Why Traditional Third-Party Risk Management Programs Aren’t Cutting It
Written by: Black Kite
With an ecosystem more digitally connected than ever, organizations must quickly “scale up” their third-party risk management (TPRM) programs to keep their eyes on more vendors in more spaces. Naturally, there have been some severe growing pains.
Here’s a glaring sign that traditional TPRM approaches aren’t working: a rise in third-party breaches. Our 2023 Third-Party Breach Report found that, on average, 4.73 organizations were affected per compromised vendor last year. Those third-party breaches can come with a hefty price tag. According to IBM’s 2022 Cost of a Data Breach report, breaches that began with a vulnerability in third-party software cost an average of $4.5 million each.
The data speaks for itself: There’s a gap between what traditional TPRM programs are doing and what modern TPRM programs need to do.
The Problem With Traditional Third-Party Risk Management
Traditional third-party risk management approaches typically rely on the all-powerful questionnaire, which gained popularity in the early days of TPRM and has stuck around ever since. Since there are no universal standards for what questionnaires need to cover, many organizations customize their own to what they think will give them a full picture of risk. That ends up stuffing questionnaires with qualitative instead of quantitative data.
Because they’re largely qualitative, traditional approaches lack the full picture of risk. As a result, organizations still struggle to properly define probable financial impact — AKA, risk as quantitative data.
Traditionally, TPRM programs classify risk by looking at security ratings, grades, and scorecards. While helpful for a general idea of risk, they cannot demonstrate probable financial impact.
Take what happened with Colonial Pipeline, for instance. While the company had decent cyber risk scores, those scores could not account for the fact that a Colonial Pipeline VPN password had already leaked onto the dark web. Attackers used that password to log in to a legacy VPN account that lacked multi-factor authentication and breached Colonial Pipeline’s network in 2021.
As it stands, TPRM programs rely on an opaque analysis of risk founded on qualitative, not quantitative, data. That leads to less-informed and less-confident business decisions, which can then make an organization more susceptible to a third-party breach, attack, or leak.
The Key to Defining Risk
Organizations need financial data to illustrate the actual potential impact of risk. Financial data speaks the language that helps executives understand supply chain risk: dollars.
Knowing probable financial impact is key to driving practical decisions and policies. Risk is ultimately about an organization weighing what it is willing to lose and what it is not. Differences in size, budget, and reputation mean that one organization’s definition of acceptable risk can differ from another’s.
That makes contextualizing risk with a concrete number essential to a robust, modern TPRM program.
Adapting to a “Modern” Approach
So what’s separating traditional and modern TPRM approaches to risk? The difference isn’t really in what to do but in how to do it.
Here are three best practices organizations can follow to define risk:
- Identify Vendors Within Scope: According to Dark Reading, 98% of organizations conduct business with a third party that has suffered a breach. What does that mean for your TPRM program? It’s critical to find out which of your vendors are most likely to be targeted and which are most likely to impact your organization’s essential business functions. Vendors that should be in scope for your TPRM program include those that can access, share, or manage your data, as well as those your essential business functions depend on.
- Create Risk Scenarios: Robust TPRM programs must build out their own risk scenarios in order to quantify risk concretely. Risk grades or scorecards can generally assess the security strength of vendors but cannot account for every single detail. When it comes to third-party risk, those details can make all the difference. A risk scenario is a concrete, realistic event (for example, a specific vendor being breached or going offline) that would affect your business operations. This lays the groundwork for the next step in identifying risk: determining probable financial impact.
- Determine Probable Financial Impact: Once you have your risk scenarios built out, you can determine the financial impact each one would have on your organization, weighting the size of the loss by how likely the scenario is. With that concrete number, security teams can clearly illustrate the reality of risk to stakeholders, arming them with the right knowledge and tools to drive better business decisions.
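The three steps above can be carried through in a small model. The script below is an added illustration written for this article, not Black Kite’s tooling or methodology. Every vendor, likelihood, cost per record and outage cost in it is a constructed assumption standing in for what a real program would pull from its vendor inventory, ratings data, threat intelligence and loss history. It scopes vendors by data access and critical-function dependence, turns each in-scope vendor into a breach or outage scenario with a dollar loss range, and then estimates probable financial impact two ways: a single expected annual loss (likelihood times loss) and a Monte Carlo distribution of simulated years, which also yields the tail figures (95th percentile, chance of a year costing over $10M) that a board tends to ask for.

```python
"""Scope vendors, define risk scenarios, estimate probable financial impact.

Added example for this article, not Black Kite's own tooling.  All vendors,
likelihoods and dollar figures are constructed assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    accesses_data: bool               # can read, store or transmit our data
    supports_critical_function: bool  # an outage stops an essential process
    records_held: int = 0             # customer records the vendor holds
    annual_breach_likelihood: float = 0.0  # assumed P(vendor breached in a year)
    annual_outage_likelihood: float = 0.0  # assumed P(multi-day outage in a year)


@dataclass
class RiskScenario:
    vendor: str
    description: str
    annual_likelihood: float  # probability the event happens in a given year
    loss_low: float           # plausible loss range in dollars
    loss_high: float


# Constructed sample inventory (assumptions, not real vendors).
VENDORS = [
    Vendor("PayrollCloud", True, True, 50_000, 0.10, 0.30),
    Vendor("MarketingAgency", True, False, 200_000, 0.25, 0.0),
    Vendor("OfficeCatering", False, False),
]
COST_PER_RECORD = 150.0          # assumed cost per exposed record, dollars
OUTAGE_COST_PER_DAY = 100_000.0  # assumed revenue lost per day of outage


def in_scope(vendors):
    """Step 1: keep vendors that touch our data or an essential function."""
    return [v for v in vendors if v.accesses_data or v.supports_critical_function]


def build_scenarios(vendors, cost_per_record, outage_cost_per_day):
    """Step 2: turn each in-scope vendor into concrete loss scenarios."""
    scenarios = []
    for v in vendors:
        if v.accesses_data and v.records_held:
            base = v.records_held * cost_per_record
            scenarios.append(RiskScenario(
                v.name, f"breach at {v.name} exposes {v.records_held:,} records",
                v.annual_breach_likelihood, 0.5 * base, 1.5 * base))
        if v.supports_critical_function and v.annual_outage_likelihood:
            scenarios.append(RiskScenario(
                v.name, f"{v.name} outage halts a critical process for 1-5 days",
                v.annual_outage_likelihood, 1 * outage_cost_per_day, 5 * outage_cost_per_day))
    return scenarios


def expected_annual_loss(scenario):
    """Step 3a: likelihood x midpoint loss, the single-number view."""
    midpoint = (scenario.loss_low + scenario.loss_high) / 2
    return scenario.annual_likelihood * midpoint


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Step 3b: Monte Carlo over many simulated years.

    Each year every scenario fires with its likelihood and a loss is drawn
    uniformly from its range.  Returns the total loss for each year, which
    gives a distribution (tail percentiles) rather than just an average.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_likelihood:
                total += rng.uniform(s.loss_low, s.loss_high)
        losses.append(total)
    return losses


def percentile(values, q):
    """Nearest-rank percentile of a list, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(vendors, cost_per_record, outage_cost_per_day, years=20_000, seed=1):
    """Run all three steps and report the numbers a board can act on."""
    scenarios = build_scenarios(in_scope(vendors), cost_per_record, outage_cost_per_day)
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "scenarios": [(s.description, expected_annual_loss(s)) for s in scenarios],
        "expected_annual_loss": sum(expected_annual_loss(s) for s in scenarios),
        "simulated_mean": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "prob_loss_over_10m": sum(1 for x in losses if x > 10_000_000) / len(losses),
    }


if __name__ == "__main__":
    report = summarize(VENDORS, COST_PER_RECORD, OUTAGE_COST_PER_DAY)
    for desc, eal in report["scenarios"]:
        print(f"{desc}: expected annual loss ${eal:,.0f}")
    print(f"total expected annual loss: ${report['expected_annual_loss']:,.0f}")
    print(f"95th percentile year: ${report['p95_annual_loss']:,.0f}")
    print(f"P(annual loss > $10M): {report['prob_loss_over_10m']:.1%}")
```

With the assumed figures, the caterer drops out of scope, the payroll vendor produces two scenarios (breach and outage) and the marketing agency one, and the marketing agency’s 200,000 records dominate the total expected annual loss of $8.34M even though the payroll vendor is the one that supports a critical function. That is the point of working in dollars: a vendor with a middling security rating but access to a large volume of data can be the larger financial exposure, and the simulated tail shows how bad a bad year could be rather than only the average.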
Here’s The Thing About Best Practices – They Always Change
The world around us is a constantly shifting space. After all, it was only just over 100 years ago that a horse and buggy was the “best practice” for getting around. Today, a horse and buggy could still “work,” but it would not be very convenient and would induce a unique kind of road rage.
Best practices are not set in stone. They’re always adapting to new challenges. Security leaders must take that same approach to TPRM. Just because the traditional method “works” doesn’t mean that it’s actually secure.
Ramping up your TPRM program all comes back to identifying probable financial impact. That quantitative data equips your teams with the right knowledge to take on the modern threat landscape and protect your assets where they’re most vulnerable.