Why TPCRM Teams Feel Spread Thin and 3 Coverage Strategies
Written by: Jeffrey Wheatman
I recently had the opportunity to speak with a group of cybersecurity and risk leaders at an event where we discussed the challenges of third-party cyber risk management (TPCRM). The big takeaway: when it comes to managing third-party cyber risk, cyber leaders are feeling spread thin.
I empathize with the frustration. With the expansion in size and complexity of cyber ecosystems we’ve seen over the last decade, it’s really no surprise. After all, most enterprises must assess risk for anywhere from 1,000 to 10,000+ partners now, often in the same amount of time and without much more budget than they had when they were assessing under 100 vendors.
Top 3 Struggles with Third-Party Risk Management (TPRM)
From my point of view, struggles with third-party risk management (TPRM) come down to these three major challenges:
- Resource strain
- Limited access to reliable data
- Lack of clarity about who owns what within the company (Who owns third-party risk management?)
3 Strategies TPRM Leaders Can Use to Alleviate These Challenges
1. Improve With Processes, Not People
Let’s be real. Throwing more people at TPRM problems doesn’t solve them. The key to tackling third-party risk is revising the processes organizations use to evaluate security postures — not just adding more humans to the mix. We covered this in a recent RiskBusters™ episode, where we tackled the myth that you need a larger team to effectively manage third-party risk.
As organizations grow their cyber ecosystems, it has become increasingly difficult for them to manage cyber risk exposure in their supply chains. It might seem intuitive to add more security people when you add more third parties, but here’s the main issue: if you don’t have the right processes in place, a team of any size will get stuck spinning its wheels.
I heard several security leaders mention that they keep adding people, training them, and processing ever more security questionnaires—without moving the needle on decreasing third-party risk. When it comes to TPCRM, more (people) is not always better. It’s about the quality of the TPCRM processes and protocols you follow. You need streamlined standard operating procedures (SOPs) backed by the right technology to reduce noise and ensure quality data hits your desks.
Ultimately, all TPCRM processes should have one goal: Gaining reliable data to make better risk decisions.
2. Source Data You Can Trust
Decisions are only as good as the data used to make them. But here’s the issue: Security leaders still struggle to find threat and risk data they can trust — and that’s because there’s both too much data and not enough of the right data hitting their desks.
Vendor assessments are a major source of that rapid influx of unnecessary data. Those assessments (aka security questionnaires) can run to 500+ questions. But more questions does not equal less risk.
Defaulting to asking every vendor hundreds of questions only increases the work your teams have to do to parse through potentially irrelevant, sometimes even inaccurate data. (And it annoys your vendors to no end.) There’s not much value to adding people to a team if they’re spending time doing tasks that don’t increase insight into real risks or decrease their potential impact on the organization.
Instead, organizations must identify which vendors are most critical to their business processes and which vulnerabilities could have the greatest potential impact on the business. That narrows your team’s focus to the vulnerabilities that represent actual risk to you, rather than the mountain of findings that exist somewhere in your cyber ecosystem.
To prioritize vulnerabilities based on their level of risk to the organization, security teams can ask the following questions:
- What’s our exposure if this vendor does experience a breach?
- Does this vendor have access to our sensitive and valuable data?
- How can we keep tabs on new vulnerabilities this vendor might be exposed to?
- What processes can I automate to save time and resources?
When organizations gain clarity on those critical questions, they can better manage third-party cyber risk by sending each vendor specific, relevant questions instead of taking a buckshot approach.
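To make that prioritization concrete, here is an added example (it is not Black Kite’s code and not part of the original post) that answers the first two questions above as a simple exposure score, tiers each vendor by that score, and then builds a targeted question set instead of sending every vendor the same 500-question form. The weights, tier cutoffs, question text and the vendor records are all hypothetical, constructed for illustration; real programs would calibrate them to their own data classification and risk appetite.

```python
"""Tier vendors by potential business impact and pick a targeted question set.

Added example, not Black Kite code. Weights, cutoffs, question banks and the
sample vendors below are hypothetical / constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    data_classes: frozenset  # what of ours they hold, e.g. {"pii", "payment"}
    access: str              # "none" | "read" | "write" | "admin" into our systems
    business_critical: bool  # does their outage halt a core business process?
    internet_facing: bool    # is their service exposed to our users/customers?


# Hypothetical weights: what a vendor can reach if breached drives the score.
DATA_WEIGHTS = {"public": 0, "internal": 1, "pii": 3, "payment": 4, "phi": 4,
                "credentials": 5}
ACCESS_WEIGHTS = {"none": 0, "read": 1, "write": 2, "admin": 4}
SENSITIVE = {"pii", "payment", "phi", "credentials"}


def exposure_score(v: Vendor) -> int:
    """'What is our exposure if this vendor is breached?' as one number."""
    data = max((DATA_WEIGHTS.get(c, 1) for c in v.data_classes), default=0)
    return (data + ACCESS_WEIGHTS[v.access]
            + (3 if v.business_critical else 0)
            + (1 if v.internet_facing else 0))


def tier(v: Vendor) -> int:
    """Tier 1 = highest exposure. Cutoffs are hypothetical."""
    s = exposure_score(v)
    return 1 if s >= 8 else 2 if s >= 4 else 3


# Hypothetical question banks; only the relevant ones are sent to a vendor.
BASELINE = [
    "Who is your security point of contact for incident notification?",
    "Do you hold a current SOC 2 Type II or ISO 27001 certification?",
    "How quickly will you notify us of a confirmed breach affecting our data?",
]
ACCESS_CONTROL = [
    "Is MFA enforced for all staff with access to customer data?",
    "How are joiner/mover/leaver access changes handled and how fast?",
    "Is access to our data logged and reviewed?",
]
DATA_HANDLING = [
    "Where is our data stored and is it encrypted at rest and in transit?",
    "What is your retention and deletion process for our data at contract end?",
]
PRIVILEGED = [
    "How are the credentials you hold for our systems stored and rotated?",
    "Is your access to our environment restricted by source IP or device?",
]
RESILIENCE = [
    "What is your tested recovery time objective for the service we depend on?",
    "Describe your most recent tabletop or live DR exercise.",
]


def questions_for(v: Vendor) -> list:
    """Build the questionnaire from what actually applies to this vendor."""
    t = tier(v)
    qs = list(BASELINE)
    if t <= 2:
        qs += ACCESS_CONTROL
    if v.data_classes & SENSITIVE:
        qs += DATA_HANDLING
    if v.access in ("write", "admin"):
        qs += PRIVILEGED
    if t == 1:
        qs += RESILIENCE
    return qs


def triage(vendors) -> dict:
    """Map vendor name -> (tier, number of questions it would be sent)."""
    return {v.name: (tier(v), len(questions_for(v))) for v in vendors}


# Constructed sample inventory.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", frozenset({"pii", "payment"}), "write", True, False),
    Vendor("newsletter-tool", frozenset({"pii"}), "read", False, True),
    Vendor("stock-photos", frozenset({"public"}), "none", False, False),
    Vendor("identity-provider", frozenset({"credentials"}), "admin", True, True),
]

if __name__ == "__main__":
    for name, (t, n) in sorted(triage(SAMPLE_VENDORS).items(), key=lambda kv: kv[1]):
        print(f"tier {t}  {n:2d} questions  {name}")
```

The point is the shape of the process, not the particular numbers: exposure is decided from the relationship (data held, access granted, criticality), the tier follows from exposure, and the questionnaire follows from the tier. A vendor that holds only public content gets the three baseline questions; the identity provider and payroll system get the full set, so analyst time lands where a breach would actually hurt.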
3. Make TPRM A Group Effort
Ownership is another common issue in the TPRM space. At one company, the CISO could own all of TPRM. At another, there could be a dedicated third-party risk person or team — or even a supply chain risk-focused group. There’s no standardized approach today for deciding who owns what tasks, processes, and decisions related to third-party risk.
It’s critical for organizations to identify what works best for them. However, TPRM should always be a group effort. Leadership across the organization should understand how third-party risk is managed and why it’s so important.
Why? Cyber risks often have a cascading and outsized impact. For example, an exploited vulnerability in Kaseya’s VSA remote-management software led to a massive ransomware attack affecting up to 1,500 companies worldwide and disrupting operations for days. While CISOs and Chief Risk Officers have a responsibility to captain the ship when it comes to TPRM, it’s also critical that organizations start with a strong cultural foundation that emphasizes the importance of security.
Additionally, organizations need tools that enable clarity, communication, and collaboration. These tools should help:
- Prioritize vendors based on potential business impact and Cyber Risk Quantification (CRQ)
- Collect and surface relevant data on attacks, threats, and vulnerabilities
- Use AI to parse important security documents and map data to appropriate compliance and security frameworks
- Connect to your vendors’ security teams to share risk intelligence and collaboratively remediate findings
When TPRM teams have a platform to manage those critical tasks, they can work together to mitigate risk more effectively.
The Black Kite Difference
At Black Kite, we built our platform from the ground up to address these growing challenges in the TPRM space.
Automated Processes
We leverage automated parsing technology that can sift through extensive security resources (like questionnaires) and identify what’s important vs. what’s irrelevant. That way, your teams can get the data they need to identify risks with greater speed, efficiency, and accuracy.
We also created Black Kite Bridge™ to streamline vendor communications, making it easier for organizations and their third parties to connect, share information, and strategize together after a high-profile cyber event. Simply invite vendors to our portal, where you can direct their attention to your most pressing concerns, share actionable asset-level vulnerability intelligence, and provide real-time ratings updates to simplify vendor engagement.
You’ll maximize time and value without adding unnecessary overhead.
Trustworthy Data
We know trustworthy data starts with trustworthy sources. Our platform aggregates hundreds of data streams from open-source intelligence (OSINT) across the web, including hacker forums, social networks, and leaked database dumps.
By providing consistently trustworthy data, we give our clients the risk intelligence they need to make smart choices. That reduces false positives and bolsters third-party risk management.
Reliable Cyber Risk Quantification
Our data is always reliable — which means CISOs can trust that we have the viable cyber risk quantification (CRQ) they need to collaborate with business leaders on TPRM strategies and responses.
We vet the data we collect against reputable standards, including:
That’s how we map out CRQ. No magic tricks. No black boxes. Just facts. Industry analyst firm Forrester even highlighted our dedication to ratings integrity with the following assessment:
“[Black Kite is] the only vendor in this evaluation whose customers were unanimously satisfied with its rating accuracy.”
Plus, we distinctly map out cyber risk in financial terms. By putting an actual dollar value to risk, CISOs can better collaborate with business leaders and illustrate the practical impact of risk. That leads to better communication, better decisions, and better results.
It’s About Quality, Not Quantity
More isn’t always better. Quantity (i.e., adding more people or questionnaires) won’t make third-party cyber risk easier to handle. Quality processes, with purpose-built tools and accurate data, will.
We built Black Kite with exactly that purpose in mind. Our features help streamline processes with automation, deliver reliable data, and enable collaboration. Your teams will be empowered to make confident and informed risk decisions no matter the challenge—and finally feel like they’re doing TPCRM right.
Don’t just take my word for it. See Black Kite in action. Get a free cyber assessment.
Ready to see what Black Kite’s cyber risk detection and response platform can do for you?