By Bob Maley
If you’re not familiar with the FAIR model, read my previous blog post “Using the FAIR Model to Quantify Third-Party Cyber Risk”.
Step 1: Find a FAIR evangelist on your team. Not everyone in the TPRM program will need to be fluent in FAIR, but having one member who has taken the time to learn, train, and understand FAIR’s use and value will help the rest of the team as they learn the platform and the program. This person needs to be an adept critical thinker.
Step 2: Find FAIR support in other parts of the organization. Many organizations today are embracing FAIR in Enterprise Risk Management and the larger cyber security world. Identifying those folks inside your organization and sharing your roadmap for integrating FAIR into your organization’s TPRM will gain you broad support at all levels of management. If no one has yet embraced FAIR in your company, then your FAIR evangelist should prepare briefings about what it is, how it will be used in TPRM, and the value 3D Vendor Risk@Scale (SM) with FAIR will bring to the company.
Step 3: Develop a clear, specific value prop for the program. Look for the initial project to prove FAIR using some key characteristics – meaningful results achieved quickly that are easily visible to executive decision-makers.
Step 4: Train all stakeholders. The FAIR evangelist should read and be familiar with the following books, blogs and other information.
- Books: Measuring and Managing Information Risk: A FAIR Approach; How to Measure Anything in Cybersecurity Risk – Hubbard, Seiersen
- Programs: OpenFAIR Certification
- Blogs: FAIR Institute Blog; RiskLens Blog
You may also need to confront biases, including an entrenched reliance on heatmaps and qualitative risk assessments. Cybersecurity experts have been using heatmaps for quite some time and may be invested in their use, even though they are of little value in communicating actual risk, primarily due to their subjective or qualitative nature. Become familiar with the shortcomings of heatmaps. The following blogs provide a good starting point:
Establish the basics
Step 1: Determine which vendors are in scope for monitoring. If you don’t have a basic understanding of which vendors should be in scope for your TPRM monitoring program, you can follow a simple tiering model: if a vendor will receive or have access to sensitive data, will have persistent access to your network, or is critical/material to your company, then that vendor is in scope for monitoring.
When you have a list of vendors that meet those criteria, you can simply add each vendor’s primary domain (URL) to the Black Kite platform and begin monitoring.
Step 2: Use Black Kite’s ecosystem capability to create a bucket for each class of vendor (access to sensitive data, etc.). If you already have a tiering system in place, simply create ecosystems around your model. Now you can begin to take action on the information that is presented. When just getting started with the program, you can use the technical score as your first red flag. Start with the lowest technically ranked vendor, then review the FAIR impact of that vendor. If the impact is near your company’s risk tolerance, then that vendor is a candidate for action.
Step 3: Flag vendors for action. There are several avenues to take once you flag a vendor for action. The first is to review the FAIR Factors (Controls). Review the list of control items. If you know that any of them are in use at the vendor, adjust the FAIR analysis controls accordingly. Also review the number of records the vendor has access to and update the controls list if you have that data. Additionally, if the vendor has (or will have) access to your network, check the box on the screen indicating that they access data on your network. After fine-tuning these adjustments, if the financial impact is still near or above appetite, then it is time to address controls with that vendor.
Figure 3: Risk Factors Controls Options within Threat Flowchart
Step 4: Use the reporting features to filter for the highest risk issues and address those first with the vendor. As you work with the vendor you may discover false positives. Identify and mark false positives, and then re-calculate the score and check the change in probable financial impact.
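The four steps above, worked end to end as an added example. This is illustration code, not Black Kite’s scoring or its FAIR engine and not code from the author: the technical-score penalties, the loss-event-frequency formula, the per-record cost, the control-effect percentages, the network-access multiplier and the three sample vendors are all constructed assumptions chosen so the arithmetic is easy to follow. It shows the tiering rule from Step 1, ecosystem buckets from Step 2, the lowest-score-first ranking and tolerance check from Steps 2 and 3, and how marking a false positive and confirming controls (Steps 3 and 4) move the probable financial impact.

```python
"""Vendor triage for a TPRM program, mirroring the four steps above:
scope by tier, bucket into ecosystems, rank by technical score, compare a
FAIR-style probable financial impact against risk tolerance, then see how
false-positive cleanup and confirmed controls move the number.

All scoring formulas and parameters here are constructed stand-ins for
illustration; they are not Black Kite's scoring or its FAIR engine.
"""
from dataclasses import dataclass, field

# Constructed parameters (assumptions, not platform values)
COST_PER_RECORD = 150.0          # loss magnitude per exposed record, USD
BASE_LEF = 0.10                  # annual loss event frequency at a perfect score
NETWORK_ACCESS_MULTIPLIER = 1.5  # extra exposure when the vendor reaches your network
CONTROL_EFFECT = {"mfa": 0.30, "encryption_at_rest": 0.20, "edr": 0.25}
FINDING_WEIGHT = {"critical": 15, "high": 8, "medium": 3, "low": 1}


@dataclass
class Finding:
    id: str
    severity: str
    false_positive: bool = False


@dataclass
class Vendor:
    name: str
    domain: str              # primary domain entered into the monitoring platform
    sensitive_data: bool     # receives or accesses sensitive data
    network_access: bool     # persistent access to your network
    critical: bool           # critical/material to the business
    records: int             # records the vendor can reach
    findings: list = field(default_factory=list)
    controls: list = field(default_factory=list)

    def in_scope(self) -> bool:
        """Step 1 tiering rule: any one criterion puts the vendor in scope."""
        return self.sensitive_data or self.network_access or self.critical

    def technical_score(self) -> float:
        """0-100; confirmed findings subtract weight, false positives do not."""
        penalty = sum(FINDING_WEIGHT[f.severity]
                      for f in self.findings if not f.false_positive)
        return max(0.0, 100.0 - penalty)

    def probable_impact(self) -> float:
        """FAIR-style risk = loss event frequency x loss magnitude (simplified)."""
        lef = BASE_LEF * (1 + (100 - self.technical_score()) / 100)
        for control in self.controls:          # each confirmed control trims LEF
            lef *= 1 - CONTROL_EFFECT.get(control, 0.0)
        magnitude = self.records * COST_PER_RECORD
        if self.network_access:                # the "accessing data on your network" box
            magnitude *= NETWORK_ACCESS_MULTIPLIER
        return lef * magnitude


def ecosystems(vendors):
    """Step 2: one bucket per class of vendor; a vendor can sit in several."""
    buckets = {"sensitive_data": [], "network_access": [], "critical": []}
    for v in vendors:
        if not v.in_scope():
            continue
        for key in buckets:
            if getattr(v, key):
                buckets[key].append(v.domain)
    return buckets


def triage(vendors, tolerance, near=0.8):
    """Steps 2-3: lowest technical score first; flag when impact is near or above tolerance."""
    ranked = sorted((v for v in vendors if v.in_scope()),
                    key=lambda v: v.technical_score())
    return [(v.name, v.technical_score(), round(v.probable_impact(), 2),
             v.probable_impact() >= near * tolerance) for v in ranked]


def mark_false_positive(vendor, finding_id):
    """Step 4: drop a false positive and return the recalculated score."""
    for f in vendor.findings:
        if f.id == finding_id:
            f.false_positive = True
    return vendor.technical_score()


# Constructed sample vendors (names, domains and figures are made up)
ACME = Vendor("Acme Payroll", "acme-payroll.example", True, False, True, 200_000,
              [Finding("F-1", "critical"), Finding("F-2", "high"), Finding("F-3", "high")])
CDN = Vendor("Fastedge CDN", "fastedge.example", False, True, False, 5_000,
             [Finding("F-4", "medium"), Finding("F-5", "low")])
COFFEE = Vendor("Bean Supply Co", "beansupply.example", False, False, False, 0)
VENDORS = [ACME, CDN, COFFEE]
RISK_TOLERANCE = 2_000_000.0     # constructed company risk tolerance, USD


def walkthrough():
    """Work Acme through Steps 3 and 4 and report how the impact moves."""
    before = ACME.probable_impact()
    mark_false_positive(ACME, "F-1")                      # F-1 confirmed as a false positive
    after_fp = ACME.probable_impact()
    ACME.controls.extend(["mfa", "encryption_at_rest"])  # controls confirmed with the vendor
    after_controls = ACME.probable_impact()
    return {"before": before, "after_false_positive": after_fp,
            "after_controls": after_controls,
            "still_flagged": after_controls >= 0.8 * RISK_TOLERANCE}


if __name__ == "__main__":
    print(ecosystems(VENDORS))
    for row in triage(VENDORS, RISK_TOLERANCE):
        print(row)
    print(walkthrough())
```

With these constructed inputs, Acme ranks first (score 69) with a probable impact of 3.93M against a 2M tolerance; clearing one false positive lifts the score to 84 and drops the impact to 3.48M, and confirming two controls brings it to about 1.95M, which is still near appetite, so under Step 3 it remains a vendor to address controls with. The coffee supplier never enters the ranking because it fails every tiering criterion.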