Use Threat Intelligence to Reduce Third-Party Risk, Says Analytics Expert Thomas H. Davenport

Posted: 21st March 2019

Everything is connected to everything else.

In the internet era, this is no longer just a New Age adage — it’s the bare truth of how business is conducted in just about every industry. And working closer together in digital spaces and sharing data more openly can certainly make the job easier for everyone. The problem is, that includes threat actors.

That’s what Thomas H. Davenport, a world-renowned thought leader and author in analytics, information and knowledge management, process management, and enterprise systems, says in his new report on third-party risk. Titled “Rating Companies on Third-Party Cyber Risk,” the report examines how threat intelligence provided by Recorded Future answers many of the difficult questions security practitioners face today, when the threat landscape has vastly grown.

“Digital ties among organizations are pervasive now,” he says. “Many data breaches, hacks, and attacks, including some of the most prominent ones, are facilitated by external digital relationships in which hackers get access to a company’s network through software or connections from a third party.”

“Companies need to know if the third-party organizations with which they do business are vulnerable to these threats,” Davenport goes on. “They also need to know if their own digital environment is secure, and how desirable a partner they are from a third-party-risk standpoint.”

The Problem With Traditional Risk Metrics

There are a few ways to measure third-party risk — “typically, numeric indicators of the level of risk in a particular company that other firms can use in deciding whether and how to do business with them,” Davenport explains. Many of these scoring systems are beginning to trend toward being more transparent about the factors that go into their scores, and that’s certainly a good thing. But there are still many problems with them.

One issue is that the assessments they offer are usually static. Something like a financial audit or an evaluation of what security certifications an organization has provides only a snapshot of a moment in time. When cybersecurity threats change daily, these assessments will inevitably become out of date — sometimes before they’re even published.

Another problem is a lack of context. Because many of these assessments don’t say anything about the actual threats that are out there — in a way, many only measure the thickness of the castle walls, not the bore of the cannons on its doorstep — they also don’t provide a lot of guidance about what to do with the information they provide. If a partner receives a high risk score, does that mean you should stop doing business with them? Not necessarily. And many systems of scoring are still not transparent about what factors go into generating their scores.

Threat intelligence, by contrast, offers a way to assess third-party risk and get that context in real time, Davenport says, and provides a much-needed supplement to traditional risk scoring methods.

3 Things to Look for in Threat Intelligence

In the report, Davenport defines some of the key criteria to look for in a threat intelligence solution.

1. The need for machine learning and automation when dealing with massive amounts of data.

“Given the scope and scale of cybersecurity-related content — literally billions of facts — there is no alternative today to using automation and AI for rigorous threat intelligence,” Davenport says.

Developing the risk scores in Recorded Future’s Third-Party Risk module takes “a considerable amount of automation and artificial intelligence,” according to Davenport. “Recorded Future is constantly collecting and analyzing content from the open web, the dark web, technical and news sources, and discussion forums. Each piece of content is analyzed, classified, and indexed using a variety of machine learning models and natural language processing capabilities. After the underlying data has been analyzed and indexed, a score based on the data can be created with a straightforward mathematical formula.”

2. The value of real-time updates to risk scores and reporting.

The problem of static assessments quickly becoming outdated also applies to threat intelligence, of course. Weekly or monthly intelligence reports provide good overviews but can’t be acted on if they come too late.

Recorded Future’s risk scores update more frequently and draw on a large pool of data, making them much more reliable for both immediate risk assessments and wider-reaching security decisions, Davenport explains:

3. The importance of transparency when providing risk assessments.

What’s the point of a risk assessment if you don’t do anything about it? The problem of information without context leaves us like the Cassandra of Greek legend — after the god Apollo gave her the gift of prophecy but she scorned his romantic advances, he cursed her so that nobody would ever believe her warnings about the future.

Transparency in risk reporting helps avoid this outcome by helping security professionals see why something might represent a real risk for themselves. Recorded Future’s risk score is “based on an algorithm that synthesizes recent threat intelligence events, which Recorded Future routinely gathers and reports to its customers,” Davenport explains:

Responding to High Third-Party Risk Scores

So what do you do when faced with high risk scores? “If your partner’s risk score is high, it would be an overreaction to stop doing business with that firm,” Davenport says. “Remember that virtually every company faces some cyber events these days; it is how they respond to them that matters.”

Instead, he explains, it should be “the rationale for further investigation and perhaps a dialogue with the company.” And on your end of things, you can look more closely at whether the risk rules that were triggered will impact your organization’s network.

The point is to be empowered to make smart security decisions, not knee-jerk ones — and this is only possible with up-to-the-minute context and evidence.

Get the Full Report on Third-Party Risk

Thomas H. Davenport is the President’s Distinguished Professor of Information Technology and Management at Babson College, a Fellow of the MIT Center for Digital Business, and an independent senior advisor to Deloitte Analytics.

He’s authored or co-authored 15 books and counting, most recently including “The AI Advantage: How to Put the Artificial Intelligence Revolution to Work,” as well as “Competing on Analytics: The New Science of Winning” and “Only Humans Need Apply: Winners and Losers in the Age of Smart Machines.”

To read his full report about third-party risk, download your complimentary copy today.