Re-thinking Third Party Risk Management

• 1. Re-thinking Third Party Risk Management
    Pankaj Goyal, Director Research at FAIR Institute
    October 25, 2024
• 2. Do you believe that TPRM is working?
• 3. 2024 has been a bad year for supply chain risk…
• 4. Supply chain attacks / incidents have become the #1 threat vector (https://howmaterialisthathack.org/)
• 5. TPRM is not in a good shape… or noseblind…
• 6. Third-party risk is not a high priority…
• 7. 60-70% of organizations are covering <49% of their third parties
• 8. The familiar problems still persist… manual, ad-hoc, labor intensive…
• 9. TPRM challenges we hear:
    1. Don’t know which 3rd party to focus on
    2. No automation & scale
    3. No controls prioritization
    4. Very manual & resource intensive
    5. Cost prohibitive
• 10. So how can we make it better?
• 11. We asked the CISOs… The top 3 TPRM questions on a CISO’s mind:
    1. What are my top third party risks?
    2. What can I do to reduce my risk exposure to third parties?
    3. What can the third parties do to reduce my risk?
• 12. Remember: Third Party Risk IS First Party Risk
• 13. The FAIR-TAM™ Framework to manage third party risk, built on three pillars:
    Risk based prioritization: risk quantified for
    ● Ransomware
    ● DDoS
    ● Data Breach
    Comprehensive continuous monitoring: signals from
    ● Inside-out
    ● Questionnaires
    ● Outside-in
    Actionable risk mitigations: proactive actions
    ● Actions for You
    ● Actions for vendors
    ● ROI
• 14. The FAIR-TAM™ Framework to manage third party risk (same three pillars and bullets as slide 13), with what each pillar delivers:
    Risk based prioritization: the top 5% third parties that matter
    Comprehensive continuous monitoring: inside-out telemetry (yours and theirs)
    Actionable risk mitigations: actions and risk burn down
• 15. We published more research through the FAIR TPRM Research Working Group
• 16. FAIR Institute Research in Progress: Top 10 Controls for 3rd Party Risk
    Research Objective: Identify the top 10 controls for third parties to reduce first-party risk.
    Process: Safe Intel team tasked with assessing 100 third-party breaches to identify:
    ● Initial attack method
    ● Attack outcome
    ● First- and third-party control weaknesses
    ● FAIR-CAM control mappings
    Initial Results: 10 controls would significantly reduce third-party risk and should be a priority for initial third-party assessments.
• 17. Could FAIR-TAM™ have helped make 2024 better?
• 18. ‘What-if’ FAIR-TAM was used for third party risk management by healthcare payers? The framework diagram from slide 13, annotated per pillar:
    Risk based prioritization: Top tier vendor due to high business interruption exposure; concentration risk
    Comprehensive continuous monitoring: Inside-out telemetry to understand control strength
    Actionable risk mitigations: Your own redundancy? CHC controls…
• 19. ‘What-if’ FAIR-TAM was used for third party risk management? The framework diagram from slide 13, annotated per pillar:
    Risk based prioritization: Top tier vendor due to high business interruption exposure
    Actionable risk mitigations: Your own redundancy? CrowdStrike controls
• 20. ‘What if’ FAIR-TAM helps you to solve the structural problems… (framework diagram from slide 13)
    Less than 50% of third parties are being covered… but which ones?
    Understanding your quantified risk can help you focus 90% of efforts on the most critical vendors.
• 21. ‘What if’ FAIR-TAM helps you to solve the structural problems… (framework diagram from slide 13, annotated per pillar)
    Manual, ad-hoc, limited resources…
    Risk based prioritization: 90% focus on 10% most critical third parties
    Comprehensive continuous monitoring: Automate inside-out telemetry
    Actionable risk mitigations: Focus on yourself, rather than chasing vendors
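The "focus 90% of effort on the most critical vendors" point of slides 20 and 21 only works if there is a ranking to focus on. The following Python is an added example written for this page, not FAIR-TAM's own method and not FAIR Institute code. It approximates each vendor's annualized loss exposure as loss event frequency times loss magnitude for the deck's three scenarios (ransomware, DDoS, data breach), ranks vendors by that exposure, selects the smallest set that carries 90% of the portfolio total, and flags concentration risk (a single vendor carrying most of the exposure, as in the deck's 2024 examples). The vendor names, frequencies and magnitudes are constructed sample data, and the single-point frequency × magnitude estimate is a deliberate simplification of a FAIR analysis, which would use ranges or distributions.

```python
"""Illustrative risk-based prioritization of third parties.

Added example (not the FAIR-TAM method itself): a simplified, FAIR-style
approximation in which each vendor's annualized loss exposure is the sum,
over ransomware, DDoS and data breach, of
    loss event frequency (events/year) x loss magnitude (USD per event).
Vendors are then ranked so effort can go to the few carrying most exposure.
All vendor figures below are constructed sample data.
"""
from dataclasses import dataclass

SCENARIOS = ("ransomware", "ddos", "data_breach")


@dataclass
class VendorRisk:
    name: str
    # scenario -> (loss event frequency per year, loss magnitude in USD)
    scenarios: dict

    def annualized_exposure(self) -> float:
        """Expected annual loss attributable to this vendor (single-point estimate)."""
        return sum(freq * mag for freq, mag in self.scenarios.values())


def rank_vendors(vendors):
    """Vendors sorted by descending annualized exposure."""
    return sorted(vendors, key=lambda v: v.annualized_exposure(), reverse=True)


def top_tier(vendors, exposure_share=0.90):
    """Smallest prefix of the ranked list whose cumulative exposure reaches
    `exposure_share` of the portfolio total: these vendors get the bulk of
    assessment and monitoring effort."""
    ranked = rank_vendors(vendors)
    total = sum(v.annualized_exposure() for v in ranked)
    chosen, cumulative = [], 0.0
    for v in ranked:
        chosen.append(v)
        cumulative += v.annualized_exposure()
        if cumulative >= exposure_share * total:
            break
    return chosen


def concentration_flags(vendors, threshold=0.50):
    """Names of vendors whose exposure alone exceeds `threshold` of the
    portfolio total, i.e. single points of failure (concentration risk)."""
    total = sum(v.annualized_exposure() for v in vendors)
    return [v.name for v in vendors if v.annualized_exposure() > threshold * total]


def portfolio_summary(vendors, exposure_share=0.90):
    """Fraction of vendors in the top tier and the exposure they cover."""
    tier = top_tier(vendors, exposure_share)
    total = sum(v.annualized_exposure() for v in vendors)
    covered = sum(v.annualized_exposure() for v in tier)
    return {
        "vendor_fraction": len(tier) / len(vendors),
        "exposure_fraction": covered / total,
        "top_tier": [v.name for v in tier],
        "concentration": concentration_flags(vendors),
    }


def sample_portfolio():
    """Constructed sample: one critical claims processor, one endpoint agent
    vendor, and eighteen low-exposure SaaS tools (names are hypothetical)."""
    critical = VendorRisk("claims-clearinghouse", {
        "ransomware": (0.10, 20_000_000),   # business interruption is the big loss
        "ddos": (0.50, 500_000),
        "data_breach": (0.05, 10_000_000),
    })
    agent = VendorRisk("endpoint-security-agent", {
        "ransomware": (0.02, 5_000_000),
        "ddos": (0.0, 0),
        "data_breach": (0.01, 30_000_000),
    })
    saas = [VendorRisk(f"saas-tool-{i:02d}", {
        "ransomware": (0.01, 500_000),
        "ddos": (0.20, 25_000),
        "data_breach": (0.005, 1_000_000),
    }) for i in range(1, 19)]
    return [critical, agent] + saas


if __name__ == "__main__":
    for key, value in portfolio_summary(sample_portfolio()).items():
        print(f"{key}: {value}")
```

On the constructed portfolio, two of the twenty vendors (10%) carry over 92% of the total exposure, and the clearinghouse alone is flagged for concentration because it carries more than half of it; that is the shape of the "90% focus on 10% most critical third parties" claim, and also why the deck pairs prioritization with the "your own redundancy?" question rather than with more questionnaires.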
• 22. Old Way vs New Way
    Old Way: Compliance Based Approach | New Way: Risk Based Approach
    Focus on managing tools & process | Focus on managing third party risk
    Chase third parties to remediate gaps | Partner with third parties to improve their security programs
• 23. Remember: Third Party Risk IS First Party Risk
• 24. We can fix this… Reach out at pankaj@fairinstitute.org
