Can you answer, ‘Who are my riskiest supply chain partners?’ Probably not.

by Vince Dasta

Third-party risk management at many large enterprises runs like a well-oiled, high-throughput machine. Typically, TPRM (AKA supply chain or vendor risk management) is a well-established legacy of legal and compliance departments, designed to meet the specific requirements of regulatory agencies or audit standards.

TPRM teams may distribute questionnaires to vendors or supply chain partners, asking them to attest to the protective cyber controls they have in place. Or they may use services that offer a one-click risk rating on a vendor, based on scanning its controls from the outside.

Third-party cyber risk managers then just need to assign a high, medium or low risk tag to the third party and wave them through to the next level of approvers. 

There’s Just One Problem with TPRM

It isn’t effectively managing risk. An RSA Conference survey in 2024 found that “87% of Fortune 1000 companies were affected by a significant cyber incident at a third party in the past 12 months.” The widespread damage inflicted by the Change Healthcare and CrowdStrike outages is another glaring data point.

CISOs and executive risk owners grow increasingly frustrated with a state of TPRM that can’t answer basic questions (like “What are my riskiest third parties in terms of loss exposure?”) in a defensible way.

But so are risk managers who understand that they’re tasked with busywork that doesn’t influence serious decision-making; the business typically has decided to go with the vendor before ordering the pro forma risk assessment. 

From Compliance-based to Risk-based TPRM

We designed Safe Security’s SAFE TPRM solution to move TPRM from its compliance-based past to a risk-based future. SAFE TPRM: 

>>Continuously consolidates third-party risk data from outside-in scans and questionnaires, plus inside-out assessments, and aligns the findings with external threat intel to provide a unified view of the organization’s risk.

>>Recommends only the most effective controls for TPRM, as determined by extensive research into cyber incidents.

>>Prioritizes vendors in tiers based on loss exposure to target risk management efforts.  

>>Gives defensible, quantitative outputs based on recognized risk assessment standards (FAIR, MITRE ATT&CK). No more vague “high/medium/low” talk. 

Onboarding a third party on SAFE TPRM

As the leader of many SAFE TPRM onboarding engagements, I can tell you that TPRM managers quickly adapt to our intuitive platform, and can easily start running risk assessments.

But don’t mistake the Safe Security TPRM solution for a typical software onboarding. To truly manage third-party risk, organizations need to onboard a culture shift. We’ve seen these steps to success for TPRM managers:  

1. Start thinking in risk terms, as defined by Factor Analysis of Information Risk (FAIR), the standard for quantitative cyber risk analysis and the basis for Safe Security’s risk analysis and risk management capabilities. The team also needs to start thinking of themselves as risk analysts and advisers – not facilitators of an approval process. 

For example, “I rated this vendor as Tier 1 because the magnitude or likelihood of a data breach as determined by analysis on the Safe Security platform would be above our established thresholds.” 

Or “I rated it Tier 4, with low enough magnitude and likelihood and no red flags in the outside-in scans so we don’t even need to require a questionnaire.”  

[Figure: Third parties ranked in tiers on the SAFE One platform]

2. Update their view of controls from the old point-in-time outlook.  The FAIR Controls Analytics Model (FAIR-CAM) operationalized on the SAFE TPRM platform gives a real-time read on the status and effectiveness of any control and set of controls. It’s complemented by the FAIR Materiality Assessment Model (FAIR-MAM) for accurate data on the organization’s loss exposure. TPRM finally gets up to speed with the threat landscape and control environment. 

3. We help our users understand where third-party risk assessments fit in the complex chain of vendor management that also includes compliance and legal reviews. 

4. The TPRM team needs to start viewing third-party organizations as an extension of their attack surface because the lines of demarcation are becoming increasingly blurred. Only the Safe Security platform shows this unified view that aligns with the reality of cyber risk: Third-party risk is now on a par with first-party risk.

Additionally, taking a scenario-based view of risk allows analysts to understand and account for important business context and outcomes. Understanding how loss may materialize as a result of a vendor relationship is what really matters. A score or rating without context doesn’t help the business make decisions. Understanding that a particular vendor issue increases their susceptibility to ransomware by 15% and that an outage at this vendor would have a material financial impact to our company is much more valuable information than saying “fixing this vulnerability will increase their score by 10 points over the next 3 months.”

5. Tiering vendors – plus automation on the SAFE TPRM platform –  leads to major savings of time and effort and positions the TPRM team to keep up with the often frantic pace of new vendor onboardings at a large enterprise.  

[Figure: Unified view, first- and third-party risk]

SAFE TPRM Onboarding Timeline Bakes in a Culture Shift

The first two weeks of a five-week onboarding engagement are really about scoping the culture, mapping the complex flow of third-party risk management at the organization, and gauging the readiness of the organization to change. We also provide training in FAIR risk scenario analysis, FAIR-CAM and FAIR-MAM, at a high level.

The onboarding of third parties is also calibrated to the organization, beginning with a single test case in week three and ramping up from there to 10 and then hundreds.

Throughout, we keep the analyst at the center of the process. Unlike other solutions that just aim to get to a high/medium/low as quickly as possible, for instance based on an outside-in scan of controls, SAFE TPRM anticipates humans will step in to understand the context of a risk assessment in terms of the business problem they are trying to solve, balance those FAIR readings on likelihood vs. impact and tier their third parties accordingly. 
