Re-thinking Third Party Risk Management
Explore the challenges of Third Party Risk Management (TPRM) in 2024, where supply chain attacks have become a top threat. Discover the FAIR-TAM framework aimed at enhancing risk management through automation, prioritization, and controls. Learn from recent research on the top 10 controls to significantly reduce first-party risk and gain actionable insights on improving your TPRM strategy.
Pankaj Goyal
Director Research at FAIR Institute

- Ransomware
- DDoS
- Data Breach
- Inside-out
- Questionnaires
- Outside-in
- Actions for You
- Actions for vendors
- ROI
- Initial attack method
- First- and third-party control weaknesses
- Attack outcome
- FAIR-CAM control mappings
Do you believe that TPRM is working?
2024 has been a bad year for supply chain risk…
Supply chain attacks / incidents have become the #1 threat vector

ticketmaster

https://howmaterialisthathack.org/

TPRM is not in a good shape… or Noseblind…

The State Of Third-Party Risk Management, 2024: Dire, Hopeful, But Mostly Noseblind
SEP 11 2024
Third-party risk is not a high priority…

60-70% of organizations are covering <49% of their third parties
The familiar problems still persist… manual, ad-hoc, labor intensive…
"Which of the following are challenges for your organization in managing third-party risks?"
(Multiple responses accepted)

Note: High maturity equates to "measured" or "optimized"; low maturity equates to "nonexistent" or "ad hoc." Sample varies by third-party maturity. Base: 82 and 300 global enterprise risk management decision-makers at enterprises
Source: Forrester's Business Risk Survey, 2023
TPRM Challenges We Hear

So how can we make it better?
We asked the CISOs…
The top 3 TPRM questions on a CISO's mind:
Remember: Third Party Risk IS First Party Risk
The FAIR-TAM™ Framework to manage third party risk

Risk quantified for:
Signals
Proactive actions

We published more research through the FAIR TPRM Research Working Group

Let's Kill TPRM
APR 8, 2024 12:44:26 PM PANKAJ GOYAL AND VINCE DASTA


Top 10 Controls for 3rd Party Risk
FAIR Institute Research in Progress
Research Objective: Identify the Top 10 controls for third parties to reduce first-party risk.
Process: Safe Intel team tasked with assessing 100 third-party breaches to identify:
Initial Results: 10 controls would significantly reduce third-party risk and should be a priority for initial third-party assessments.

Could FAIR-TAM™ have helped make 2024 better?
'What-if' FAIR-TAM was used for third party risk management by healthcare payers?

'What-if' FAIR-TAM was used for third party risk management?

Top Tier vendor due to high Business interruption exposure
Risk based prioritization
Comprehensive continuous monitoring
Risk quantified for:
Signals
Your own redundancy?
CrowdStrike controls
Actionable risk mitigations
Proactive actions
'What if' FAIR-TAM helps you to solve the structural problems…
Less than 50% of third parties are being covered… but which ones?

'What if' FAIR-TAM helps you to solve the structural problems…
Manual, ad-hoc, limited resources…

Old Way
- Compliance Based Approach
- Focus on managing tools & process
- Chase third parties to remediate gaps
New Way
- Risk Based Approach
- Focus on managing third party risk
- Partner with Third Parties to Improve their Security Programs
Remember: Third Party Risk IS First Party Risk
We can fix this…
Reach out at pankaj@fairinstitute.org