Do Third-Party Cyber Risk Management the “Right Way” — and Save on Costs
Written by: Black Kite
Thinking about third-party cyber risk management can send a lot of organizations into a panic. Ultimately, most of that knee-jerk fear comes down to any company’s most taboo word: Cost. Cybersecurity spend is at an all-time high, with Gartner predicting that global cybersecurity budgets will reach $6.7 billion by the end of 2023.
With sky-high spending, it’s hard for security teams to get wiggle room for new investments. At the same time, they must reduce cyber risks with limited resources — all while the threat landscape grows larger by the minute. That means organizations end up prioritizing the risks right in front of them. As a result, third-party cyber risk management falls to the wayside, and security teams are instead left relying on old-hat security methods.
But traditional approaches to third-party risk management (TPRM) can’t keep up with what the new threat landscape demands. If organizations want to stay secure against rising threats, then something in this vicious cycle of resource strain and limited budgets must give.
The key to adapting a third-party cyber risk management program so it’s both robust and cost-effective is to build them the right way to begin with. A wise initial investment upfront leads to more dollars saved than spent in the grand scheme of things, especially with the cost of data breaches exponentially on the rise.
Roadblocks To Investing in Third-Party Cyber Risk Management
Before pinpointing the “right” methods and strategies organizations can use to monitor third-party cyber risk, let’s first dive into what obstacles usually prevent success.
Navigating Budget Prioritization
The biggest struggle in third-party cyber risk management is budget prioritization. Third-party risk management is rarely a primary concern for many stakeholders. That’s partly because it requires another investment out of already ballooning budgets — and partly because of a cultural misunderstanding of what TPRM is and why it’s important.
Organizations have more third-party relationships and partners than ever in our increasingly digital ecosystem. That means third-party threats are actively evolving, which makes it hard for organizations to see how risk works in the immediate now. This lack of education leads to TPRM falling to the wayside and moving further down the list of priorities.
Dealing With Resource Strain
Resource strain causes bumps in the road to a strong third-party cyber risk management program. In most cases, organizations already have limited resources within their security teams. That’s due to struggles with finding (and retaining) qualified talent — and a lack of organization-wide understanding of what security teams need to succeed.
As a result, strapped security teams must focus on the most high-priority activities — which usually means firefighting and addressing a sea of alerts. That leaves very little time to mitigate third-party cyber risk proactively.
Think of resource strain this way: If your room was on fire, chances are that you wouldn’t be thinking about how to protect your house from an impending hurricane. You’d address the immediate problem, even though the second issue might be just as important.
Managing Third Parties
What else impedes organizations’ attempts to build an effective third-party cyber risk management program? Resistance from their third parties.
Third parties might be reluctant to share their security practices or need more resources to implement adequate security measures themselves. Popular “good faith” or traditional methods of managing third-party cyber risk (like questionnaires) can lead to exaggerated or overly optimistic answers.
That inaccurate picture of risk ultimately makes an organization’s security strategies ineffective, leading to major security gaps. Organizations must engage in a careful balance of push and pull when interacting with their vendors to ensure that they’re sharing everything that security teams need to know.
Here’s our key takeaway: Organizations are reluctant to invest in TPRM because they’re already working with limited resources and lack a real understanding of how third-party risk affects them now — not because they don’t care about it entirely.
Costly Investments Into Your Third-Party Cyber Risk Management Program
While an inefficient program is better than no program, there are a few “wrong” ways — i.e., way more costly — to build it. Here are some red flags that might indicate a flawed approach to third-party cyber risk:
1. A Narrow Focus on Cost-Cutting
Managing costs is important, but a narrow focus on cutting costs without considering security risk could lead to massive problems down the line.
Be wise in where you choose to cut and let go of resources. Only cut where you have other coverage — aka, the places where you know automated processes can pick up the slack.
2. An Over-Reliance on Vendor Self-Assessments
In questionnaires, vendors might paint a picture of their security posture wearing rose-colored glasses. Relying on self-assessments can result in a false sense of security. Vendors may not be transparent or forthcoming about their security posture to the level they should be.
