Audit Meeting - Applying FAIR Methodology to Third-Party Risk Management

Measure and Manage Third Party Risk with FAIR-TAM™

Measure the Materiality of Cyber Events

A 2023 RSA Conference survey of Fortune 1000 CISOs found that 87% of the companies had been affected by a significant cyber incident at a third party in the previous 12 months. Whether you call it third party risk, vendor risk or supply chain risk, it is the major blind spot of cybersecurity defense.

The solutions for third party risk management (TPRM) badly need a rethink. Vendors mainly offer one or both of:

  • Questionnaires for the third party to answer – quickly out of date even if accurately filled out
  • Outside-in scans of controls that are more noise than signal

These solutions can’t identify the riskiest vendors and don’t give quantitative insight into how to prioritize mitigations for a return on investment. They are also manual processes that can’t be automated or scaled to respond to changing threats.

With an unreliable toolkit, CISOs fall back on compliance with frameworks: lists of recommended controls disconnected from measurable risk reduction. Or they prioritize among vendors based on the size of the contract, not the size of the loss exposure.

What is the FAIR Third Party Assessment Model (FAIR-TAM™)?

The FAIR Institute (through our Supply Chain Risk Workgroup) is developing a solution to the challenge of third-party risk as an extension to the FAIR model: FAIR-TAM, a third-party risk assessment model. Its foundational concepts include:

1. Risk-based prioritization
Run a FAIR assessment of the risk the vendor poses to your organization as a first party. That risk can be analyzed with the FAIR Materiality Assessment Model (FAIR-MAM) based on the vendor's data access, server access or revenue access. Tier your supply chain partners accordingly.

2. Comprehensive, continuous monitoring
Instead of questionnaires or outside-in scans, use inside-out telemetry from first and third parties as they access your network, reporting on a continuous basis through automation. With the FAIR Controls Analytics Model (FAIR-CAM), you can gauge the breach likelihood for these actors.

3. Actionable Mitigations
Treat third parties as part of your attack surface and apply Zero Trust principles to TPRM. How are you managing data access, network access and revenue dependency for your third parties? The goal to work toward is not an adversarial relationship with your third parties but active collaboration, open dialogue and data sharing for the benefit of all parties.

Learn More

Blog Post: Let’s Kill TPRM

FAIR Conference Video: How to Re-think Third-Party Risk with FAIR-TAM™

For more information and any questions, please contact Pankaj Goyal, Director of Research and Standards, through the Contact Us form.