Re-thinking Third Party Risk Management

@Pankaj_Goyal
3 months ago

This deck looks at the state of Third Party Risk Management (TPRM) in 2024, a year in which supply chain attacks became the #1 threat vector. It introduces the FAIR-TAM framework, which aims to improve third-party risk management through automation, risk-based prioritization, and controls, and summarizes recent FAIR Institute research on the top 10 third-party controls that significantly reduce first-party risk, with actionable suggestions for improving a TPRM program.


Pankaj Goyal

Director Research at FAIR Institute

Do you believe that TPRM is working?

2024 has been a bad year for Supply chain risk…

Supply chain attacks / incidents have become the #1 threat vector

Ticketmaster

https://howmaterialisthathack.org/

TPRM is not in a good shape… or Noseblind…

The State Of Third-Party Risk Management, 2024: Dire, Hopeful, But Mostly Noseblind
SEP 11 2024

Third-party risk is not a high priority…

60-70% of organizations are covering <49% of their third parties

The familiar problems still persist… manual, ad-hoc, labor intensive…

"Which of the following are challenges for your organization in managing third-party risks?"
(Multiple responses accepted)

Note: High maturity equates to "measured" or "optimized"; low maturity equates to "nonexistent" or "ad hoc." Sample varies by third-party maturity. Base: 82 and 300 global enterprise risk management decision-makers at enterprises
Source: Forrester's Business Risk Survey, 2023

TPRM Challenges We Hear

So how can we make it better?

We asked the CISOs…

The top 3 TPRM questions on a CISO's mind:

Remember: Third Party Risk IS First Party Risk

The FAIR-TAM™ Framework to manage third party risk

Risk quantified for:
• Ransomware
• DDoS
• Data Breach

Signals
• Inside-out
• Questionnaires
• Outside-in

Proactive actions
• Actions for You
• Actions for vendors
• ROI

We published more research through the FAIR TPRM Research Working Group

Let's Kill TPRM
APR 8, 2024 12:44:26 PM PANKAJ GOYAL AND VINCE DASTA

Top 10 Controls for 3rd Party Risk
FAIR Institute Research in Progress

Research Objective: Identify the Top 10 controls for third parties to reduce first-party risk.

Process: Safe Intel team tasked with assessing 100 third-party breaches to identify:
• Initial attack method
• First- and third-party control weaknesses
• Attack outcome
• FAIR-CAM control mappings

Initial Results: 10 controls would significantly reduce third-party risk and should be a priority for initial third-party assessments.

Could FAIR-TAM™ have helped make 2024 better?

'What-if' FAIR-TAM was used for third party risk management by healthcare payers?
(FAIR-TAM framework diagram as above: Risk quantified for Ransomware, DDoS, Data Breach; Signals: Inside-out, Questionnaires, Outside-in; Proactive actions: Actions for You, Actions for vendors, ROI)

'What-if' FAIR-TAM was used for third party risk management?
Top Tier vendor due to high Business interruption exposure
Risk based prioritization
Comprehensive continuous monitoring
(FAIR-TAM framework diagram as above: Risk quantified for Ransomware, DDoS, Data Breach; Signals: Inside-out, Questionnaires, Outside-in)
Your own redundancy?
CrowdStrike controls
Actionable risk mitigations
(Proactive actions: Actions for You, Actions for vendors, ROI)

'What if' FAIR-TAM helps you to solve the structural problems…
Less than 50% of third parties are being covered… but which ones?

'What if' FAIR-TAM helps you to solve the structural problems…
Manual, ad-hoc, limited resources…

Old Way                                  | New Way
Compliance Based Approach                | Risk Based Approach
Focus on managing tools & process        | Focus on managing third party risk
Chase third parties to remediate gaps    | Partner with Third Parties to Improve their Security Programs

Remember: Third Party Risk IS First Party Risk

We can fix this…
Reach out at pankaj@fairinstitute.org

Slide-by-slide notes (text from the slide thumbnails not captured in the outline above; truncated lines are left as extracted):

Slide 1 (title slide): Re-thinking Third Party Risk Management. Pankaj Goyal, Director Research at FAIR Institute. Octobe…
Slide 9 (TPRM Challenges We Hear): Don't Know Which 3rd Party to Focus on; No Automation & Scale…
Slide 11 (We asked the CISOs…): What are my top third party risks? What can I do to reduce my risk expo…
Slide 18: Top Tier vendor due to high Business interruption exposure; concentration risk. Inside-out tele…
Slide 21: 90% focus on 10% most critical third parties. Automate inside-out telemetry. Focus on yourself, rat…

