Written by: Jeffrey Wheatman

Recently, I had the opportunity to speak with a dozen-plus cybersecurity leaders about third-party risk management (TPRM), and the conversation quickly turned to the recent CrowdStrike outage and how risk intelligence could play a role in preparing for future incidents. It was really interesting to hear from these leaders about this unexpected event. There was a general consensus that no one could’ve predicted how much they would be affected by a single vendor’s outage.

My discussion with these leaders made me realize how many companies are now asking questions like:

  • “Is there any way we could’ve known this would happen?”
  • “Which cyber incident will hit the headlines next?”
  • “How do we keep moving if something similar happens again?” 

Many of the leaders I spoke with wanted to answer these questions but were only in the beginning stages of understanding how to do so. 

My short answer is risk intelligence. 

With the proper intel, we, as an industry, have a better chance of anticipating risks and taking action to mitigate them before anything even happens. Obviously, none of us have a crystal ball for seeing into the future. However, as we discussed, there are ways to anticipate possible challenges and protect your business from them. It all comes down to collecting and leveraging the right cyber risk intelligence. 

While it may have been impossible to predict this specific event, it should have been possible to anticipate that “something like this” would occur.

What is the “Right” Cyber Risk Intelligence?

As many of the leaders at the discussion saw firsthand, gaining a workable understanding of your vendors’ potential risks and the exposures they could pass on to you can be tough, especially when you work with hundreds or thousands of vendors. So, cyber risk intelligence isn’t just about collecting as much information as possible; it’s also about layering in other factors and adding business context to narrow down the data and turn it into actionable insights.

Let’s discuss each of the layers that make up effective cyber risk intelligence:

Layer #1: Raw Data

First off, it’s essential to collect the correct raw data about each of your vendors’ ecosystems. You should be able to answer, “Who are the fourth, fifth, and Nth parties connected to our vendors and, therefore, connected to our business?” The breadth and depth of your raw data matter, as they help you identify issues like concentration risk. Concentration risk occurs when most of your vendors use a common vendor, so several of your third parties will be affected if that one big player goes down (this is exactly what happened during the CrowdStrike incident).

It’s also important for your raw technical data to be accurate and comprehensive. Continuous monitoring is critical because the situation around a given vendor’s risk level is always in flux. The raw data should also be objective and understandable; black box security rating service (SRS) scores often aren’t helpful or detailed enough.

Layer #2: Business Context

However, having lots of raw data means that your business will have a lot of data to reckon with, often leading to analysis paralysis. So, the next layer of risk intelligence is applying business context to your raw data and narrowing it down to the insights that matter most. This step helps you decipher which risk data applies to your specific organization’s operations and compliance requirements and which doesn’t.

For example, a risk tied to a vendor’s module you don’t even use would be a moot point for your business. As another example, if several of your nonessential vendors use a common fourth-party vendor, posing high concentration risk, this situation might not be risky to your business as a whole because it doesn’t threaten daily operations.
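An added example (not from the original post and not Black Kite's product) of the first two layers: it walks a constructed vendor dependency map to find fourth and fifth parties, measures concentration, then re-ranks by business criticality. All vendor names, the dependency map and the criticality flags are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: every vendor name here is hypothetical.
# Layer 1 (raw data): who each company depends on.
DEPENDS_ON = {
    "PayrollCo": ["CloudHost", "EDR-Vendor"],
    "CRM-Inc": ["CloudHost", "MailRelay"],
    "LogisticsLtd": ["EDR-Vendor"],
    "SwagShop": ["MailRelay"],
    "CloudHost": ["EDR-Vendor"],
    "MailRelay": [],
    "EDR-Vendor": [],
}
# Layer 2 (business context): our direct vendors -> do daily operations depend on them?
OUR_VENDORS = {"PayrollCo": True, "CRM-Inc": True, "LogisticsLtd": True, "SwagShop": False}

def upstream(vendor):
    """Return {supplier: tier} for everything `vendor` relies on, directly or not.
    Tier 4 is a fourth party (supplier of our third party), tier 5 a fifth party."""
    tiers, queue = {}, deque([(vendor, 3)])
    while queue:
        name, tier = queue.popleft()
        for dep in DEPENDS_ON.get(name, []):
            if dep not in tiers and dep != vendor:  # BFS keeps the closest tier; guards cycles
                tiers[dep] = tier + 1
                queue.append((dep, tier + 1))
    return tiers

def concentration_report():
    """Rank Nth parties by the share of business-critical vendors that depend on them."""
    exposed = {}
    for vendor in OUR_VENDORS:
        for supplier, tier in upstream(vendor).items():
            entry = exposed.setdefault(supplier, {"vendors": set(), "closest_tier": tier})
            entry["vendors"].add(vendor)
            entry["closest_tier"] = min(entry["closest_tier"], tier)
    n_critical = sum(OUR_VENDORS.values())
    rows = []
    for supplier, e in exposed.items():
        critical = sorted(v for v in e["vendors"] if OUR_VENDORS[v])
        rows.append({"supplier": supplier, "closest_tier": e["closest_tier"],
                     "share_all": len(e["vendors"]) / len(OUR_VENDORS),
                     "share_critical": len(critical) / n_critical})
    return sorted(rows, key=lambda r: (-r["share_critical"], -r["share_all"], r["supplier"]))

if __name__ == "__main__":
    for row in concentration_report():
        print(row)
```

In this sample, CloudHost and MailRelay have the same raw concentration (half of all vendors), but only the business-context layer shows that CloudHost sits behind twice as many critical vendors.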

Layer #3: Actionable Intelligence

The final layer is all about taking proactive action based on the data and business context information. This is where detailed raw data and business context come together and help you take the best next steps. For example, several of the leaders mentioned that after the CrowdStrike outage, they’ve redirected their attention to risk-related activities like scenario planning. Applying the right risk intelligence to these types of activities could help your business understand exactly how your vendor ecosystem relates to your daily operations, then conduct scenario planning that’s true to what could actually happen.

Examples of Actionable Risk Intelligence

Here are a few other examples of risk intelligence that lead to action (or, in some cases, deliberate inaction):

  • Uncovering that some of your business-critical vendors rely heavily on a high-risk fourth party and making contingency plans based on the exact details of this possible risk. 
  • Getting a notification that one of your vendors contains a zero-day vulnerability but choosing not to take action because a cyberattack on the vendor would have little to no financial impact on your business.
  • Finding out that a vendor doesn’t meet compliance requirements and choosing to contact them with specific, data-backed details on the situation.

Black Kite’s Multidimensional Risk Intelligence

Here at Black Kite, we believe that risk intelligence must be multifaceted and actionable. We offer a multidimensional view of risk by combining three areas:

  • A technical cyber rating based on NIST and MITRE frameworks, with details that go beyond a single letter rating
  • Potential financial impact in the case of a breach, calculated with OpenFAIR™️
  • Automated correlation, mapping your vendors’ security questionnaire responses and internal policies to common compliance frameworks

In addition, Black Kite offers features that extend this risk intelligence, such as our FocusTags™️ for highlighting critical vulnerabilities that affect your vendors and our Ransomware Susceptibility Index®️ for gauging the likelihood of a ransomware attack on your organization based on third-party risks.  

When armed with multifaceted risk intelligence, your team can prioritize the efforts that matter, effectively communicate risk to your leadership, and build better resilience for whatever happens next. 