The Elephant in the Room: A Holistic View of Third-Party Risk
February 20, 2019 • Zane Pokorny
- Managing third-party risk today is critical, but many organizations face challenges like a lack of resources or insufficient information from security audits that aren’t up to date or don’t consider all sources of risk. It’s hard to get the context needed to make educated decisions about how to manage risks that stem from third parties.
- A new report from ESG says to focus on three capabilities when looking for a risk management solution: it should supplement static third-party risk assessments with real-time risk visibility metrics, it should enable alerting on changes to risk scores, and it should provide transparency so that you get more context behind what goes into a particular risk score or recommended course of action.
- A threat intelligence solution that automatically gathers and correlates data, like the Recorded Future® Platform, meets all three criteria. Whatever the source, threat intelligence is becoming increasingly essential for managing third-party risk.
Last week, we looked at some of the challenges of managing third-party risk laid out in a new report from Enterprise Solutions Group (ESG). That report “paints a rather bleak [third-party risk management] picture” — one in which many of the organizations that ESG surveyed “rely on sporadic TPRM audits by under-resourced cybersecurity and GRC teams, leading to an ongoing TPRM gap that can’t address business requirements sufficiently.”
Here, we’ll explore the solutions that ESG recommends for more effectively managing third-party risk. A big one, as we’ll see, is applying threat intelligence to all security functions in order to get a more comprehensive, up-to-date picture of your threat landscape.
The Challenges of Third-Party Risk
In the old parable of the blind men and the elephant, a group of sightless men who live in the same town hear news that a traveling circus has brought one of these creatures with them. Having never seen or heard of an elephant before, they go to learn about the beast the only way they can — by touch. One man, feeling the elephant’s sturdy legs and thick, pebbly skin, declares that the elephant is like a tree. Another man, grasping its coiling and sinuous trunk, says that it must be like a large and powerful snake. The third man, touching its wide and delicate ears, determines that it’s like a paper fan. The last man, running his hands along the elephant’s smooth ivory tusks, guesses that the elephant is sharp and unyielding like a spear.
Depending on the telling of the story, the men share their observations with each other and one of two things happens: either they suspect the others of lying and come to blows, or they realize that they each have an incomplete view and combine their experiences to create a fuller mental picture of the elephant.
It’s a simple story, but one that doesn’t look much different from the state of managing third-party risk today. Many organizations stumble in the dark, relying on incomplete or outdated information, like financial audits or requests for security certifications, to determine how risky it is to do business with a third party. Like the blind men and the elephant, these sources of information are not wrong — but relying on them alone can provide a wildly distorted picture of risk.
3 Focuses When Managing Third-Party Risk
When looking for a risk management solution, ESG recommends focusing on providers that have the following three capabilities:
1. Supplement Static Third-Party Risk Assessments With Real-Time Risk Visibility Metrics
“Rather than rely on static manual audits alone, organizations need to collect, process, and analyze TPRM data on a continuous basis,” the report explains. That means real-time data gathered from sources on both the open and dark web, like hacker activity and mentions of the companies you work with. Solutions that automate this process are essential for keeping up with the massive amounts of data collection this entails.
2. Enable Alerting on Changes to Risk Scores
“Third-party risks are subject to changes related to factors like software vulnerabilities, publicly disclosed data breaches, and cyber adversary tactics, techniques, and procedures,” the report says. Look for risk scoring that changes in real time and is transparent about its sources — “To improve the signal-to-noise ratio,” ESG says, “alerts should be tunable so cybersecurity teams can focus on the most pressing issues.”
3. Provide Transparency
The decisions security professionals need to make daily are slightly more nuanced than deciding when to drive through an intersection — “Cybersecurity and GRC professionals need more than red, yellow, and green TPRM metrics,” the report says. But many forms of risk scoring are slow to update or opaque about the methodology or data that goes into generating a particular score. Risk scores should provide details and sources. The context these alerts and risk scores provide helps different security functions work better together and make faster, better-informed decisions about mitigating risk.
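The three capabilities above describe a pattern rather than a product: score each vendor from continuously collected evidence, alert only when the score moves by more than a tunable threshold, and attach to every alert the observations and sources that produced the score. The sketch below is an added example written for this page; it is not Recorded Future's or ESG's code, and the evidence categories, weights, vendor names, sources and timestamps are all constructed for illustration.

```python
"""Illustrative third-party risk scoring with tunable change alerts and
evidence breakdown. Added example; not Recorded Future's or ESG's code.
All categories, weights, vendors and observations below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed points each evidence category adds to a vendor's score (constructed).
CATEGORY_WEIGHTS = {
    "exploitable_vulnerability": 35,  # publicly exploitable flaw in vendor-facing systems
    "breach_disclosure": 40,          # publicly disclosed data breach at the vendor
    "dark_web_mention": 15,           # vendor referenced in underground-forum collection
    "expired_certificate": 10,        # hygiene signal from external scanning
}
MAX_SCORE = 100


@dataclass(frozen=True)
class Evidence:
    """One observation feeding a vendor's score, with the provenance
    needed to explain the score later (the 'transparency' capability)."""
    category: str
    source: str       # where the observation came from
    observed_at: str  # ISO-8601 timestamp (constructed sample values)


def score_vendor(evidence: list[Evidence]) -> int:
    """Sum category weights for all current evidence, capped at MAX_SCORE."""
    return min(sum(CATEGORY_WEIGHTS[e.category] for e in evidence), MAX_SCORE)


def explain_score(evidence: list[Evidence]) -> list[dict]:
    """Break the score into its contributors, largest first, each with its source."""
    drivers = [
        {"category": e.category, "points": CATEGORY_WEIGHTS[e.category],
         "source": e.source, "observed_at": e.observed_at}
        for e in evidence
    ]
    return sorted(drivers, key=lambda d: d["points"], reverse=True)


@dataclass
class RiskMonitor:
    """Remembers each vendor's last score and alerts when a new score rises
    by at least `threshold` points. The threshold is the tunable knob that
    controls the signal-to-noise ratio of the alert stream."""
    threshold: int
    last_scores: dict[str, int] = field(default_factory=dict)

    def update(self, vendor: str, evidence: list[Evidence]) -> Optional[dict]:
        new_score = score_vendor(evidence)
        old_score = self.last_scores.get(vendor, 0)
        self.last_scores[vendor] = new_score
        if new_score - old_score < self.threshold:
            return None  # change too small to surface at this tuning
        return {
            "vendor": vendor,
            "previous_score": old_score,
            "current_score": new_score,
            "drivers": explain_score(evidence),  # context shipped with the alert
        }


# Constructed feed: successive snapshots of evidence for two hypothetical vendors.
SAMPLE_FEED = [
    ("acme-payroll.example", [
        Evidence("expired_certificate", "external TLS scan", "2019-02-18T09:00:00Z")]),
    ("acme-payroll.example", [
        Evidence("expired_certificate", "external TLS scan", "2019-02-18T09:00:00Z"),
        Evidence("breach_disclosure", "vendor press release", "2019-02-19T14:30:00Z")]),
    ("widget-hosting.example", [
        Evidence("dark_web_mention", "underground forum collection", "2019-02-19T16:05:00Z")]),
]


def run_feed(threshold: int = 20) -> list[dict]:
    """Replay the sample feed through a monitor and return the alerts raised."""
    monitor = RiskMonitor(threshold=threshold)
    alerts = []
    for vendor, evidence in SAMPLE_FEED:
        alert = monitor.update(vendor, evidence)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_feed():
        print(f"{alert['vendor']}: {alert['previous_score']} -> {alert['current_score']}")
        for d in alert["drivers"]:
            print(f"  +{d['points']:>3} {d['category']} ({d['source']}, {d['observed_at']})")
```

At the default threshold of 20 only the payroll vendor's jump from 10 to 50 after the breach disclosure is surfaced, and the alert carries the two observations and their sources so an analyst can see why the score moved; lowering the threshold to 5 turns every snapshot into an alert, which is exactly the noise ESG's tunability point is about.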
Managing Third-Party Risk With Cyber Threat Intelligence
All three capabilities outlined above are fulfilled by a complete threat intelligence solution like the Recorded Future platform, the ESG report notes. Recorded Future relies on machine learning and natural language processing to automatically gather massive amounts of data from the open and dark web, as well as technical sources, all in real time. Most importantly, it provides context — “The company understands the value and importance of augmenting risk data from direct threats with data specific to indirect threats from third parties,” ESG writes, “and that this data must be available in real time to accurately reflect the current risk profile of third-party organizations.”
What that context gives you is the confidence to make informed decisions, because it is the context that matters, not just the volume of information itself. Without context, the different security functions within an organization end up like the blind men in the unhappy ending of the story, bickering with each other over what the elephant looks like and ignoring the bigger picture.
The same goes for managing third-party risk. An alert about a third-party supplier that arrives without context doesn’t do much other than raise everyone’s cortisol levels. Do we cancel our business with this supplier? Do we ask them to look into it and sit on our hands in the meantime, or do we need to take action within our own network? Is this an alert about a vulnerability that affects data or systems we share with that supplier, or is it something we don’t need to worry about right now? These kinds of questions are all better answered with the context provided by a threat intelligence solution like Recorded Future.
To take a closer look at the recommendations that ESG provides, including a more comprehensive view of the solution offered by Recorded Future, download your complimentary copy of the report.