Taking a Fresh Approach to Managing Third-Party Cyber Risk

The risk of cyberattack through third parties was a recurring theme at RSA 2019. The 2014 Target breach seems to have altered the DNA of CISO thinking on this issue. It’s not that third party risk is new. It’s just that the scale of vulnerability and potential business impact are only now becoming clear.

Today’s CISO must devise and implement a coherent, effective plan to assess and mitigate risks posed by third parties such as suppliers and partners. The Target breach showed how this plays out in practice: attackers entered through network credentials stolen from a heating and air-conditioning contractor, and weak internal segmentation and monitoring let that foothold reach the payment systems. When sub-optimal countermeasures meet a breached supplier, disaster can easily ensue. The challenge, however, is to manage third party risk efficiently. Resources are limited and third parties are plentiful.

Firms like CyberGRX are stepping in to fill the void. Their approach has been to build a solution around the notion of a risk exchange and community. The inspiration came from the founders’ earlier experiences trying to manage cyber risk for a big Wall Street firm. Such firms have hundreds, or even thousands, of connected entities, each of which carries some cyber risk. They saw firsthand how difficult it is to scale a third party risk management program.

To understand the problem, consider that large corporations require a security assessment of their vendors, to name just one kind of third party. The difficulty is that each company assesses every one of its vendors separately. It’s a massively inefficient process. The same vendor can be subject to dozens of near-identical risk evaluations and must attest repeatedly to the strength of its security measures. It’s a huge waste of time on both sides: the vendor answers the same questions again and again, and each inquiring company repeats the same resource-intensive review in parallel.

The CyberGRX solution was to develop a way to share risk assessments in a meaningful, trust-based way. In practical terms, this means a system in which a single risk assessment can be shared by multiple organizations. Once a vendor has been vetted, all of its customers can rely on the same report. Both sides save time. Of course, everyone has to trust that the report is accurate and current; a shared assessment is only as good as the rigor behind it and the date it was performed. That is the challenge CyberGRX sets out to address.

CyberGRX also develops risk scores and analyzes third parties. For example, it might rank law firms (a common type of third party in this context) on the basis of their data protection controls. CyberGRX customers can then see how a particular law firm rates on cyber security.

Such a setup might raise questions of liability. What if a vendor disagrees with its risk score on CyberGRX? According to the company, this has not been a big issue. Third parties have generally welcomed the assessments, since they save time overall and give the vendor the ability to correct any misperception once instead of answering the same question over and over again.