Doug Clare
Best Practices to Manage Third-Party Cyber-Risk Today

Bold new thinking is needed to solve the rapidly evolving challenge of third-party risk management.

Just five years ago, many companies focused their cyber defense efforts almost entirely on their own organizations. Today, they are increasingly concerned about third-party risks, with good reason.

According to Ponemon Institute's "US Cost of a Data Breach Study," third-party organizations accounted for 42% of all breach cases, dropping only slightly from 44% of all cases in 2008. These remain the costliest form of data breaches due to additional investigation and consulting fees. With the number of connected third parties increasing, and an explosion of cyberattack techniques and risk vectors, third-party risk management (TPRM) best practices are quickly evolving in surprising new ways.

One of those surprises is that enterprise cyber-risk teams are not taking responsibility for breaches that may occur. At a recent Cyber Series event, sponsored by the US Chamber of Commerce and FICO, Chris Wallace, director of cyber-risk at T-Mobile, described his bold approach: "My team gets to walk a line between business and security," he said. "Their mantra is, 'We take a risk-based approach to prioritizing and dealing with issues.' Everyone walks away from the discussion with a consensus on the next steps for doing business. That's my goal — to ensure that we have a common ground, and everyone understands what they're getting into."

Slot Vendors into Categories Based on Risk
Although T-Mobile is a large, well-resourced enterprise, a best-practice TPRM process will have the same basic elements, regardless of an organization's size: 

  • First, build a framework for third-party categorization, to identify which partners need a deeper assessment based on their role in the organization's business activities, and the size and criticality of the relationship.

  • Develop workflow to address the intersection of risk and criticality. Working from the categorization framework, risk managers can use cybersecurity risk quantification tools to create portfolios of third parties. In this way, cyber-risk and business impact/criticality can be considered together.

  • Establish a cadence to frequently assess high-impact suppliers, through an analytic approach that combines business criticality and risk.

  • Ensure appropriate risk transfer, typically achieved through insurance. A simple approach considers the intersection of supplier risk and criticality, and requires insurance from suppliers where additional protection is indicated. Risk mitigation is also an option, either by increased third-party controls or additional controls at the organization.

In a properly executed TPRM program, not all vendors are treated alike, even when they provide the same type of service. For example, a media company shooting an ad about a product that has already been publicly announced has a different risk profile than a media company producing a video about information that has not yet been made public. Clearly, stricter control sets should be applied to the latter kind of vendor.

Qualitative Assessment Is Key
Unlike the traditional "check the box" approach, today's TPRM best practices include both qualitative and quantitative assessment of business partners. "These measures complement each other," T-Mobile's Wallace said at the Cyber Series event. "There's always a push in risk management to make risk black and white, with hard data that shows what's good and what's bad. A risk model needs to blend the two. With a foundation of hard data and facts — such as who has access to certain data, how many people have it, and where data is going to and coming from — vendors should take more of an analyst's approach to looking at it further."

"For any vendor," he continued, "an analyst can further assess risk by looking at security risk scores or comparing the risk scores of similar businesses that organizations have worked with in the recent past. All of this information is used to build a third-party risk model and threat profile that takes into account both subjective information and objective measurements and balances this piece to allow us to be more hands-on in forming a judgment."

Though it has a vendor ecosystem numbering in the tens of thousands of partners, the best practices T-Mobile is following can benefit organizations of any size.


Doug Clare is Vice President of Fraud, Compliance, and Security Solutions at FICO. In this role, Doug heads FICO's fraud, financial crime, and cyber-risk businesses. With more than 25 years at FICO, he has deep expertise in helping banks and other businesses manage fraud, ...
