A little actually doesn’t go a long way: Fight the urge to shortcut your TPRM program

Why isn’t my TPRM working better?

Third Party Risk Management (TPRM) is hard to get right. Ineffective TPRM is when 83% of legal and compliance leaders identify third party risks after due diligence, despite spending 73% of effort on due diligence.* This is supported by 49% of business leaders saying they lack a centralized strategy for use of third parties, 42% of them saying they lack criteria for distinguishing important third parties, and 42% saying there is not enough attention paid to downstream risks.*

The results are in. Many security leaders feel their organizations have slow, risk-unaware vendor evaluation, and only deal with resilience, legal, operational, and cybersecurity risk considerations after the contract is signed. These lead to productivity loss and higher cyber risk exposure.

The paradox is that by putting some effort up front but becoming comfortable that a little bit is good enough, an organization may relax thinking that they have covered the bases. Unfortunately, a significantly higher amount of effort is spent managing risk after contract signing or, worse, after the third party has already had a breach or operational failure.

*Data based on Coalfire market research and analysis performed 2022

How can I build a strong TPRM program?

A solid and efficient TPRM program is one with a single assigned owner who knows what the business does, how the business is supported by IT and vendors, seeks input (and gets buy-in) from key internal stakeholders, and seeks to enforce risk management around third parties commensurate with their type, value to the organization’s service delivery, and potential risk exposure.

You have done your due diligence and decided to move forward, or it is time for contract renewal. How do you do it right?

1. Understand your key business outputs and revenue drivers. Does your business primarily provide SaaS-based solutions, or provide professional services? Does it manufacture or deal in logistics? Is it a small healthcare clinic or a national conglomerate of hospital networks? Do you serve businesses or end consumers first? Document and focus on revenue drivers; these are areas where any vendor involvement will need higher risk management.
2. Know you are not alone - seek inputs from those teams (developers, plant managers, finance/accounting, sales, marketing, operations) about how they use third parties and their needs when it comes to fulfilling their job requirements. Ask them what issues they would have if the third party was compromised, failed to meet service levels, or failed to deliver at all. This drives buy-in and develops a risk awareness culture across the organization.
3. Understand the diverse categories of vendor relationships and risks posed by each.
   • IT Service Provider
     • Automated (think platforms) or real-person (think help desk and IT assistance) services that typically leverage information technology to aid your internal teams in managing data, completing workloads, and delivering internal services.
     • Risks to consider: data management, SLA on service and breach reporting, privileged access held by third parties, etc.
   • Cloud Service Provider / Colocation or client isolation
     • Data centers that provide some level of service in hosting your technology, from a caged space up to entire platform management.
     • Risks to consider: tenancy isolation, physical security, asset backup/maintenance/restoration capabilities, access controls, etc.
   • Hardware and software vendors
     • Vendors that provide key IT assets like laptops, hard drives, firewalls, wireless access points, printers, cameras, desktop and enterprise software, etc.
     • Risks to consider: Bill of Materials provenance, their own TPRM program, code escrow, open-source or licensing issues, code or system vulnerabilities, etc.
   • Non-IT providers - think pencils, snacks, building maintenance, etc.
     • Enable your employee productivity and general business activities.
     • Risks to consider: theft, loss, incidental viewing of protected data, etc.
4. Classify, document, and customize - Classify and rank your third parties based on the above or classifications of your choosing. Document a list of your third parties in a centralized location. Customize your questionnaires to the classification and risk they may present to your business. Remember that TPRM is more than just vendor risk management; consider the risks introduced when dealing with clients, visitors, external agencies, etc.
5. Contracting - You have done your due diligence and decided to move forward, or it is time for contract renewal. How do you do it right?
   • Involved your legal: They will tell you what your obligations are!
   • Focus on highest-risk mitigation in contracts
     • Ensuring compliance with your security and compliance standards
     • Right-to-audit or right-to-review
     • Service Level Agreements tailored to uptime, response time, incidents, breach notifications, or notifications of changes in their operations
     • Mutual NDAs and/or data sharing agreements (protection of sensitive/critical data)

Conclusion

There is more to the process of TPRM after contract signing and developing a best-in-class program, but you cannot manage cybersecurity risks without knowing what you want to protect. Using the foundation of the five areas above as a start will put your teams on the same page, give direction to future outcomes, and help you communicate what good looks like to your leadership team.