First- and Third-Party Risk Management: It’s Time to Unite
It has become very apparent that there is a current challenge in the cyber risk management industry: namely, that first-party and third-party risk are siloed and often approached fundamentally differently.
Chad Weinman is a veteran FAIR practitioner and VP, Risk Strategy & Success, for Safe Security
Let’s look at a recent observation (anonymized to protect the innocent). I was speaking with a CISO who explained that they wanted to understand and effectively communicate the cyber risk associated with online banking. This CISO noted that the first-party risk team used FAIR to clearly define, measure, and communicate risk using Likelihood, Impact, and Annualized Loss Exposure in quantitative values.
However, the next week the third-party risk team stopped by to share that nearly a dozen third parties also support online banking. The risks they presented were defined, measured, and communicated completely differently (instead of Likelihood and Impact, the third party's risk was expressed as a qualitative score).
Let’s pause and look at this situation as a security leader over a line of business (online banking).
While I will not shy away from my long standing belief that FAIR is an accurate, useful, and valuable risk model, we should just step back and recognize the challenge. Third-party risk is an increasingly significant and important component of understanding overall cyber risk. But why would we want to look at it as a special snowflake?
Let’s consider some first principles:
Many of the key risk scenarios exist for both.
Third parties simply represent an additional attack surface. Malicious actors may target them to achieve the same outcomes they do for first-party (access to confidential data, to disrupt the organization’s operations, etc.).
Risk should have a consistent definition and terminology.
Why wouldn’t we want to assess and understand the likelihood of a third-party breach and/or the impact (to our organization) of a cyber event originating at the third party?
We should also consider the core differences:
We have less visibility into third parties, especially on the Likelihood side of the FAIR model.
While this may be true, we should look to FAIR and its associated measurement concepts—it just means we need to account for the increased uncertainty.
While there may be other considerations, I have yet to find someone who can argue for a completely different definition and measurement of risk.
What should we aim to do going forward?
I would love to hear the community's suggestions on the FAIR Institute LinkedIn Page. For me, it starts with raising awareness—helping raise awareness that cyber risk is business risk and that FAIR is a proven, intuitive, and practical model that can be applied in both contexts.
So, with that, let’s look to unite our cyber risk programs to benefit our risk management stakeholders!
The FAIR Institute Works to Bring FAIR Principles to TPRM
The FAIR Institute’s Supply Chain Risk Workgroup is developing a solution to the challenge of third-party risk management (TPRM) with an extension to the FAIR model: FAIR-TAM, a third-party risk assessment model with a FAIR perspective. Foundational concepts include:
>>Risk-based prioritization among third-party or supply chain partners
>>New tools and techniques to replace questionnaires or outside-in scanning and scoring with continuous monitoring
>>Actionable mitigations, including zero-trust approaches and cooperative relationships with partners
Learn more in these FAIR Institute blog posts on third-party risk management.
Attend the 2024 FAIR Conference, Oct 1 and 2 in Washington, DC, for multiple sessions on applying FAIR techniques to your third party risk.