I recently traveled to the TAG Cyber offices in New York to meet with John Masserini. We discussed how third-party risk management is expanding to involve more stakeholders, cover more risk categories, and address more stages of the vendor relationship than ever before. Here are a video and transcript of our conversation.
John Masserini: Good morning. I'm John Masserini, Senior Research Analyst for TAG Cyber. Today’s session is part of TAG Cyber's Executive Exchange. I'm here with Brad Hibbert, the Chief Strategy Officer and Chief Operations Officer for Prevalent. Brad, great to see you again and welcome to TAG.
Brad Hibbert: Thanks, John. Glad to be here.
John: Let's talk a little bit about third-party risk. Over the last several years, we've seen a shift in how third parties are addressed and the risks that occur within enterprises. Originally, we used to worry about access control, trying to get a vulnerability scan done on a third party – or maybe on a good day, we got a SOC 2 report. It's a very different world now, with supply chain issues and extended third-party challenges. Can you tell us a little bit about what you're seeing in the industry and where it's going?
Brad: Over the last few years, we've seen some dynamic changes in the industry. Vendor risk management started years ago focusing on IT vendors and access control – those folks who are accessing, processing or storing data. We've seen a bit of a shift since then. Some of this was driven by recent events with COVID, and business resilience has certainly come up more and more.
We’re also seeing a lot of pressure from boards, consumers and shareholders regarding non-IT related risks associated with ESG, diversity and modern slavery. That's causing organizations to take pause and think about the broader dimensions of risks associated with third parties.
But don't get me wrong, IT security controls are still top of mind. Prevalent recently conducted a third-party risk management research study, and 45% of the respondents still indicated IT controls as their primary concern. But what's interesting is that 40% also indicated that non-IT risks are of concern as well. So, I think people are trying to get a more comprehensive understanding of risk throughout that vendor relationship and implement processes and plans to mitigate that risk.
John: As a previous CSO, I was heavily focused on IT-centric risks and the risks that applications brought into the organization, which by default extended into the third-party realm. Now with ESG, modern slavery, and other non-IT risks, a lot of CSOs are struggling with how that fits into their programs. How are CSOs adapting to that?
Brad: Organizations are getting more sophisticated and considering non-IT risks. They are putting third-party risk programs in place that may start by looking at a certain type of control or risk. Maybe it starts with IT security risk, but how do you get visibility over a more comprehensive risk profile? For example, from a procurement perspective, we're seeing a lot more demand for pre-screening supplier risk, identifying sanctions issues, and understanding reputational risks. Although there might not be a direct compliance impact or requirement, we're seeing a lot of pressure on organizations from consumers and activist shareholders asking them to do better in these areas.
At Prevalent, we looked at who in the organization interacted with vendors at different phases of the lifecycle and which types of risks they each need to address. Then, we built capabilities to help them understand the risks, minimize the challenges, and mitigate concerns throughout the vendor lifecycle.
John: From a security technology perspective, we find ways to rate risks – like vulnerabilities with CVSS. So, you're doing that same kind of thing for non-technology centric risks, right? You can sit in front of a board and say, "Here's the technology side, here's the reputational side, and here’s the ESG side." That's kind of the all-in-one solution you're referring to?
Brad: That's right. We gather the information and give you a comprehensive understanding of risk across different risk dimensions. We do that from a number of different angles.
As you mentioned, there's the outside-in view: We're looking at vulnerability scans, we're looking at business reputational risk, we're looking at financial risk. We're looking at the different sanctions. We're continuously monitoring for risk data and bringing it into our platform. We also have an assessment capability for the inside-out view. Its goal is to understand the third party’s policies and procedures and ask for artifacts or evidence.
We complement that by building up vendor profiles with additional information that we get from global sensors. For instance, vendor demographics, fourth-party relationships, ESG information, etc. And then we package that up into a comprehensive profile that the business can understand.
John: You mentioned the integration of security and procurement – that’s always been a challenge in all the organizations I've worked for; finding that balance between what the security team wants to do and advancing the procurement lifecycle. It's been a big part of the challenge. So, it also sounds like you're opening this to many more people in the organization – not just the security team.
Brad: That's right. Many of the programs start with the security team; 45% of respondents to our 2022 study indicated that's the primary concern. Many organizations are concerned about security because third-party data breaches have accelerated over the last couple of years. In our research, we also showed that about 45% of respondents indicated that they've recently been impacted by a third-party data breach. That might be an impact from an IT vendor or from another type of supplier that experienced a security breach. And that's up from about 21% in 2020. So, we're certainly seeing a real shift in attackers going after the supply chain. That's really driving the awareness.
