9 Things to Ask a Potential Risk Management Vendor
As Third-Party Cyber Risk Management (TPCRM) evolves, organizations are finding themselves in the precarious position of knowing that their third parties bring with them an increased level of risk, while being unsure if their current methods of managing third-party cyber risk are sufficient–or even effective.
Here are 9 questions to ask any TPCRM solution provider you’re considering:
1. Do you specialize in third-party cyber risk management (TPCRM) capabilities?
There are various tools that assist with TPCRM, but not all offer the breadth needed to protect against cyber threats. Governance, Risk, and Compliance (GRC) and workflow tools, for example, help organize and prioritize risk assessment programs across multiple teams and third parties.
These tools let companies manage and integrate regulated IT operations as a whole, and some have specific third-party risk management modules, but those modules are often limited in scope and functionality. Some are merely one offering in a larger product suite, so the specialized approach that TPCRM requires is lacking.
2. Does your third-party risk management solution incorporate a wide range of intelligence inputs?
Whatever TPCRM approach you use should give you visibility into the full cybersecurity posture of your third-party ecosystem. Many tools provide only a narrow view, leaving you exposed to threats that are not reflected in the information you receive.
Security ratings, for example, attempt to quantify an organization’s cyber risk by aggregating external data sources: news, breach aggregators, credit card investigations, breach disclosures, dark web chatter, and sometimes social media. Security rating tools can be used on their own, but an outside-in score is only one input to a third-party cyber risk management program. Relied on alone, it leaves your organization open to threats the external data never captures, such as weak internal controls that are invisible from outside the third party’s network.
3. Are your assessments customizable to help me manage multiple frameworks and compliance needs?
If the cybersecurity assessments on an exchange are customized per customer, it is not a true exchange: bespoke answers cannot be compared across third parties. A true exchange is built on a dynamic, structured dataset that supports rich analytics and actionable insights. Without a structured dataset, the solution is merely a static repository of documents that quickly goes out of date.
A standardized risk assessment process that collects data in a structured format lets both third parties and enterprises run analytics on that data and derive insights. It also removes the redundant, bespoke questionnaires that burden third parties, leaving your team more time for strategic risk management.
When you can see patterns across your entire portfolio of third parties, you can decide quickly which risks to mitigate first, so your team is most effective with the least effort.
4. What kind of continuous monitoring capabilities does your solution have?
Most companies learn about a breach at one of their third parties from a news headline, by which time it is often too late and the fallout has already reached them.
Your TPCRM solution should not only give you visibility into your third-party ecosystem but also alert you to breaches within your portfolio. With that information and context, you can assess the possible impact on your business and work with the affected third party to assess and manage the risk.
5. What options do I have if my third parties can’t or won’t fill out a security assessment for me?
Assessment chasing is when you have requested a cybersecurity assessment from a current or prospective third party and find yourself repeatedly following up, or “chasing them down”, to get it completed.
These delays mean additional resources must be spent to get the assessments finished. More troubling, until a completed assessment arrives your company is exposed to unknown risks for however long that takes.
CyberGRX offers a capability called Predictive Risk Profiles, which forecasts how a given third party would answer assessment questions based on factors such as firmographics, threat intelligence, outside-in data, and similar completed assessments on the exchange. CyberGRX reports up to 85 percent accuracy for these forecasts and describes the feature as exclusive to its exchange; it removes the need for assessment chasing. Note that a predicted profile is a forecast, not evidence from the third party: treat it as a triage input for prioritization until the third party validates or corrects it.
Because the CyberGRX exchange collects standardized data from thousands of companies, a Predictive Risk Profile can be created for every company on it. Each company can then view and share its Risk Profile as it sees fit, enabling transparency and collaboration on control gaps and remediation strategies.
6. Can I map your assessment to any framework, whether it’s our custom one or standard industry ones?
If a cybersecurity assessment cannot be viewed through the lens that matters most (and provides the most value) to your organization, you are wasting resources and leaving gaps unaddressed. TPCRM solutions built on customizable assessments lack this capability because they do not collect standardized data, so you lose visibility into vendor security postures and the ability to quickly identify and mitigate risk.
CyberGRX’s Framework Mapper lets you map exchange data to other assessments and frameworks, so you can move away from custom, redundant questionnaires, reduce time spent on assessments, and build comprehensive risk mitigation strategies. It offers flexible reporting, such as sorting and filtering by compliance area and domain, controls, benchmarks and comparisons, so the data is presented in the way that makes the most sense for you and your customers.
7. How will I know if my third parties are vulnerable to the latest data breach?
New cyber threats constantly emerge and evolve, so a one-size-fits-all approach to detection and mitigation leaves you vulnerable. Threat profiles are use cases that bring together the type of bad actor, their target(s), and the attack lifecycle (kill chain), expressed as the sequence of MITRE ATT&CK® techniques used to achieve the compromise.
This data can then feed ongoing threat monitoring and remediation. When threat profiles are built into a TPCRM solution, you can see how a third party aligns against each control that mitigates or detects a technique in the profile. If any of those controls are missing, you can follow up with the third party to request remediation.
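The Framework Mapper and threat profile passages above describe two uses of one standardized answer set: rolling it up to another framework’s requirements, and checking it against the controls that a threat profile’s ATT&CK techniques call for. The script below is an added example of both, written for this page and not CyberGRX’s code. The control IDs, the two framework requirement schemes ("FW-A" and the customer-specific "ACME-CUST"), the vendor’s answers, and the technique-to-control mapping are all constructed for illustration; only the ATT&CK technique IDs are real, and the controls assigned to them are assumptions.

```python
"""Added example (not CyberGRX code): a standardized assessment answer set
rolled up to external frameworks and checked against an ATT&CK-based
threat profile. All control, framework and mapping data is constructed."""

from collections import defaultdict

# Constructed sample: one vendor's yes/no answers to a standardized questionnaire.
VENDOR_ANSWERS = {
    "CTRL-01": True,   # MFA enforced on all remote and administrative access
    "CTRL-02": False,  # Email filtering plus periodic phishing awareness training
    "CTRL-03": True,   # Offline backups, restore-tested at least quarterly
    "CTRL-04": False,  # Credential hygiene (LSASS protection, no cached admin creds)
    "CTRL-05": True,   # EDR deployed on all endpoints and servers
    "CTRL-06": False,  # Privileged accounts reviewed and recertified quarterly
}

# Hypothetical crosswalk: standardized control -> requirement ID per framework.
# "ACME-CUST" stands in for a customer's own bespoke framework; IDs are invented.
CROSSWALK = {
    "CTRL-01": {"FW-A": "A.1", "ACME-CUST": "ID-3"},
    "CTRL-02": {"FW-A": "A.2", "ACME-CUST": "ID-7"},
    "CTRL-03": {"FW-A": "R.4", "ACME-CUST": "BC-1"},
    "CTRL-04": {"FW-A": "P.2"},
    "CTRL-05": {"FW-A": "D.1", "ACME-CUST": "ID-9"},
    "CTRL-06": {"FW-A": "A.5", "ACME-CUST": "ID-3"},
}

# Hypothetical threat profile: a ransomware operator's kill chain as ATT&CK IDs.
RANSOMWARE_PROFILE = ["T1566", "T1078", "T1003", "T1486", "T1490"]

# Assumed mapping of each technique to the standardized controls expected
# to mitigate or detect it (real IDs, invented control assignments).
TECHNIQUE_CONTROLS = {
    "T1566": ["CTRL-02", "CTRL-05"],  # Phishing
    "T1078": ["CTRL-01", "CTRL-06"],  # Valid Accounts
    "T1003": ["CTRL-04", "CTRL-05"],  # OS Credential Dumping
    "T1486": ["CTRL-03", "CTRL-05"],  # Data Encrypted for Impact
    "T1490": ["CTRL-03"],             # Inhibit System Recovery
}


def framework_view(answers, crosswalk, framework):
    """Roll standardized answers up to one framework's requirement IDs.

    A requirement counts as satisfied only if every standardized control that
    maps to it is in place. Controls the framework does not cover are ignored."""
    by_requirement = defaultdict(list)
    for control, mappings in crosswalk.items():
        if framework in mappings:
            by_requirement[mappings[framework]].append(answers.get(control, False))
    return {req: all(states) for req, states in sorted(by_requirement.items())}


def threat_profile_gaps(answers, profile, technique_controls):
    """Return {technique: [missing controls]} for each technique in the profile
    that the vendor's answers do not fully cover. An unanswered control is
    treated as missing, so a partial questionnaire never hides a gap."""
    gaps = {}
    for technique in profile:
        missing = [c for c in technique_controls.get(technique, [])
                   if not answers.get(c, False)]
        if missing:
            gaps[technique] = missing
    return gaps


def profile_coverage(answers, profile, technique_controls):
    """Fraction of profile techniques whose mapped controls are all in place."""
    if not profile:
        return 1.0
    uncovered = len(threat_profile_gaps(answers, profile, technique_controls))
    return (len(profile) - uncovered) / len(profile)


if __name__ == "__main__":
    for fw in ("FW-A", "ACME-CUST"):
        print(fw, framework_view(VENDOR_ANSWERS, CROSSWALK, fw))
    print("gaps:", threat_profile_gaps(VENDOR_ANSWERS, RANSOMWARE_PROFILE, TECHNIQUE_CONTROLS))
    print("coverage:", profile_coverage(VENDOR_ANSWERS, RANSOMWARE_PROFILE, TECHNIQUE_CONTROLS))
```

Two design points worth noting. In the crosswalk, "ID-3" is fed by two standardized controls (CTRL-01 and CTRL-06), and the roll-up reports it unsatisfied because one of them is missing; a many-to-one mapping must use all-of semantics or the framework view will overstate compliance. In the gap check, a control the vendor never answered is treated the same as a "no", which is the conservative reading of an incomplete or predicted assessment.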
8. How scalable is your solution?
A Ponemon study found that the average organization works with over 5,800 third parties. That is a lot of security assessments to complete and data to analyze. The way it is done today, assessment chasing and maintaining static spreadsheets, does not scale, and many organizations cannot keep up.
The current method creates backlogs and does not let security and risk professionals manage risk accurately or sufficiently. It has become a compliance checkbox, which may keep auditors and regulators at bay but not attackers. You need a solution that lets you quickly determine the cybersecurity posture of your third parties so that the assessment process and vendor onboarding keep moving.
9. Does your solution help me prioritize which of my third parties are relevant and pose a critical risk to my organization?
A hallmark of a good TPCRM program is that it scales with your business.
With organizations averaging more than 5,800 third parties, manually identifying the inherent risk of each costs valuable time and resources. You need to rapidly identify and prioritize the vendors that pose the most risk, so that your company stays protected.
With AIR Insights™, you receive rapid, automated insights on the likelihood that each vendor will have a cyber incident and the impact it would have on you. This capability is critical to a TPCRM program because it lets you build a prioritized assessment strategy, focus on the third parties that matter most, and accelerate due diligence across your entire portfolio.
Third-Party Cyber Risk Management For Dummies
Third-Party Cyber Risk Management For Dummies discusses this new world of third-party cyber risk management in five chapters: Understanding Third-Party Cyber Risk Management, Communicating the Importance of TPCRM, Tackling the Traditional (and Outdated) Approach to TPCRM, Evolving TPCRM With a Data-Driven Approach, and Ten Ways to Make Your TPCRM Program Successful.
Watch the Webinar: Cyber Risk Management for Dummies
Join CyberGRX CEO Fred Kneip and Chipotle CISO Dave Estlick as they kick off this four-part webinar series covering all chapters of the recently released guide, Third-Party Cyber Risk Management For Dummies.
CyberGRX standardizes third-party cyber risk management, making it possible to gain insights, prioritize risks, and make smarter decisions across your entire vendor ecosystem. Driven by data analytics and automation, real-world attack scenarios, and real-time threat intelligence, CyberGRX provides customers with comprehensive and ongoing analysis of their vendor portfolio.