Third-party risk management (TPRM) Knowledge Center
Modern Businesses Depend On Rigorous TPRM
What is TPRM?
TPRM stands for third-party risk management — or the processes and utilization of tools meant to monitor and assess the risks posed by working with third parties.
It helps companies understand what potential risks they might take on by engaging with certain partnerships. Ultimately, TPRM is an umbrella term encompassing the management of all kinds of risk posed by third parties. These types of risk include:
Cybersecurity risk
The risks that come along with being digitally connected to partners and vendors.
Regulatory risk
The threats that third parties pose to an organization maintaining compliance.
Operational risk
Risks that put essential workflows and tasks in a business at a standstill, slashing productivity.
Reputational risk
Threats to an organization’s good standing and perception in the public eye.
Working with vendors, partners, and suppliers naturally introduces some risk to your organization. With more businesses connected than ever, effectively measuring third-party risk is essential to keeping tabs on your own cyber hygiene.
However, the level of risk your company faces varies depending on a third party’s unique security profile and your risk appetite. Tolerable risk varies from organization to organization, meaning what might be unacceptable to one business could be acceptable to another. Those contextual factors mean there is no one-size-fits-all approach to TPRM.
Therefore, an effective TPRM strategy analyzes vendors’ risk profiles based on an organization’s individual risk appetite, values, and goals.
How Does TPRM Work in Practice?
TPRM encompasses many different types of risk and concerns, which means learning about it can get theory-heavy.
Let’s take a look at a few examples of how organizations apply TPRM in real life:
Worries Over Ransomware
A security team might be worried about susceptibility to ransomware that exploits a specific known vulnerability tracked under a CVE identifier. To assess the risk a vendor poses, that team would deploy third-party risk management strategies or tools to identify whether the vendor was affected by that CVE and whether or not it had been remediated.
This process helps security teams gain a greater understanding of the potential vendor’s risk profile — and therefore make better decisions on whether or not that risk is worth the benefits of working with that vendor.
Concerns About Concentration Risk
An organization might be concerned about whether it faces excess concentration risk — or the risk that accumulates when a considerable amount of value or assets are concentrated with a single vendor. When an organization experiences a breach through a vendor it heavily relies on, it magnifies the effect of the cyber incident, such as downtime or loss of business services.
As such, an organization would use third-party risk management strategies to conduct an audit of its vendors to identify the concentration risk of each, determine which vendors have unacceptably high concentration risk, and identify where diversification of vendors is necessary to mitigate intolerable risk.
The Benefits of Robust TPRM
The most imminent threat in today’s threat landscape is connected risk — or risk from working with third-party partners and vendors. In fact, 98% of companies that conduct business with third parties suffer from breaches.
How can modern third-party risk management programs mitigate the blow of third-party risk? By granting security teams access to contextualized insights to ramp up defense against bad actors — and ultimately, save organizations time, resources, and cold hard cash.
The top five benefits of a robust TPRM program are:
Improved Decision Making
Efficient TPRM programs grant stakeholders insight into the quantitative risk — or probable financial impact — that potential vendors pose to their organization.
Proactive Cybersecurity Practices
Modern TPRM programs enact a preventative (rather than reactive) approach to cybersecurity. With proactive strategies, teams can flag early indicators of an attack and take steps to prevent it altogether.
Greater ROI
Robust TPRM programs increase the efficacy, strength, and resilience of an organization’s greater cybersecurity program. An initial commitment to TPRM can save organizations big in the long run — ultimately making TPRM a high-return investment.
Better Use of Resources
By identifying which vendors are in scope of your TPRM program, your teams can more efficiently allocate their forces to where they’re needed most: the vendors that could cause your organization the most damage if they’re breached.
Reduced Losses
Fewer incidents means fewer times your company will have to pay out to money-hungry bad actors.
Traditional Solutions for TPRM
Your teams are likely already familiar with (and probably leveraging) some of the most commonly used TPRM strategies and tools.
Here are a few popular methods, how they work, and where they fall short.
Questionnaires
To help combat mounting threats from unmanaged third-party risk, organizations often deploy security questionnaires.
A questionnaire is a list of security-related inquiries meant to provide the issuing company with insight into a vendor’s cyber hygiene. These questionnaires help organizations decide whether or not to do business with the vendor in question. Because questionnaires are produced by individual organizations, the questions included may vary from company to company.
While still widely used, questionnaires have faced criticism in recent years that they’ve become outdated and unwieldy in today’s fast-moving threat landscape. Some of these criticisms claim that questionnaires are:
- Time-consuming: Because these questionnaires differ from organization to organization, they can take a considerable amount of time to fill out. They also inundate security teams with hundreds of different types of answers (and therefore, information) to parse through, which can slow risk analysis.
- Qualitative, not quantitative: Questionnaires give organizations a qualitative view of risk, which only provides security teams with a surface-level picture of a vendor’s true cyber hygiene.
- Too flexible, not enough structure: Questionnaires are customizable from organization to organization. As a result, many enterprises fill them with questions that they think will give them a full picture of risk. However, that means they may not be asking the right questions necessary to give organizations an accurate picture of risk.
- Rely on vendors to be honest: There is no way to guarantee that vendors fill out questionnaires with an objective, or even truthful, lens. They rely on vendors answering questions in good faith, which may lead to more optimistic rather than realistic data.
Security Rating Services
Security rating services are private entities that devise processes for analyzing an organization’s cyber hygiene. These services then “rate” a company’s cyber health, typically by granting an A to F letter grade.
Today, ratings are closer to credit scores than accurate representations of an organization’s risk profile. Organizations need decent security ratings in order to safeguard their reputation, and more importantly, qualify for cyber insurance. However, these ratings in and of themselves do not necessarily show an objective picture of an organization’s cyber risk profile.
Critics point to two main shortcomings of security ratings:
- They’re qualitative: Ratings alone lack the context organizations need to make accurate and data-driven business decisions.
- They’re opaque: Security rating services keep the recipes to their ratings secret. That means organizations can’t know if an SRS is taking all a vendor’s risk factors into account.
Ultimately, this lack of context leads to a letter grade that, while seemingly objective on the surface, ends up being a subjective assessment of how susceptible a vendor might be to breaches, leaks, and attacks.
All organizations are susceptible to breaches, even those with high ratings. Some famous examples include:
Why Traditional TPRM Needs A Refresh
Our current understanding of third-party risk management developed over two decades ago – but traditional programs and practices haven’t evolved with the threat landscape. As a result, TPRM programs are long overdue for modernization.
Here’s why traditional methods of measuring third-party risk aren’t cutting it:
Qualitative questionnaires provide an incomplete picture of risk. They cannot obtain an objective view of a vendor’s cyber hygiene because they rely too strictly on good faith and fail to contextualize the insights they collect.
Rating systems are opaque and also lack appropriate contextualization from vendor to vendor. Instead, they reduce risk to static letter grades that make it difficult to facilitate effective decision-making.
Why haven’t more companies moved on to more advanced third-party risk management? Roadblocks in the form of cost, resource strain, and budget prioritization present challenges in modernization — but the real source behind TPRM stagnation is human nature.
People are creatures of habit, and old habits die hard. Organizations have developed approaches to TPRM they’re already accustomed to, making modernization difficult to achieve.
The Power of Quantifying Risk
Here’s the truth about ratings and questionnaires: they don’t work alone.
Although letter grades can provide some idea of a vendor’s cyber hygiene, they fail to paint a full picture of risk because they lack contextualized insights. Without contextualized insights, organizations can only see a surface-level picture of risk. That qualitative risk isn’t enough for organizations to make critical decisions.
An effective TPRM program needs to put risk in quantifiable terms. In other words, it needs to assign risk a dollar value.
Assigning risk a concrete numerical (and financial) value helps executives understand supply chain risk — and therefore, drive practical decisions and policies. Giving risk a dollar value also helps executives concretely see where TPRM strategies are lacking — and what they might pay for it.
To get a quantifiable picture of risk, TPRM programs must:
- Determine Vendor Scope: Security teams must narrow down which vendors are most likely to get targeted and which are most likely to impact essential business functions.
- Identify Risk Scenarios: In effective TPRM programs, details make the difference. Organizations must create hypothetical incidents and analyze their impact in order to develop the right plan for that incident should it occur.
- Calculate Probable Financial Impact: This is where dollars come in. When risk is assigned a concrete number, security teams can arm stakeholders with the right information they need to make better business decisions.
- Apply Resources to Highest Risk Vendors: Once security teams know which vendors pose the most risk to their organization, they can better focus and distribute their resources.
- Monitor for Changes: This is the “repeat” part of “rinse and repeat.” Once a robust TPRM program is built out, organizations must continuously monitor their vendors in scope for changes — and re-hash their analyses accordingly.
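The five steps above as a worked example, added here and not Black Kite's own code: a simplified FAIR-style annualized loss calculation over constructed vendor data (the PERT weighted mean used for loss magnitude is an assumption standing in for the Monte Carlo simulation Open FAIR tooling normally runs), which scopes vendors, sums scenario losses, ranks vendors against a risk appetite, and re-scores a vendor when a monitored input changes.

```python
# Added example (not Black Kite's code): a simplified FAIR-style quantification of vendor risk.
from dataclasses import dataclass, replace

@dataclass
class RiskScenario:
    name: str
    loss_event_frequency: float  # expected loss events per year
    loss_min: float              # three-point dollar estimate of loss per event
    loss_likely: float
    loss_max: float
    def expected_loss_magnitude(self) -> float:
        # PERT-style weighted mean (assumption: Open FAIR tooling usually simulates these ranges)
        return (self.loss_min + 4 * self.loss_likely + self.loss_max) / 6

    def annualized_loss(self) -> float:
        return self.loss_event_frequency * self.expected_loss_magnitude()

@dataclass
class Vendor:
    name: str
    in_scope: bool   # step 1: vendor supports an essential business function
    scenarios: list  # step 2: hypothetical incidents modelled for this vendor
    def annualized_loss(self) -> float:
        # step 3: probable annual financial impact summed over all scenarios
        return sum(s.annualized_loss() for s in self.scenarios)

def prioritize(vendors, risk_appetite):
    """Step 4: rank in-scope vendors by annualized loss and flag those above appetite."""
    ranked = sorted((v for v in vendors if v.in_scope),
                    key=lambda v: v.annualized_loss(), reverse=True)
    return [(v.name, round(v.annualized_loss()), v.annualized_loss() > risk_appetite)
            for v in ranked]

def rescore(vendor, scenario_name, new_frequency):
    """Step 5: recompute when monitoring changes an input (e.g. an unremediated CVE)."""
    updated = [replace(s, loss_event_frequency=new_frequency) if s.name == scenario_name else s
               for s in vendor.scenarios]
    return round(replace(vendor, scenarios=updated).annualized_loss())

# Constructed sample vendors; frequencies and dollar ranges are illustrative only
VENDORS = [
    Vendor("payroll-saas", True, [RiskScenario("ransomware outage", 0.2, 50_000, 200_000, 1_000_000),
                                  RiskScenario("data breach", 0.05, 100_000, 500_000, 3_000_000)]),
    Vendor("office-catering", False, [RiskScenario("data breach", 0.1, 1_000, 5_000, 20_000)]),
    Vendor("managed-dns", True, [RiskScenario("dns outage", 0.5, 10_000, 40_000, 150_000)]),
]

if __name__ == "__main__":
    for name, ale, over in prioritize(VENDORS, risk_appetite=50_000):
        print(f"{name:16} ${ale:>9,}  {'over appetite' if over else 'within appetite'}")
```

The out-of-scope caterer drops out of the ranking entirely, which is the resource-allocation point of step 1 and step 4; re-scoring returns a fresh value rather than mutating the stored vendor, so the last analysis stays comparable with the next one.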
Our TPRM Knowledge Starter Pack
Looking to expand your knowledge on building out the right TPRM program but unsure where to start?
Check out our starter pack of TPRM essentials:
TPRM is More Than a Score
With Black Kite, TPRM is more than a score.
We believe in approaching third-party risk management:
- Holistically: Our platform accounts for multiple factors of risk and doesn’t simply spit out a letter grade. We provide security teams with contextual insights from a variety of perspectives — including cyber, financial, and compliance risk. We enable risk quantification, and assign an actual dollar value to probable impact, by leveraging the Open FAIR™ model.
- Transparently: Unlike many other security rating services, we’re transparent about how we calculate our ratings. Our process analyzes countless data points across several risk categories from millions of servers. We collect this data by continuously monitoring your vendors with passive, non-intrusive scans. Then, we take those data points and use MITRE standards to inform ratings.
- Efficiently: Our platform holds powerful automation capabilities, meaning that your organization can continuously monitor third parties without expending extra resources — and do it all at scale.
Our platform includes the following features to ensure organizations receive a 360-degree view of risk:
- Technical Cyber ratings (using MITRE standards)
- Risk Quantification (using the Open FAIR™ model)
- Compliance Correlation
- Ransomware Susceptibility (using our proprietary Ransomware Susceptibility Index, or RSI)
Learn more about how Black Kite brings TPRM to the modern era.
Don’t Just Take Our Word for It
Our platform has made a difference with countless customers looking to take their TPRM programs to the next level.
But don’t take our word for it. See the testimonials for yourself.
Fractional CISO →
Black Kite has brought consistency to the Fractional CISO program, making us more effective as a company and allowing us to reallocate time to the client’s needs instead of digging around looking for findings or vulnerabilities.
― Rob Black, Founder of Fractional CISO
With the power of Black Kite, Fractional CISO can deliver next-day results to clients for processes that used to take three weeks.
Markel →
The Black Kite platform makes unknowns known, and educates our team internally around those findings. This assists in underwriting, portfolio management, and advocacy when working with management.
― Lou Botticelli, Senior Director, US Cyber Product Leader at Markel
Black Kite gave Markel visibility into each policyholder’s risk in as little as several minutes, dramatically reducing the time it takes to assess underwriting risk.
University of Kansas Health System →
A lot of third-party rating services just give you a list of findings…We needed a tool that could translate the findings into actionable steps to improve our security posture.
― Cybersecurity analyst at the University of Kansas Health System
Before Black Kite, the University of Kansas Health System’s security team emailed and manually sifted through answers from vendors to check if they had been attacked. Now, they are able to gain an instantaneous overarching view into their third parties’ security posture.