Re-thinking Third Party Risk Management

    Re-thinking Third Party Risk Management

    P
    @Pankaj_Goyal
    6 Followers
    8 months ago 776

    AIAI Summary

    toggle
    Bulleted
    toggle
    Text

    Key Insights

    #Cybersecurity#Thirdpartyrisk#Supplychainrisk
    Re-thinking Third Party Risk Management Pankaj Goyal Director Research at FAIR Institute October 25 2024
    1/24
    Do you believe that TPRM is working? 2
    2/24
    2024 has been a bad year for Supply chain risk… 3
    3/24
    https://howmaterialisthathack.org/ Supply chain attacks / incidents have become the #1 threat vector
    4/24
    TPRM is not in a good shape… or Noseblind… 5
    5/24
    Third-party risk is not a high priority… 6
    6/24
    60-70% organizations are covering <49% third parties 7
    7/24
    8 The familiar problems still persist… manual, ad-hoc, labor intensive…
    8/24
    9 TPRM Challenges We Hear Don’t Know Which 3rd Party to Focus on No Automation & Scale No Controls Prioritization Very Manual & Resource Intensive Cost Prohibitive 1 2 3 4 5
    9/24
    So how can we make it better? 10
    10/24
    We asked the CISOs… What are my top third party risks? What can I do to reduce my risk exposure to third parties? What can the third parties to do to reduce my risk? The top 3 TPRM questions on a CISO’s mind: 1 2 3
    11/24
    Remember: Third Party Risk IS First Party Risk 12
    12/24
    The FAIR-TAM™ Framework to manage third party risk Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI
    13/24
    The FAIR-TAM™ Framework to manage third party risk Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI Top 5% Third Parties that matter Actions and risk burn down Inside-out telemetry (yours and theirs)
    14/24
    15 We published more research through the FAIR TPRM Research Working Group
    15/24
    Research Objective: Identify the Top 10 controls for third parties to reduce first-party risk. Process: Safe Intel team tasked with assessing 100 third-party breaches to identify: ● Initial attack method ● Attack outcome ● First- and third-party control weaknesses ● FAIR-CAM control mappings Initial Results: 10 controls would significantly reduce third-party risk and should be priority for initial third-party assessments. FAIR Institute Research in Progress Top 10 Controls for 3rd Party Risk
    16/24
    Could FAIR-TAM™ have helped make 2024 better? 17
    17/24
    Top Tier vendor due to high Business interruption exposure; concentration risk Inside-out telemetry to understand control strength Your own redundancy? CHC controls… Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What-if’ FAIR-TAM was used for third party risk management by healthcare payers?
    18/24
    Top Tier vendor due to high Business interruption exposure Your own redundancy? CrowdStrike controls Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What-if’ FAIR-TAM was used for third party risk management?
    19/24
    Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What if’ FAIR-TAM helps you to solve the structural problems… Less than 50% third parties are being covered… but which ones? Understanding your quantified risk can help you focus 90% of efforts on the most critical vendors
    20/24
    90% focus on 10% most critical third parties Automate inside-out telemetry Focus on yourself, rather than chasing vendors Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What if’ FAIR-TAM helps you to solve the structural problems… Manual, ad-hoc, limited resources…
    21/24
    Compliance Based Approach Focus on managing tools & process Chase third parties to remediate gaps Risk Based Approach Focus on managing third party risk Partner with Third Parties to Improve their Security Programs Old Way New Way
    22/24
    Remember: Third Party Risk IS First Party Risk 23
    23/24
    We can fix this… 24 Reach out at pankaj@fairinstitute.org
    24/24

    Re-thinking Third Party Risk Management

    • 1. Re-thinking Third Party Risk Management Pankaj Goyal Director Research at FAIR Institute October 25 2024
    • 2. Do you believe that TPRM is working? 2
    • 3. 2024 has been a bad year for Supply chain risk… 3
    • 4. https://howmaterialisthathack.org/ Supply chain attacks / incidents have become the #1 threat vector
    • 5. TPRM is not in a good shape… or Noseblind… 5
    • 6. Third-party risk is not a high priority… 6
    • 7. 60-70% organizations are covering <49% third parties 7
    • 8. 8 The familiar problems still persist… manual, ad-hoc, labor intensive…
    • 9. 9 TPRM Challenges We Hear Don’t Know Which 3rd Party to Focus on No Automation & Scale No Controls Prioritization Very Manual & Resource Intensive Cost Prohibitive 1 2 3 4 5
    • 10. So how can we make it better? 10
    • 11. We asked the CISOs… What are my top third party risks? What can I do to reduce my risk exposure to third parties? What can the third parties to do to reduce my risk? The top 3 TPRM questions on a CISO’s mind: 1 2 3
    • 12. Remember: Third Party Risk IS First Party Risk 12
    • 13. The FAIR-TAM™ Framework to manage third party risk Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI
    • 14. The FAIR-TAM™ Framework to manage third party risk Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI Top 5% Third Parties that matter Actions and risk burn down Inside-out telemetry (yours and theirs)
    • 15. 15 We published more research through the FAIR TPRM Research Working Group
    • 16. Research Objective: Identify the Top 10 controls for third parties to reduce first-party risk. Process: Safe Intel team tasked with assessing 100 third-party breaches to identify: ● Initial attack method ● Attack outcome ● First- and third-party control weaknesses ● FAIR-CAM control mappings Initial Results: 10 controls would significantly reduce third-party risk and should be priority for initial third-party assessments. FAIR Institute Research in Progress Top 10 Controls for 3rd Party Risk
    • 17. Could FAIR-TAM™ have helped make 2024 better? 17
    • 18. Top Tier vendor due to high Business interruption exposure; concentration risk Inside-out telemetry to understand control strength Your own redundancy? CHC controls… Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What-if’ FAIR-TAM was used for third party risk management by healthcare payers?
    • 19. Top Tier vendor due to high Business interruption exposure Your own redundancy? CrowdStrike controls Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What-if’ FAIR-TAM was used for third party risk management?
    • 20. Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What if’ FAIR-TAM helps you to solve the structural problems… Less than 50% third parties are being covered… but which ones? Understanding your quantified risk can help you focus 90% of efforts on the most critical vendors
    • 21. 90% focus on 10% most critical third parties Automate inside-out telemetry Focus on yourself, rather than chasing vendors Risk based prioritization Comprehensive continuous monitoring Actionable risk mitigations Risk quantified for: ● Ransomware ● DDoS ● Data Breach Signals ● Inside-out ● Questionnaires ● Outside-in Proactive actions ● Actions for You ● Actions for vendors ● ROI ‘What if’ FAIR-TAM helps you to solve the structural problems… Manual, ad-hoc, limited resources…
    • 22. Compliance Based Approach Focus on managing tools & process Chase third parties to remediate gaps Risk Based Approach Focus on managing third party risk Partner with Third Parties to Improve their Security Programs Old Way New Way
    • 23. Remember: Third Party Risk IS First Party Risk 23
    • 24. We can fix this… 24 Reach out at pankaj@fairinstitute.org


    • Previous
    • Next
    • f Fullscreen
    • esc Exit Fullscreen
    RELATED JAUNTS
    MORE FROM THIS AUTHOR