To overcome the inherent knowledge gaps in self-assessments, organizations can leverage TPRM tools that externally look into their vendors’ security postures. Using external intelligence on security can present a reasonable indication of how vendors’ security presents internally — giving organizations another set of data points to help measure potential risk.
3. Neglecting Continuous Monitoring
Continuous monitoring is essential to a robust TPRM program. So why do organizations sometimes avoid doing this? Because putting human resources into ongoing manual monitoring can be a major budget strain.
If organizations don’t continuously monitor, they risk making their assets vulnerable to costly and widespread breaches. Take what happened to T-Mobile. The telecom giant detected a third-party breach in January 2023, but the initial breach actually happened in November 2022. This undetected breach ultimately affected almost 40 million T-Mobile customers and their sensitive data.
Security teams can put tech in place to alleviate the need for manual labor in ongoing monitoring, making it easier to assess efficiently and at scale.
Cost-Effective Investments Into Your TPRM Program
Organizations can implement several strategies to build an effective TPRM program from the start — and ultimately save on cost. While there is no “one size fits all” method for every organization, sticking to the following strategies can help companies build robust TPRM programs without breaking the bank.
1. Know What Your Risk Assessments Need To Cover — And Automate
Risk assessments, while necessary, can be exhaustive and expensive if they’re done manually. Incorporating tools that facilitate automation can help organizations conduct these assessments efficiently — and at scale.
To optimize automation here, companies must already know what their risk assessments need to cover. Organizations should be able to accurately identify their critical vendors (i.e., the ones who keep business running or those who have access to sensitive data) and iterate the process from there.
2. Keep Tabs on Your Critical Vendors
New risks crop up in the threat landscape at an exponential rate. In 2022, CISA added 557 CVEs to its known exploited vulnerabilities catalog. That means a vendor that was secure yesterday might not be secure tomorrow. When it comes to tracking potential risks with these vendors, organizations should be as hungry for knowledge as possible.
Once your organization has identified which vendors are essential to both its business function and cyber health, it’s important to regularly keep track of any changes in their cyber risk posture.
Keeping tabs on vendors might sound like more work for security teams, but it doesn’t have to be. With the right automated processes in place (and the help of TPRM platforms), organizations can enable hands-off continuous monitoring.
What’s the cost of failing to keep tabs on critical vendors? Breaches. In 2013, Target suffered an $18.5 million breach when bad actors broke into its stores’ remotely accessible HVAC systems. In an increasingly digitized landscape, an OT provider could absolutely be considered a critical vendor and should be monitored as such.
3. Conduct Due Diligence
Due diligence helps organizations better understand their security posture and identify potential red flags. This process is traditionally very manual. Security teams are collecting artifacts and scouring documents to conduct gap analysis — often switching back and forth between resources and programs to do so.
Gaining visibility into different aspects of a vendor’s cyber posture is the key to reducing the manual lift that usually goes into due diligence. Organizations should seek out a tool that can grant and automate that level of visibility.
Automation in due diligence can be an absolute game-changer. Let’s look at what happened with one of our enterprise customers. A due diligence process that would normally take the organization four to six weeks to complete only took four to six hours after incorporating Black Kite into its workflow. That alone speaks to the power of automation in TPRM.
An Investment Today Keeps Bigger Costs Away
Investing in an effective third-party cyber risk program might initially incur a cost — but neglecting to invest is a multi-million dollar mistake.
Think of managing third-party cyber risk as repairing a leak in a roof. Using cheap patches or a tarp might provide temporary relief, but it doesn’t get to the source of the problem and might result in even more costly damage when the roof caves in. The best approach is to start off with a strong, fortified roof in the first place.
The same idea goes for a third-party cyber risk program. Quick fixes can’t compete with a strong foundation built the “right way.”
Need help painting an effective picture of risk for stakeholders and other departments?
Check these tips on how to get the entire company on board with your TPRM program.