What if we security professionals have been doing third-party risk management (TPRM) wrong? Many security teams are spending more time and resources on assessing third-party risk than on actually managing it.
TPRM might be a regulatory requirement within your industry or you might be leveraging it as a security best practice. Either way, TPRM is a critical component of any security program. The goal of a TPRM program is to reduce risk to an organization; while many programs are actively assessing risk, many are also only passively managing it. It’s true that to manage risk you must first identify and evaluate it, but perhaps we need to adjust that balance. Let’s consider the value of putting more emphasis on identifying risk trends across third-party types, designing and implementing controls, and continually improving the controls as needed.
Assessing vs. Managing
Review the four areas below to better understand if your organization has the right balance of assessing versus managing risk:
- Understanding the Value of Assessments
- Death by a Thousand Risks
- Appropriately Sharing Risk with the Business
- Measuring Twice but Never Cutting
1. Understanding the Value of Assessments
In terms of securing the organization, where do you see the value of your TPRM program compared to other security initiatives? There are a range of opinions, but everyone can agree that current TPRM processes and questionnaires do not accurately predict security issues and provide minimal value in reducing the probability of a security issue occurring. Assessments give a point-in-time snapshot of an organization’s current security practices and have limitations. Just read the news: many well-respected organizations that pass audits still suffer breaches and security incidents.
2. Death by a Thousand Risks
Within your current TPRM program are you able to easily report on and review risk trends across specific groupings of third parties and risks? A large number of similar, low-level risks occurring across multiple third parties could translate into a high-risk concern for an organization. A repeatable set of controls should be leveraged for similar third parties that supports the correlation of similar risks and trend identification. While assessing the individual risks of a given third party can add value, there is likely greater value in focusing on setting up and maintaining controls on trend basis by categorizing and grouping third parties.
3. Appropriately Sharing Risk with the Business
Specific security asks are often made of the business, as well as third parties, to assist in reducing risk. In some cases, the business is asked to accept risks, possibly requiring executive sign off, especially if the risk is perceived to be above a certain level. Business accountability is certainly needed, but how does that effectively advance the security of the organization? Security teams can do more, including exploring the concept of shared responsibility with the business: while the business owns the risk itself, security owns the responsibility to reduce that risk through measurable means.
4. Measuring Twice but Never Cutting
Have you ever heard the old carpenters’ saying, “measure twice and cut once”? Sometimes with TPRM, it feels that measurement of risk is the sole purpose and actually doing something about the risk happens infrequently. Analysis is important and should be continued to gather more information and assist in refining your confidence level and making decisions (Bayes’ Theory). Where appropriate, threat modeling third-party risk can assist in acting on risks, helping to prioritize what controls to implement. So, continue measuring, but utilize multiple tools to perform that measurement, such as threat modeling, that more directly lead to action.
Steps for Improving Your TPRM Strategy
The following four steps will help you better understand how you are managing risk and assist you in identifying ways you can improve security within your organization when dealing with third parties.
Evaluate the value of your TPRM program versus the resources you are putting in.
Is there a need to adjust the scale from assessment to management of risk? Take note of the current percentage of time used in assessing versus managing and compare that to your desired percentage.
Review how you are reporting on risks from your TPRM program and how you are categorizing third parties.
Are you able to extrapolate or gain insight into a repeatable set of controls based on the risk reporting? Make a wish list of how you would like to review and understand third-party risk from a security perspective.
Discuss with your TPRM staff how risk is managed by the business and what the security team’s approach is to assist them.
Is your security team blindly asking the business to accept risks? Is it mostly a paperwork exercise? Define one process you can put in place to assist your TPRM security analysts with critical thinking to help both security and the business better evaluate risks the business is asked to accept.
Review your current controls as compared to the third-party risks your organization faces and discuss with your TPRM team their process for managing risk.
Is a threat modeling exercise in place, even just for potential high-risk scenarios? Identify one business unit and a significant third party you work with and perform a threat model and assessment.
TPRM is a vital aspect of any security program. Moving the balance point on your organization’s scale from assessing to managing risk can help to improve your overall security posture. You may not have control over a third party or their actions, but you can have more control over your assets through increased focus on managing risks.
About the Author
Matthew Karnas is the Cybersecurity & Risk Practice Lead at Sila. He has 18 years of experience providing professional services to Fortune 500 companies and government agencies across multiple verticals. He brings a unique mix of both technical and functional experience advising on information technology, cybersecurity, and risk management practices and approaches to drive client successes.