Risk-based vs. Classification-based Risk Management
This topic has emerged from an overarching and strangely off-kilter attitude in Third Party Risk Management (TPRM) – the attitude that vendor classification can take the place of a risk-based framework and quantitative analysis of risk.
Classification is tactical, not strategic. A classification-based approach looks in the wrong direction when examining third parties, and has contributed to the increasing number of breaches worldwide. An example of classification is the concept that any third party with access to data containing personally identifiable information will automatically be classified as high risk, based on the organization’s classification system. This logic assigns a high risk classification without any underlying advanced analysis that would reveal the true economic impact of a cyber event at that third party. This approach can also go wildly awry when a vendor is classified as low risk, yet poses a significant real-world risk. This “classification-based” approach to risk management is not a true risk-based approach.
A risk-based examination of third parties is strategic, facilitating better decisions and outcomes. The strategy mirrors shared goals across the organization for TPRM – constructive collaboration and consistency at scale. An example of risk-based management is the FAIR© framework, where risk is defined as “the probable frequency and probable magnitude of future loss associated with a specific event,” or the “economic impact.”
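As an added worked illustration (not code from the article or from NormShield), the Python below puts the PII-based classification rule described above beside a FAIR-style estimate of probable frequency times probable magnitude for two constructed vendors; the vendor names, event frequencies and loss ranges are assumed sample values.

```python
# Added illustration, not code from the article or NormShield: a PII-based tier beside
# a FAIR-style estimate. Vendor names, frequencies and loss ranges are constructed samples.
import math
import random
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    handles_pii: bool
    lef_per_year: float  # loss event frequency: estimated events per year
    loss_min: float      # loss magnitude in USD as a triangular min/mode/max
    loss_mode: float
    loss_max: float

def classification_tier(v: Vendor) -> str:
    """The rule the article criticises: any PII access is automatically high risk."""
    return "high" if v.handles_pii else "low"

def annualized_loss_expectancy(v: Vendor) -> float:
    """FAIR-style point estimate: frequency x mean magnitude (mean of the triangle)."""
    return v.lef_per_year * (v.loss_min + v.loss_mode + v.loss_max) / 3

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def probability_loss_exceeds(v: Vendor, appetite: float, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo: share of simulated years whose total loss exceeds the risk appetite."""
    rng = random.Random(seed)
    over = 0
    for _ in range(trials):
        events = _poisson(rng, v.lef_per_year)
        total = sum(rng.triangular(v.loss_min, v.loss_max, v.loss_mode) for _ in range(events))
        over += total > appetite
    return over / trials

def rank_by_risk(vendors: list) -> list:
    """Vendor names ordered by expected annual loss, highest first."""
    return [v.name for v in sorted(vendors, key=annualized_loss_expectancy, reverse=True)]

VENDORS = [  # constructed sample: payroll SaaS with PII vs. build pipeline with none
    Vendor("PayrollCo", True, 0.05, 120_000, 480_000, 900_000),
    Vendor("BuildPipelineCo", False, 0.5, 600_000, 2_400_000, 6_000_000),
]
```

The classification rule tiers PayrollCo high and BuildPipelineCo low, while the FAIR-style numbers rank them the other way round, which is the misranking the article warns about.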
Critical elements of good risk management get lost in classification-based systems. Without proper analysis of the third party, appropriate key indicators cannot be identified for that third party, and the wrong processes may be automated, resulting in wasted resources and flawed decisions.
The data from the last half decade clearly demonstrates this mismatch: we are not changing the landscape in favor of fewer breaches and safer systems. Data breaches caused by third parties cost large companies millions of dollars and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute revealed that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.
How can you make a difference in your third party ecosystem? What can we do differently to gain traction?
Get back in focus: Why bother with third party cyber risk management in the first place?
Compliance during audits or other examinations drives many TPRM programs. If the business goal is strictly to avoid fines in the event of a breach, focusing on compliance is a good strategy. But the business goal can be (and arguably should be) refocused more broadly on reducing the probable financial impact of a cyber event at a third party (reputation/market share losses, fines, etc.). When refocused in this way, stopping the breach from happening in the first place becomes a key strategic goal.
In risk-based TPRM, we can better understand the probability of event occurrence and its impacts. It isn’t always the Tier 1 vendor who poses the highest risk. Any third party who touches company data should be continuously monitored as part of the TPRM program. This is well demonstrated by the record of breaches. In 2013, third party breaches came onto the radar of risk managers, boards, and the public more broadly after multiple news headlines. In 2016, these headlines increased even more.
Gauging program maturity – how does this impact process and management?
Third Party Risk Management has become a very complex process with an overall compelling value.
For an in-depth review of the value of the TPRM process, see the full Security Current report, CISOs Investigate: Third Party Risk Management, which can be downloaded here.
It is important to note that what is in the process is not the same as the maturity of the process. In the CISOs Investigate: Third Party Risk Management report, the authors note that: “The maturity of many TPRM programs is generally low or at best partially deployed, nor is a maturity model used to assess it therein (for example the Vendor Risk Management Maturity Model – VRMMM – by SharedAssessments.org).”
The VRMMM is a peer-reviewed, free tool risk managers can use to conduct a best practice benchmark evaluation of their TPRM program. The VRMMM helps TPRM practitioners at all levels with goal setting, program development, and continuous program improvement. The tool identifies all the components within a mature process. However, there are over 200 components listed for examination. The question of whether a program is mature is not only about what components are in place, but whether the overall TPRM process you have in place has value. For anyone to hit maturity on all of these points – that’s a unicorn. In reality, perhaps we can better focus on key areas of process and management – for instance, contracts – and determine how we can execute that process most effectively.
The challenge in reaching a useful level of maturity lies in programs where TPRM is based on a classification model, instead of a risk-based methodology. If you are using a classification model:
- You are probably applying more process to low risk vendors than is needed.
- Assessment processes are conducted based on a given class, which may include factors such as voluminous control questionnaires, extensive contract language, policy reviews, onsite visits, and a number of other processes that should be in place in a mature TPRM program. All of these processes can be complex, time consuming and expensive to both your organization and your third party. When you add the requirements that some regulations impose for third party continuous monitoring, the process grind can overload your team, miss important issues, and lose sight of the goal of reducing the uncertainty around your third party risk.
- Another problem associated with classification-based approaches is that you have a certain set of procedures/processes in place for critical vendors. When you tell a regulator that you follow those processes, you are now bound to those processes. In reality, basing your processes on this type of classification misses the point. Those processes may not apply to all your vendors (or even your critical vendors). Those processes have associated costs, which may be out of sync with your actual, real-world needs (too much or too little).
In Implementing Enterprise Risk Management: From Methods to Applications, James Lam gives an overview of a Risk Assessment. He also lists the key benefits of a risk assessment, one of which is “improved business performance through risk-based decision making.” A company outsources for business and economic reasons, so it only makes sense to create a TPRM process with this as a primary goal. Lam also goes on to list common obstacles that prevent achieving full benefits. One of these is “the inability to develop an overall risk profile due to the vast amount of qualitative data, which may be difficult to aggregate, prioritize, and quantify.” This very reason drives program managers to use a classification-based system in place of a risk-based one. It is easy to say that Vendor A does this, making it a Tier 1, instead of doing the “extra” work to quantify the risk.
In many instances, the inability to complete the perceived workload is blamed on the immaturity of TPRM programs, including the lack of adherence to industry standard best practices. In Jack Freund’s article on third party risk management, Freund outlines the process for putting a mature program into place. He hits the heart of the matter, “An advanced approach to third-party risk rating will reflect the economic impact of any third-party data compromise or interruption of service on enterprise business objectives. Fundamentally, the ideal methodology connects cybersecurity consequences to business goals.” Yet, classification methods continue to be applied that tactically do not match the strategic goal they should be meeting.
What do you do with cyber findings and why?
The mismatched focus on classification-based tiering creates a situation in which decision making can be skewed. Typically, critical/high/medium/low or 1, 2, 3 classifications are used. The challenge in those constructs is that you are missing the potential financial impact of the relationship with that vendor. A key example is the automation of processes designed around classification. Instead of streamlining TPRM due diligence, the wrong things are just being done faster. If the communication is ineffective, even the best information will not be used well.
When you use a risk-based approach, the questions you ask change regarding what you do when you uncover cyber findings at a vendor. When you set a goal to reduce the number of breaches, people will gravitate toward qualitative reporting (such as color-based ratings) because it is easier than using technical jargon. However, this doesn’t hold up. It is not just the indicators being evaluated, it is the focus and the way in which that information is being gathered and communicated that matters. If the indicators are not aligned with goals, then the communications lose value and impact.
A risk-based approach provides for clearer communication. It allows you to set expectations with third parties by identifying key issues, such as information transfer and resources that are regulated by the contract ahead of starting work. The key point is to establish clear goals and requirements for third parties (and their Nth parties) to meet the same level of risk management expectations that the outsourcer sets for itself. These include parameters such as data handling, dispute processes, governance models around data privacy, audit provisions, and maintaining the independence of assessments. By defining key issues, both parties are assured a greater likelihood of success in meeting those requirements.
By ensuring that risk is defined and communicated effectively, what cyber findings mean in the context of that unique relationship becomes clearer. In turn, that means when you have cyber findings, they can be compared to the baseline set for the relationship and a determination can be quickly made about the need to remediate the findings, accept the risk, or terminate the relationship. That means that fewer resources are required to achieve good risk hygiene.
How to not be the Department of “NO”.
TPRM can provide better visibility, and ideally full visibility into the breadth of the company’s activities. When communicated well, this visibility provides stakeholders with the information they need to address vendor remediation effectively in a way that is tied directly to risk, risk appetite, and business needs.
InfoSec gets seen as the “Department of No” – obviously not team-building – a silo-crushing reputation. The security mission can be linked directly to business growth drivers. By keeping the shared goals in focus, you can become a key strategic partner, showing the business unit HOW to do what they need to do. Instead of ‘No’, express how to effectively do what needs to be done at the business level to manage risks related to the unit’s activities.
Speak in terms the business unit’s personnel can understand. Be clear, be specific, provide a path that can be followed and adapted as needed on the ground in daily operations. The value of risk can be communicated as it relates to your organization’s unique risk appetite and the specific risk a vendor relationship poses over time. The factoring of risk has to be aligned with the service provided. And automation change management must allow you to know when benchmarked indicators show that the process is acceptable and hygiene is good. Being able to distinguish good change from bad change is the key to streamlining and getting consistency.
“Structured properly the TPRM program will function proactively as a critical stakeholder in new business initiatives, the pursuit of new verticals, and M&A efforts. As the organization becomes more accustomed to engaging with the TPRM program it will hit a scalability tipping point.”
Conclusion – How do you make a difference in your Third Party ecosystem?
In a world where the supply chain is becoming more important, does adding more process and control actually help? No – we do third party cyber risk management because the consequences can be significant, if not catastrophic. It is critical to do it – and do it right.
Have we been applying a strategic view of why we are doing cyber TPRM? Again, No – the tactics being employed today and the fact that we have failed to move the needle on third party breaches and events shows that we are not meeting strategic goals for reducing breaches. The value proposition has to change.
Practitioners focusing on classifications as the basis for their third party due diligence are suffering under the illusion that they are carrying out risk-based management, while in reality the classifications being made are not risk-based. Classification is essentially a qualitative process that is accepted as normal in TPRM – yet it repeatedly falls short. Classification is an easy, checkbox solution. In reality, we have to be more strategic. We don’t have all the resources in the world to throw at every possible problem. And classification can lead us to pay attention to or ignore the wrong threats. Bruce Schneier refers to this as “security theatre” – it makes people feel good, but we’re missing the point.
In her 2016 book “The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore,” Michele Wucker used the image of a gray rhino to represent “a highly probable, high-impact threat: something we ought to see coming, like a two-ton rhinoceros aiming its horn in our direction and preparing to charge.” History is showing us that the threat of a breach via third parties is a gray rhino, and not a black swan event. Wucker goes on to say that “Most Gray Rhinos are not the case of signals that were too weak but of listeners determined to ignore them and systems that encourage and accept as normal our failure to respond.”
Truly understanding what risk (probable financial impact) is for every vendor has historically been daunting and difficult, so classification is better than nothing, right? In reality, classification is an integral component of a proper risk assessment, but should not be used in lieu of a risk-based approach.
A risk-based methodology is what lets you identify the things that make a real difference and execute them consistently at scale across your entire ecosystem.
It has become imperative that we move to a true risk-based process to achieve strategy level goals. We’ve concluded that it is going to take a radical new methodology for us to be able to make better business decisions around third party engagements. Key concepts can be integrated into an existing program with ease, resulting in constructive collaboration and success at reaching scale moving forward.
NormShield reduces the uncertainty of your cyber risk with a high quality platform that does the work for you. Created from a hacker’s perspective, we’re not another cyber rating tool. Our platform tells you which vendors pose the highest risk to your company without creating more labor on your end. The platform is scalable, all-encompassing, and tailored to identify your problem areas. NormShield is also the ONLY cyber risk rating system that can measure the cost associated with a potential third party cyber breach. Know the risk every organization in your ecosystem poses in dollars and cents.
Learn more at www.normshield.com