Part 1 – “Doing It Right” – What Problem Are You Trying to Solve?

This is the first of a four-part series.

This series has been designed to help CISOs and other risk management practitioners examine their programs from a unique perspective – one in which the objective problem your organization is trying to solve takes center stage and risk managers can effectively respond as that problem morphs over time.

Key to your mission statement, i.e., why your program exists, is to effectively manage the risk that third parties introduce across your organization’s entire ecosystem. In its most basic form, risk management is “the combination of personnel, policies, processes and technologies that lets you achieve and maintain an acceptable level of loss exposure.”[1]

TPRM Objectives: What are your objectives, and what should they be? It seems simple to say that risk managers must keep their eye on the ball – the overarching twin objectives that every TPRM program encompasses, which are:

Measuring and controlling actual risk versus just managing compliance; and

Balancing that need against cost efficacy.

The members of your third party ecosystem have access to confidential information, intellectual property, and/or critical systems. Consequently, your organization is only as secure as your third party partners’ cyber security capabilities.

Gaining Context: Benchmarking studies demonstrate that programs fall far short of the targets set for robust risk management.[2] “Cluelessness” in risk management emerges when we fail to recognize and respond to the program’s original, fundamental goals as they change over time. For example, over the course of a three-year strategic plan for the program, the entire value proposition for a goal may no longer be relevant, because threat factors evolve rapidly and pose new risks at any given point during those three years. By adopting a static long-term strategy that is not allowed to shift in response to the real world, we will have failed to correct our trajectory.

To gain context, a model that provides both qualitative and quantitative evaluation is required. In Measuring and Managing Information Risk: A FAIR Approach, Jack Freund and Jack Jones examine the Factor Analysis of Information Risk (FAIR) Model approach to risk analysis. This method adopts a standardized process with guided scoping so that you ask the ‘right’ questions in developing your risk scenarios across a range of risk probabilities and types. The result is a calibration of risk across your organization, from which risk managers can gain meaningful context and develop actionable metrics for TPRM assessments, including continuous monitoring.

Evaluating Risk & Developing Strategy: A widely used analogy demonstrates how people attach value and assumptions to risk. This analogy is the “Bald Tire” scenario.

Think about a tire for a moment. As you visualize the tire you can see that it is very bald, so much so that the cords are easy to see. Now, before you move on to the next point, jot down what risk that tire presents.

Now imagine that the tire is hanging on a rope from a tree. Does this change your view of the risk the tire presents? Make a note of your thoughts.

As you continue to imagine the tire, you notice that the rope is significantly frayed. Does this change your risk view? Make a note!

Go one step further and imagine now that the tire is hanging over a cliff, with a 100 foot drop and sharp rocks at the bottom of the cliff. Now analyze your risk again in this new scenario.

What is your actual risk in all the scenarios? In the first scenario did you think about dangerous driving, perhaps on wet roads with catastrophic results? Were you relieved in scenario two, imagining a serene swing, only to have that serenity dashed in scenario four?

You were asked to determine the risk surrounding the tire and nothing else. As I noted, most people who walk through this set of scenarios insert presumptions at each step. Did you? In reality, in the scenario provided, the only risk is to the asset (the tire). So if the rope breaks and the tire plunges to its demise at the bottom of the cliff, the only loss is the minimal value of the tire. It’s human nature to imagine threats outside of a particular risk scenario. This is the challenge in understanding TPRM.

Now, take this exercise one step further and define a different scenario. The tire is your third party. Apply the same scenarios as above. Does YOUR risk, as the outsourcer, change? No, your risk does not change at all, because the third party intrinsically means nothing to you yet. Obviously, there is risk to the third party; however, until that third party gains access to something of value from your company (sensitive information, critical service provision, and/or network connectivity), the outsourcer’s risk posture does not change relative to that third party.

Controlling Your TPRM Landscape: What is the value of what your third parties are doing for you? The answer to this question is how you improve TPRM maturity and get up to speed quickly. TPRM is a multi-faceted, multi-year effort. Third party risk is far too complicated to have a single magic tool. Indeed, if TPRM is worth doing, it is worth doing right. In other words, it is essential to focus your resources on establishing a program with strong fundamentals. Studies show that mature programs are well out of the reach of most organizations. In those less mature programs, there is often evidence of ‘cluelessness’, where a number of factors point to the fact that an organization is wasting time and resources (both its own and its third parties’) and is not achieving the objectives of its TPRM program. Examples include dogmatic inflexibility about trivial metrics, a lack of recognition of the diminishing value of exhaustive (unscoped) questionnaires, and development of risk formulae that are neither relevant nor actionable.

With disruption so common in business models, the key to creating a successful TPRM program in a short period of time and getting it up and running effectively is applying the Observe-Orient-Decide-Act (OODA) Loop model. The Shared Assessments Program’s white paper Innovations in Third Party Continuous Monitoring: With a Name Like OODA, How Hard Can It Be? provides a deeper understanding of what the OODA Loop model is and how it applies to TPRM.

Figure: The Parts of the OODA Loop[3]

Are you Clueful about TPRM? It is easy to tell whether you are “clueful” or not. If your program lacks evidence of value determinations (e.g., as in the tire model), then you may be non-clueful. If your program consists of long, non-targeted, non-directed questionnaires with horrible, non-actionable metrics, that might indicate you are non-clueful. Being non-clueful might also be demonstrated when a concern identified during an initial audit and/or regulatory examination is not addressed in a timely fashion, and the same issue is still present the following year, when it would now be considered problematic.

Recommendation: The Shared Assessments Program provides a free Vendor Risk Management Maturity Model (VRMMM) tool, which risk managers can use to conduct a best practice benchmark evaluation of their TPRM program.

When utilizing the VRMMM, be frank and honest so that you get an accurate benchmark. The first findings will help identify deltas that you can use to demonstrate to senior management that you have set well-defined goals and are continuously improving your program.

The remaining articles in this series will examine:

Understanding and quantifying the conditions that create third party risk.

Examining your strategy:

    Controlling your TP risk landscape.

    Optimizing your assessment efforts.

    Contracts and contract language.

Treating third parties as trusted and valued partners.

Bob Maley, CTPRP, CRISC is an award-winning senior leader in information security and a strategic thinker with experience as an information security strategist, designing and building information security programs for PayPal Holdings, the Commonwealth of Pennsylvania, and the healthcare sector.

[1] Freund, Jack & Jones, Jack. Measuring and Managing Information Risk: A FAIR Approach. Butterworth-Heinemann. 2014.

[2] Annual Vendor Risk Management Benchmark Study. 2014-2018. The Santa Fe Group, Shared Assessments Program and Protiviti, Inc.

[3] Innovations in Third Party Continuous Monitoring: With a Name Like OODA, How Hard Can It Be? The Santa Fe Group, Shared Assessments Program. 2018. Reprinted with Permission.