May 9, 2024
Cyber Risk

Agreement at the Third Party Risk Management Assn Conference: Rethink TPRM or Kill It

By Vince Dasta

Time for a risk-based approach to TPRM that gives actionable insights

Agreement at the Third Party Risk Management Assn Conference: Rethink TPRM or Kill It

Ram Vemula and I were privileged to represent Safe Security as speakers at the recent annual conference of the Third Party Risk Management Association (TPRA). It was a great experience to see so many risk and security professionals on a mission to solve one of the biggest challenges in cyber defense: Sixty percent of cyber attacks are initiated from a third party, vendor or supply chain partner.

Yet third party risk management (TPRM) is broken - that was the consensus we heard at the conference. Our talk was on the theme of “rethink TPRM or kill it” and we saw a lot of heads nodding in our audience. Here are some key takeaways from sessions and hallway conversations at TPRA.

5 Themes from the Third Party Risk Management Association Conference

1. TPRM Needs to Grow Up Fast

Maturing TPRM programs was a continuing theme throughout many sessions. Attendees are looking to standards bodies to develop frameworks that move from simple, compliance-based checklists to maturity- and risk-based frameworks.

2. Most Third-party Risk Management Products on the Market Just Aren't Cutting It

We heard a long list of complaints about the available tools for TPRM, including:

  • Inconsistent risk reporting among applications
  • No real science behind any methodology
  • Third-party questionnaires take way too long to complete and process
  • Outside-in scanning applications produce many false positives
  • No actionable insights generated

3. Give Us AI and Automation (that We Can Trust)

Expectations ran high at the conference for improvements in TPRM through these new technologies. AI and automation are becoming integral in TPRM for their efficiency and precision in risk assessment processes. Automated processing of questionnaires and attestations are becoming table stakes for products and platforms.

While practitioners are eager to reduce their workload, skepticism still exists over how these tools will interpret evidence and evaluate risk. Without strong open models and transparency around risk methodologies these tools will not be valuable. Our sense of the state of play after TPRA: We see the potential of AI to transform traditional risk management practices, but only when supported by an open-standards approach to risk management.

4. Help Us Navigate Regulatory Compliance and Standards

There was an entire track dedicated to the importance of compliance with global regulatory frameworks in managing third-party risks. DORA, GDPR, CCPA and other emerging regulatory and privacy requirements are driving much of the work TPRM teams are undertaking today. The industry is still in the “compliance” phase of this journey and is looking for opportunities to increase ROI on these investments beyond just meeting regulatory requirements.

5. Engage the C-suite in Third Party Risk Management

Several sessions and many questions during our session, emphasized the need for executive involvement in risk strategies to align TPRM with business objectives. It was a key theme during the financial regulators keynote session, with both the OCC and FDIC discussing how top-level management can drive TPRM effectiveness. Key quote: “The most effective companies understand the role of the C-suite in fostering a culture of proactive risk management.” But CISOs and other front-line security and risk managers need to do their part by communicating on TPRM to executive management in non-technical, dollar-value terms they understand.

Safe Security's Message to the Third Party Risk Association Conference

In our talk, Ram and I made the case that fundamental change is needed, moving away from audits and compliance based, reactive firefighting to risk-based, proactive third-party risk management. We introduced FAIR-TAM, the Third Party Risk Assessment Model, part of the family of models based on FAIR (Factor Analysis of Information Risk), the open standard for quantitative analysis of cyber risk. SAFE TPRM implements and automates FAIR-TAM for TPRM.

Key FAIR-TAM Principles Implemented by SAFE TPRM

1. Third Party Risk Management Based on Risk

SAFE TPRM calculates the dollar risk and breach likelihood of different risk scenarios that could be generated by a third party and impact the enterprise's bottom line. That enables tiering vendors based on loss exposure instead of the arbitrary practices from the past such as rating based on size of vendor contract. It also creates parity between first party and third party risks, so for a unified view of assessment.

2. Comprehensive, Continuous Monitoring

With AI, SAFE TPRM automates the moving parts of supply chain and vendor risk management that now slow the process down to a crawl. This includes automated, LLM-powered ingestion of questionnaires and compliance documents such as SOC, ISO, or NIST reports. Through telemetry automation, SAFE TPRM captures real-time data from various sources, including direct feeds from security tools for inside-out and outside-in scans. SAFE TPRM incorporates zero trust principles to deliver real-time insights into organizational controls to reveal how effectively first-party controls are safeguarding against potential third-party breaches.

3. Actionable Mitigations

With its grounding in the FAIR standards for risk quantification SAFE TPRM is able to deliver prioritized, ROI-driven recommendations in dollar terms. These actionable insights guide business leaders in working effectively with vendors to address and reduce cybersecurity vulnerabilities, ensuring investments in security yield measurable risk reductions.

Learn more:

Why You Should Make the Switch to SAFE TPRM Today

Contact us for a demo of the power of SAFE TPRM to solve the problem of third-party risk.

Special Offer!
We're running a special promotional offer for a limited time only. Get a 50% reduction in your current TPRM contract value (Conditions apply)