How to integrate Black Kite’s Open FAIR™ analysis into a third-party risk management (TPRM) program
Written by: Black Kite
By Bob Maley
If you’re not familiar with the Open FAIR™ model, read my previous blog post “Using the Open FAIR™ Model to Quantify Third-Party Cyber Risk”.
Step 1: Find an Open FAIR™ evangelist on your team. Not everyone in the TPRM program will need to be fluent in FAIR, but having one member who has taken the time to learn, train, and understand Open FAIR™’s use and value will help the rest of the team as they learn the platform and the program. This person needs to be an adept critical thinker.
Step 2: Find Open FAIR™ support in other parts of the organization. Many organizations today are embracing Open FAIR™ in Enterprise Risk Management and the larger cyber security world. Identifying those folks inside your organization and sharing your roadmap for integrating Open FAIR™ into your organization’s TPRM will gain you broad support at all levels of management. If no one has yet embraced Open FAIR™ in your company, then your Open FAIR™ evangelist should prepare briefings about what it is, how it will be used in TPRM, and the value 3D Vendor Risk@Scale (SM) with Open FAIR™ will bring to the company.
Step 3: Develop a clear, specific value proposition for the program. Choose an initial project that proves Open FAIR™ on a few key characteristics: meaningful results achieved quickly and easily visible to executive decision-makers.
Step 4: Train all stakeholders. The Open FAIR™ evangelist should read and be familiar with the following books, blogs and other information.
- Books: Measuring and Managing Information Risk: A FAIR Approach (Freund, Jones); How to Measure Anything in Cybersecurity Risk (Hubbard, Seiersen)
- Programs: Open FAIR™ Certification
- Blogs: FAIR Institute Blog; RiskLens Blog
You may also need to confront biases, including the team’s reliance on heatmaps and qualitative risk assessments. Cybersecurity practitioners have used heatmaps for a long time and may be invested in them, even though they communicate little about actual risk because of their subjective, qualitative nature. Become familiar with the shortcomings of heatmaps. The following blogs provide a good starting point:
Establish the basics
Step 1: Determine which vendors are in scope for monitoring. If you don’t yet have a clear picture of which vendors belong in your TPRM monitoring program, follow a simple tiering model: a vendor is in scope for monitoring if it will receive or have access to sensitive data, will have persistent access to your network, or is critical/material to your company.
When you have a list of vendors that meet those criteria, add each vendor’s primary domain (URL) to the Black Kite platform and begin monitoring.
Step 2: Use Black Kite’s ecosystem capability to create a bucket for each class of vendor (access to sensitive data, persistent network access, and so on). If you already have a tiering system in place, simply create ecosystems around your model. Now you can begin to act on the information that is presented. When just getting started with the program, use the technical score as your first red flag: start with the lowest technically ranked vendor, then review that vendor’s Open FAIR™ impact. If the probable financial impact is near or above your company’s risk tolerance, that vendor is a candidate for action.
Step 3: Flag vendors for action. There are several avenues to take once you flag a vendor. The first is to review the Open FAIR™ Factors (Controls). Go through the list of control items, and if you know that any of them are in use at the vendor, adjust the Open FAIR™ analysis controls accordingly. Also review the number of records the vendor has access to and update the analysis if you have that data. Additionally, if the vendor has (or will have) access to your network, check the box that indicates the vendor accesses data on your network. After fine-tuning these adjustments, if the financial impact is still near or above appetite, it is time to address controls with that vendor.
Figure 3: Risk Factors Controls Options within Threat Flowchart
Step 4: Use the reporting features to filter for the highest-risk issues and address those first with the vendor. As you work with the vendor you may discover false positives. Identify and mark them, then recalculate the score and check the change in probable financial impact.
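The following is an added worked example of Steps 1 to 3 above (scoping, ecosystem buckets, and comparing probable annual loss against appetite) as plain Python. It is illustrative code, not Black Kite’s model or the platform’s own calculation: the vendors, the control effect multipliers, the network-access multiplier, the $10M appetite and the use of triangular distributions in place of PERT are all assumptions. What it keeps from Open FAIR™ is the structure Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability, and loss magnitude driven by the number of records the vendor can reach.

```python
"""Simplified Open FAIR-style triage for a TPRM vendor list (added example).

Illustrative only: not Black Kite's model. Vendor data, CONTROL_EFFECT,
NETWORK_ACCESS_MULTIPLIER and RISK_APPETITE_USD are assumed values.
"""
import random
from dataclasses import dataclass, field, replace
from statistics import mean

# Assumed: multiplier applied to vulnerability when a control is known to be in place.
CONTROL_EFFECT = {"mfa": 0.5, "encryption_at_rest": 0.6, "edr": 0.7}
NETWORK_ACCESS_MULTIPLIER = 1.5   # assumed: persistent access to our network raises loss magnitude
RISK_APPETITE_USD = 10_000_000    # assumed per-vendor annual appetite


@dataclass
class Vendor:
    name: str
    domain: str
    sensitive_data: bool          # receives or can access sensitive data
    network_access: bool          # persistent access to our network
    critical: bool                # critical/material to the company
    technical_score: int          # assumed 0-100 external technical rating, lower is worse
    records: int                  # records the vendor can reach
    tef: tuple                    # (low, most likely, high) threat events per year
    vulnerability: tuple          # (low, most likely, high) P(loss event | threat event)
    cost_per_record: tuple        # (low, most likely, high) USD per compromised record
    controls: dict = field(default_factory=dict)   # control name -> known to be in place


def in_scope(v: Vendor) -> bool:
    """Step 1 tiering rule: sensitive data, persistent network access, or critical."""
    return v.sensitive_data or v.network_access or v.critical


def ecosystems(v: Vendor) -> list:
    """Step 2: every ecosystem bucket the vendor belongs to (a vendor may be in several)."""
    buckets = []
    if v.sensitive_data:
        buckets.append("sensitive-data")
    if v.network_access:
        buckets.append("network-access")
    if v.critical:
        buckets.append("critical")
    return buckets


def _tri(rng: random.Random, triple: tuple) -> float:
    low, likely, high = triple
    return rng.triangular(low, high, likely)   # stdlib argument order is low, high, mode


def annualized_loss(v: Vendor, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of annual loss in USD: LEF x LM per trial, then mean and p90."""
    rng = random.Random(seed)
    control_scale = 1.0
    for name, present in v.controls.items():
        if present:
            control_scale *= CONTROL_EFFECT.get(name, 1.0)
    samples = []
    for _ in range(trials):
        lef = _tri(rng, v.tef) * min(1.0, _tri(rng, v.vulnerability) * control_scale)
        lm = v.records * _tri(rng, v.cost_per_record)
        if v.network_access:
            lm *= NETWORK_ACCESS_MULTIPLIER
        samples.append(lef * lm)
    samples.sort()
    return {"mean": mean(samples), "p90": samples[int(0.9 * trials)]}


def needs_action(v: Vendor, appetite: float = RISK_APPETITE_USD) -> bool:
    """Step 3: candidate for action if probable annual loss is at or above appetite."""
    return annualized_loss(v)["mean"] >= appetite


def triage(vendors: list) -> list:
    """Scope the list, then work from the worst technical score upward."""
    scoped = sorted((v for v in vendors if in_scope(v)), key=lambda v: v.technical_score)
    return [(v.name, ecosystems(v), round(annualized_loss(v)["mean"]), needs_action(v))
            for v in scoped]


# Constructed sample vendors (assumed values, not real companies).
ACME = Vendor("Acme Payroll", "acme.example", sensitive_data=True, network_access=True,
              critical=True, technical_score=42, records=100_000,
              tef=(2, 4, 6), vulnerability=(0.10, 0.20, 0.30), cost_per_record=(100, 150, 200))
# Same vendor after we learn MFA is in place at the vendor (Step 3 control adjustment).
ACME_MFA = replace(ACME, controls={"mfa": True})
CLOUD_BACKUP = Vendor("Cloud Backup", "backup.example", sensitive_data=True, network_access=False,
                      critical=False, technical_score=65, records=20_000,
                      tef=(1, 2, 3), vulnerability=(0.05, 0.10, 0.15), cost_per_record=(100, 150, 200))
PRINT_SHOP = Vendor("Print Shop", "print.example", sensitive_data=False, network_access=False,
                    critical=False, technical_score=30, records=0,
                    tef=(1, 2, 3), vulnerability=(0.05, 0.10, 0.15), cost_per_record=(50, 75, 100))
VENDORS = [CLOUD_BACKUP, PRINT_SHOP, ACME]

if __name__ == "__main__":
    for row in triage(VENDORS):
        print(row)
```

Because the inputs are independent triangular distributions, the expected annual loss is just the product of their means: for Acme that is 4 × 0.2 × 100,000 × 150 × 1.5 = $18M, above the assumed appetite, and learning that MFA is in place halves it to $9M, below appetite. That is the Step 3 flow in miniature: adjust the controls you have evidence for, then see whether the vendor still sits above the line before opening a conversation with them.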