s one key point you would like us to take away from your FAIR Conference session?

That virtually all organizations can quantify third-party risk at scale. That’s what we’ve learned going through this process. 

What are the challenges to overcome?  Isn’t data the problem? 

As security professionals, we are used to, “Give me all the data and I want to follow up on a lot of those pieces.” When it comes to using statistical methods with many third parties, you step back a little bit and say, “I can’t investigate 100 or 200 third parties; it’s not scalable.” 

Knowing where to focus your attention when you’re doing a third-party FAIR assessment is a key skill, knowing when to not get into the forest.

For us, it’s about getting large amounts of data about the third party using some of the tools that are out there today. Not all of it is 100%, but you can start looking for patterns in that data and getting an understanding of how secure they look and how we should approach our program. 

What’s your view on the state of cyber risk management? How are we doing? 

I think we have a tough job, but I also try to remind myself that, I suspect, we are in a similar spot to the insurance industry back when they were trying to figure out how to make these good guesses. It took a lot of time - and we haven’t been doing this very long, so we have to keep that in mind and realize now that using techniques like FAIR, based on empirical data, is really important. I think we are making progress, so I am hopeful because of that. But I still do think we have a lot of work ahead of us. 

