Re-thinking Third Party Risk Management
Key Insights
- Third-party risk is not being prioritized at many organizations.
- 60-70% of organizations are covering less than 49% of their third parties.
- Challenges managing third-party risks persist due to manual processes, ad-hoc approaches, and limited resources.
- The FAIR-TAM™ Framework to manage third-party risks includes risk-based prioritization, comprehensive continuous monitoring, and actionable risk mitigations.
- The FAIR-TAM framework can help you solve structural problems related to manual processes and the need to automate inside-out telemetry.
#Cybersecurity
#ThirdPartyRisk
#supplychainrisk
Explore a critical evaluation of current Third-Party Risk Management (TPRM) strategies, considering the recent surge in supply chain attacks and their impact. This sheds light on the challenges CISOs face and proposes a proactive approach using the FAIR-TAM™ framework for improved risk mitigation.
- 1. Re-thinking Third Party Risk Management. Pankaj Goyal, Director Research at FAIR Institute, October 25 2024
- 2. Do you believe that TPRM is working?
- 3. 2024 has been a bad year for supply chain risk…
- 4. https://howmaterialisthathack.org/ : supply chain attacks / incidents have become the #1 threat vector
- 5. TPRM is not in good shape… or noseblind…
- 6. Third-party risk is not a high priority…
- 7. 60-70% of organizations are covering <49% of their third parties
- 8. The familiar problems still persist… manual, ad-hoc, labor intensive…
- 9. TPRM challenges we hear: (1) don't know which 3rd party to focus on; (2) no automation & scale; (3) no controls prioritization; (4) very manual & resource intensive; (5) cost prohibitive
- 10. So how can we make it better?
- 11. We asked the CISOs… The top 3 TPRM questions on a CISO's mind: (1) What are my top third party risks? (2) What can I do to reduce my risk exposure to third parties? (3) What can the third parties do to reduce my risk?
- 12. Remember: Third Party Risk IS First Party Risk
- 13. The FAIR-TAM™ Framework to manage third party risk has three pillars: Risk based prioritization (risk quantified for: ransomware, DDoS, data breach); Comprehensive continuous monitoring (signals: inside-out, questionnaires, outside-in); Actionable risk mitigations (proactive actions: actions for you, actions for vendors, ROI)
- 14. The same three pillars, each with its outcome: Risk based prioritization → the top 5% third parties that matter; Comprehensive continuous monitoring → inside-out telemetry (yours and theirs); Actionable risk mitigations → actions and risk burn down
- 15. We published more research through the FAIR TPRM Research Working Group
- 16. FAIR Institute Research in Progress: Top 10 Controls for 3rd Party Risk. Research objective: identify the top 10 controls for third parties to reduce first-party risk. Process: Safe Intel team tasked with assessing 100 third-party breaches to identify: initial attack method; attack outcome; first- and third-party control weaknesses; FAIR-CAM control mappings. Initial results: 10 controls would significantly reduce third-party risk and should be priority for initial third-party assessments.
- 17. Could FAIR-TAM™ have helped make 2024 better?
- 18. 'What-if' FAIR-TAM was used for third party risk management by healthcare payers? Risk based prioritization: top tier vendor due to high business interruption exposure; concentration risk. Comprehensive continuous monitoring: inside-out telemetry to understand control strength. Actionable risk mitigations: your own redundancy? CHC controls…
- 19. 'What-if' FAIR-TAM was used for third party risk management? Risk based prioritization: top tier vendor due to high business interruption exposure. Actionable risk mitigations: your own redundancy? CrowdStrike controls
- 20. 'What if' FAIR-TAM helps you to solve the structural problems… Less than 50% of third parties are being covered… but which ones? Understanding your quantified risk can help you focus 90% of efforts on the most critical vendors
- 21. 'What if' FAIR-TAM helps you to solve the structural problems… manual, ad-hoc, limited resources… Risk based prioritization: 90% focus on the 10% most critical third parties. Comprehensive continuous monitoring: automate inside-out telemetry. Actionable risk mitigations: focus on yourself, rather than chasing vendors
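Added here to make the "risk based prioritization" pillar of slides 13, 20 and 21 concrete (an illustration of the idea, not FAIR-TAM's own model and not code from the deck): a simplified FAIR-style Monte Carlo turns calibrated Loss Event Frequency and Loss Magnitude ranges per vendor scenario into annualized loss exposure, tiers the top decile of vendors for inside-out monitoring, and prices the risk burn-down of one mitigation. All vendor names, ranges, the 10% tier cut-off and the 50% LEF reduction below are constructed assumptions.

```python
"""Simplified FAIR-style vendor prioritization (added illustration, not FAIR-TAM's model)."""
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a vendor: (low, most likely, high) calibrated ranges
    for Loss Event Frequency (events/year) and Loss Magnitude (USD/event)."""
    name: str
    lef: tuple
    magnitude: tuple

def simulate_ale(scenarios, trials=20000, seed=0):
    """Monte Carlo estimate of annualized loss exposure summed over scenarios."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        for s in scenarios:
            lo, mode, hi = s.lef
            events = rng.triangular(lo, hi, mode)  # signature is (low, high, mode)
            lo, mode, hi = s.magnitude
            total += events * rng.triangular(lo, hi, mode)
    return total / trials

def prioritize(vendors, top_fraction=0.10, trials=20000):
    """Rank vendors by ALE: the top decile gets deep inside-out monitoring,
    the rest lightweight outside-in checks."""
    ale = {name: simulate_ale(sc, trials) for name, sc in vendors.items()}
    ranked = sorted(ale, key=ale.get, reverse=True)
    n_top = max(1, round(len(ranked) * top_fraction))
    return {name: {"ale": ale[name], "tier": "top" if i < n_top else "standard"}
            for i, name in enumerate(ranked)}

def control_roi(scenarios, lef_factor, annual_cost, trials=20000):
    """Risk burn-down for a mitigation that scales LEF by lef_factor (e.g. 0.5):
    returns (ALE reduction in USD, reduction per USD of annual control cost)."""
    before = simulate_ale(scenarios, trials)
    treated = [Scenario(s.name, tuple(x * lef_factor for x in s.lef), s.magnitude)
               for s in scenarios]
    after = simulate_ale(treated, trials)
    return before - after, (before - after) / annual_cost

# Constructed sample portfolio (illustrative): one high-exposure clearinghouse, one HR SaaS, eight small vendors.
VENDORS = {
    "claims-clearinghouse": [Scenario("ransomware", (0.1, 0.2, 0.6), (1e6, 2e6, 6e6)),
                             Scenario("data_breach", (0.05, 0.1, 0.3), (2e6, 5e6, 20e6))],
    "saas-hr": [Scenario("data_breach", (0.02, 0.05, 0.15), (5e5, 1e6, 3e6))],
}
VENDORS.update({f"small-vendor-{i}": [Scenario("ddos", (0.05, 0.1, 0.3), (1e4, 5e4, 2e5))]
                for i in range(8)})
```

With these inputs only the clearinghouse lands in the top tier (roughly $2.25M annualized exposure against about $0.1M for the HR SaaS and tens of thousands per small vendor), which is the "which ones?" question of slide 20 answered with numbers instead of a questionnaire queue.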
- 22. Old way, compliance based approach: focus on managing tools & process; chase third parties to remediate gaps. New way, risk based approach: focus on managing third party risk; partner with third parties to improve their security programs
- 23. Remember: Third Party Risk IS First Party Risk
- 24. We can fix this… Reach out at pankaj@fairinstitute.org