The Bento Box Approach to Managing Third Parties: Categorization, Tiering, and Automation


According to a recent study, companies share confidential and sensitive information with an average of 538 third parties. The number of third parties that organizations work with is increasing. Also increasing is the need to quickly understand who a third party is and how you should look at them from a security risk perspective.

The definition of cognitive economy is “the tendency for cognitive processes to minimize processing effort.” We can capitalize on this by organizing information into knowledge in a way that requires minimal cognitive effort. That’s the goal when managing risk for a large and growing number of third parties—increase your understanding of them with minimal effort. To adopt a cognitive economy method for managing third-party risk, it makes sense to define a grouping approach, a way to categorize the organization in terms of who they are, what they are doing, and why your third-party risk management (TPRM) program should spend more or less time assessing them.

The Bento Box Approach

Regardless of the processes or technologies your TPRM program uses, a defined categorization system with a rules-based approach to tiering adds considerable value. To be clear, this doesn’t replace an assessment of your TPRM program; this is a way to enhance your current processes. Start by categorizing third parties (e.g., “Professional Services” and “Consulting”), identify their function (e.g., “Processing Sensitive Data”), and place them in a tiering system (e.g., “Tier 1,” “Tier 2,” “Tier 3”). The category describes who the third party is, the function describes what they will be doing, and the tier explains why you should be concerned with them. This process should be automated in some manner and should be updated and leveraged throughout the third-party lifecycle (Pre-Contract, During Contract, and Post-Contract).

Below are four areas to consider when organizing and categorizing your third parties.

1. Categorization: Tuna, Shrimp, Salmon, Eel, Yellow Tail
2. Defining Function: Nigiri, Sashimi, Maki, Uramaki, Temaki
3. Tiering: Will Order - Always, Sometimes, Never
4. Automation: Never Needing to Order at Your Favorite Sushi Place

1. Categorization: Tuna, Shrimp, Salmon, Eel, Yellow Tail

How does your organization currently categorize third parties, and is it done in a meaningful way? Categorization describes who the organization is, meaning what type of company it is. You might also want to break it into subcategories (e.g., software and SaaS, professional services and consulting, etc.). This might seem like a trivial task, but it provides an initial profile and context to build upon with additional data collected throughout the lifecycle of the third party. Other benefits of categorization include clearer recognition and communication among TPRM stakeholders, alignment with an appropriate baseline set of automation rules, and more meaningful reporting by category grouping.

2. Defining Function: Nigiri, Sashimi, Maki, Uramaki, Temaki

Are you able to review a minimal set of descriptors to quickly understand the value or service a particular third party provides to your organization? The category defines who the organization is, while the function provides the “what are they doing” data point. Drawing on cognitive economy theory, by establishing a predefined list of functions (e.g., “processing sensitive data” or “providing critical services”) and associating them with a third party, you add another piece of relevant metadata to the third-party profile. Defining functions adds value by providing immediate understanding of a third party’s task areas, supporting automated tier processing, and allowing more in-depth analysis.

3. Tiering: Will Order - Always, Sometimes, Never

How are you currently tiering (segmenting) your third parties when determining the type of assessment to perform, assessment frequency, and required artifacts? Tiering should be based on risk to the organization but should also incorporate other factors, including function. Typically, a risk rating encompasses the assessment results along with the third party’s access to data, access to systems or networks, and criticality of the service or product being provided. These areas encompass the functions defined and associated with the third party. With minimal data, you can start tiering third parties and when additional information is gathered, perhaps through assessments, the third party can then be re-tiered as appropriate. Defining tiers adds value by identifying the assessment approach and providing action items to perform.

4. Automation: Never Needing to Order at Your Favorite Sushi Place

Does your current TPRM process support the tiering of third parties that have not been assessed yet? Are you updating the tier rating of third parties throughout their lifecycle with your organization? This is the benefit of defining your categories, functions, and tiers: having a pre-set list of rules supports the tiering of your third parties. Rules to support automation should be put in place for each phase of the vendor lifecycle. There is always some data before a third party is onboarded to assist in tiering, and even more data points after they have been onboarded and have been performing services. Third-party tiering should be constantly updated with observational data and automated with rules wherever feasible.
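One way to implement the rules-based tiering described in sections 3 and 4, as an added Python example that is not part of the original post: the function names follow the post's own examples, while the tier-to-assessment mapping, review frequencies, and the per-phase adjustment rules are constructed assumptions a program would replace with its own criteria.

```python
from dataclasses import dataclass, field

# Constructed rule set: each function implies a minimum tier (1 = most scrutiny, 3 = least).
FUNCTION_TIERS = {
    "processing sensitive data": 1,
    "providing critical services": 1,
    "access to systems or networks": 2,
    "access to internal data": 2,
}
# Constructed assumption: what each tier requires (assessment type, months between reviews).
TIER_ACTIONS = {
    1: ("full assessment", 12),
    2: ("questionnaire", 24),
    3: ("self-attestation", 36),
}

@dataclass
class ThirdParty:
    name: str
    category: str                       # who they are, e.g. "Software and SaaS"
    functions: set = field(default_factory=set)   # what they do for you
    phase: str = "pre-contract"         # pre-contract, during-contract, post-contract
    open_high_findings: int = 0         # observational data gathered after onboarding

def assign_tier(tp: ThirdParty) -> int:
    """Most restrictive tier implied by any associated function; 3 if none match."""
    tier = min((FUNCTION_TIERS.get(f, 3) for f in tp.functions), default=3)
    # During-contract rule (assumption): open high findings raise scrutiny by one tier.
    if tp.phase == "during-contract" and tp.open_high_findings > 0:
        tier = max(1, tier - 1)
    # Post-contract rule (assumption): only former holders of sensitive data stay Tier 1
    # until data return/destruction is evidenced; everyone else drops to Tier 3.
    if tp.phase == "post-contract":
        tier = 1 if "processing sensitive data" in tp.functions else 3
    return tier

def plan(tp: ThirdParty) -> dict:
    """Turn a tier into the action items the post describes: assessment type and cadence."""
    tier = assign_tier(tp)
    assessment, months = TIER_ACTIONS[tier]
    return {"name": tp.name, "tier": tier, "assessment": assessment, "months": months}

def retier(tp: ThirdParty, **updates) -> dict:
    """Re-tier when new data arrives (assessment results, a new function, a phase change)."""
    for attr, value in updates.items():
        setattr(tp, attr, value)
    return plan(tp)

if __name__ == "__main__":
    vendor = ThirdParty("Example Analytics Co", "Software and SaaS", {"access to internal data"})
    print(plan(vendor))                       # Tier 2 before any assessment
    print(retier(vendor, phase="during-contract", open_high_findings=2))  # raised to Tier 1
```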

Assessing Your Categorization Needs

The challenge is in knowing how to better organize and automate an ever-expanding list of third parties needed to conduct business while minimally impacting your current TPRM processes. The following are a few exercises to help you assess if the approach above will add value to you, your team, and your organization. If the answer to any of the questions is “no,” there could be value in reviewing your TPRM program’s approach to categorization.

  • Look at a list of third parties your organization works with along with a subset of the metadata that is currently available, then find 10 vendor names with which you are not familiar. Are you able to quickly understand who that organization is and the value or service they are providing to your organization?
  • Ask the appropriate member of the TPRM program how many third parties are planned to be re-assessed this year, grouped by quarter and assessment type. Are they able to efficiently provide the information within a short period of time?
  • Request the criteria used for determining if, how, and when a third party will be assessed. Do the requirements provided have the ability to be automated? Follow up with the question of how often third-party data is evaluated against the provided criteria. Is it more than once a year?

About the Author


Matthew Karnas is the Cybersecurity & Risk Practice Lead at Sila. He has 18 years of experience providing professional services to Fortune 500 companies and government agencies across multiple verticals. He brings a unique mix of both technical and functional experience advising on information technology, cybersecurity, and risk management practices and approaches to drive client successes.