A Simple Approach to Prioritizing Cyber Risk in Your Third-Party Relationships
Written by: Black Kite
It’s Jeffrey Wheatman again. The title is a bit of a misnomer. Just because the approach to prioritizing cyber risk is simple doesn’t mean it’s easy. The approach requires a few things you might not have at hand – a list of all your business partners, a clear idea of who owns those relationships, and some understanding of what the partners ‘do’ for you. Let’s wave a magic wand and assume you have all that information at hand…
As I worked on this piece, I wondered how many third parties a typical organization has. So, I asked myself, ‘Hey self, how many partners does a typical company have in their ecosystem?’ After quite a bit (too much in fact) of internal discussion, I realized I did not have an answer and had no idea how to approximate an answer.
Managing third parties is a lot of work – and they aren’t created equal
I did what I normally do when I don’t know something and apparently the Google machine doesn’t know either. After hours of searching (really it was 10 minutes), I found a lot of answers – none of which were consistent or in fact in any way useful. Let’s assume it’s more than a few and less than 100,000. No matter how many third parties you have, we can agree that managing them all is a lot of work. We can also agree they are not all created equal. To badly misquote the infamous closing line from ‘Animal Farm’ by George Orwell, “all third-party partners are equal, but some are more equal than others.”
One of the things we hear from folks is that they struggle with where to focus their limited resources. They can’t spend all their time sending, receiving, processing, and parsing questionnaires for hundreds or maybe thousands of partners. And they don’t have the time to go back and forth about confusing and/or unclear questions and answers on said questionnaires. There are tools to help automate the work (including Black Kite – feel free to reach out if you want to learn how we can help), but they require an investment of money and time. Maybe you don’t have the budget or the headcount to build an end-to-end third-party risk management program, but you still have a problem.
This is a simple approach to help you visually determine where your biggest risk might be. It isn’t meant to solve all your problems, and it doesn’t show the actual risk, but it will give you a starting point for asking questions.
There are two simple questions to ask to get started –
(1) How bad would it be if Partner x couldn’t deliver on their commitment to us for, say, more than a week – maybe they are processing accounts payable, or maybe they are delivering chicken for our world-famous chick’’’n d-eeEEeelux sandwich.
a. Really bad
b. Kind of bad
c. Not that bad
(2) How bad would it be FOR US if Partner x had a data breach and lost a barrel full of data?
a. Really bad
b. Kind of bad
c. Not that bad
Then we map the answers onto a simple matrix: one axis for how much we depend on the partner (question 1), the other for how exposed we are to them (question 2). Focus your efforts on the high-value, high-exposure partners … and voilà! Simple, easy, visual, and while it is by no means perfect, it can get you moving in the right direction.
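The two-question matrix, as an added worked example in Python (written for this page; it is not Black Kite’s tooling and not code from the post). Each partner records the three-level answer to both questions, gets bucketed into the 3x3 grid, and is sorted for attention. The numeric mapping of the answers, the “tier” rule used to order partners, and the sample inventory are assumptions of this example, not something the post specifies.

```python
from dataclasses import dataclass

# Scale for the two questions in the post. Mapping answers to numbers is an
# assumption made for this example (3 = worst answer).
ANSWER_SCORE = {"Really bad": 3, "Kind of bad": 2, "Not that bad": 1}
SCORE_LABEL = {v: k for k, v in ANSWER_SCORE.items()}


@dataclass(frozen=True)
class Partner:
    name: str
    owner: str           # who owns the relationship internally
    service: str         # what the partner "does" for us
    outage_impact: str   # Q1: how bad if they could not deliver for more than a week
    breach_impact: str   # Q2: how bad for us if they had a data breach


def score(answer: str) -> int:
    """Translate an answer into 1..3, rejecting anything outside the scale."""
    if answer not in ANSWER_SCORE:
        raise ValueError(f"unknown answer {answer!r}; expected one of {list(ANSWER_SCORE)}")
    return ANSWER_SCORE[answer]


def priority_tier(p: Partner) -> int:
    """Assumed tiering rule derived from 'focus on high value and high exposure':
    tier 1 = both answers 'Really bad', tier 2 = one of them, tier 3 = the rest."""
    worst = [score(p.outage_impact), score(p.breach_impact)].count(3)
    return {2: 1, 1: 2, 0: 3}[worst]


def build_matrix(partners):
    """Bucket partner names into a 3x3 grid keyed by (outage score, breach score)."""
    grid = {(v, e): [] for v in (3, 2, 1) for e in (3, 2, 1)}
    for p in partners:
        grid[(score(p.outage_impact), score(p.breach_impact))].append(p.name)
    return grid


def prioritized(partners):
    """Order for attention: tier first, then combined score (high first), then name."""
    return sorted(
        partners,
        key=lambda p: (priority_tier(p),
                       -(score(p.outage_impact) + score(p.breach_impact)),
                       p.name),
    )


def render(grid, width=24):
    """Plain-text view of the matrix; rows = outage impact, columns = breach impact."""
    header = "outage \\ breach".ljust(width) + "".join(SCORE_LABEL[e].ljust(width) for e in (3, 2, 1))
    rows = [header]
    for v in (3, 2, 1):
        cells = [(", ".join(grid[(v, e)]) or "-").ljust(width) for e in (3, 2, 1)]
        rows.append(SCORE_LABEL[v].ljust(width) + "".join(cells))
    return "\n".join(rows)


# Constructed sample inventory for this example (not real partners).
SAMPLE_PARTNERS = [
    Partner("Payroll Processor", "Finance", "runs payroll and accounts payable", "Really bad", "Really bad"),
    Partner("Poultry Supplier", "Operations", "delivers chicken", "Really bad", "Not that bad"),
    Partner("Marketing Analytics", "Marketing", "hosts customer web analytics", "Not that bad", "Really bad"),
    Partner("Cloud Backup", "IT", "stores off-site backups", "Kind of bad", "Kind of bad"),
    Partner("Office Plant Service", "Facilities", "waters the plants", "Not that bad", "Not that bad"),
]


if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_PARTNERS)))
    for p in prioritized(SAMPLE_PARTNERS):
        print(f"tier {priority_tier(p)}: {p.name} ({p.owner}: {p.service})")
```

The top-left cell of the rendered grid is where the post tells you to start; everything the script produces is a prioritization of your own answers, not a measurement of the partner’s actual security posture, so the output is a list of whom to ask questions first. Keeping the owner and service on each record matters in practice: when a partner lands in tier 1, the owner is the person who has to answer why the dependency and the data exposure are both that high.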
Stay safe, stay secure, stay healthy.
Wheatman, Out!