That tends to be the foundation of the program, understanding the security risk. Traditionally the people using our solutions have been CSOs and security teams. We're now starting to see a bit of a convergence. We're seeing security teams being asked to have a more comprehensive understanding of risk. We're seeing procurement teams – who typically used to deal with quality, delivery, and financial risk – now being asked to understand factors dealing with diversity, modern slavery and ESG. Again, these things are being driven by the shareholders and not just the consumers.
But we're also seeing the supply side, the procurement teams, now asking about IT risks with their non-IT vendors – because they can also be impacted by data breaches that could impact the ability to deliver a service or a product.
From a buyer perspective, 95% of those we were interacting with a few years ago were CSOs. Now, that number is about 75%. The other 25% of our interactions are with procurement, contract management, and others who are coming to the table as third-party risk programs begin to mature and expand over time.
John: I know that the SEC has recently put a lot of focus on the third-party risk, as well as on fourth-party risk. We often don't look past third-party vendors to the partners that they rely on. For instance, in the telecom world, fourth-party vendors are super critical. I might be buying a device from a trusted source, but who knows where that trusted source got their chips or boards?
So, how can Prevalent overall help my team – including procurement, privacy and legal teams – address the SEC requirements and other regulatory requirements that are coming down the line?
Brad: Our SaaS platform focuses on third-party risk management – a unified place to get that comprehensive understanding of risk. We've considered every team that interacts with third parties throughout the vendor relationship – from sourcing and selection, to contracting and onboarding, to due diligence and remediation, to continuous monitoring and validation, to offboarding and terminating the contract. We help them understand the risks involved with each step and who's interacting with the third party at each step. And we provide them with a comprehensive risk profile through a lens that's relevant to them and their job function.
Our platform then consolidates that information, automates the process, and fosters collaboration across teams. The idea is to move beyond the compliance checkbox. Every team can thoughtfully and purposefully think about how they're interacting with a third party to mitigate risks. If they can amplify that information across different teams, then they can meaningfully reduce the overall risk associated with the third party throughout the contract.
In addition, the market's still somewhat immature, so we provide services for customers who need them. We have an experienced services team and service partners that can help with program design, program implementation, and program optimization.
Most people on our team have done this for well over 20 years and have learned some best practices. So, for customers that want somebody else to do the hard work, our managed services team can help. They scale each customer’s program with a high level of quality, and then provide a customer success program to backstop the whole thing.
We can help you understand what your program needs are, start small, show some success, and then grow that over time. Then, as you're growing your third-party risk management program, starting to understand additional dimensions of risk, and incorporating different departments into the program, we make sure you have the support you need for a successful program.
John: Sounds like we're getting rid of a lot of spreadsheets.
Brad: Yes, there are a lot of people out there today that still use spreadsheets for TPRM, and they're hitting a wall. They find that they can't scale, especially as they try to address a broader set of suppliers beyond their core IT vendors – and a broader set of risks than what is covered in an annual security check. Companies need to have a continuous understanding of vendor risk profiles, beyond these point-in-time assessments. So, a lot of organizations are struggling, and companies like ours are around to help them through that.
John: We can't have a conversation about risk and security and not talk about the challenges of the industry around hiring and resources. Any solution that can help us better manage the resources that we have seems like a win.
I'd like to dig in a little bit to moving beyond compliance. Moving beyond the checkbox. That's historically been a problem in security where non-security people say, "We're compliant, so we're secure." In the third-party risk world, how do we manage that? Moving from, "We've passed a compliance checkbox," to actually resolving the issues with our third-party partners?
Brad: That's a great point. As you mentioned, a lot of people get a yearly vendor assessment that may indicate some level of risk. They then file that away and say, "I've done my assessment," and move on. Our platform leverages automation and intelligence to understand risks as assessment responses come back and as risk events happen. We convert those responses and events into quantified risks with business context.
We also provide prescriptive guidance to customers about what they should do to remediate the risks and what they should ask their vendors. So, you have the prescription for how to remediate the risk. Then there's the next step, which is actually doing the remediation. And companies that don't have the time to interact with their vendors about remediation can always augment their teams with managed services.
A lot of people spend a lot of their time gathering the data, getting vendors to respond, and collecting the data. If that can all be automated for you, then you can spend more of your time on the hard stuff on the back end, which is doing the remediation. So, try to automate, try to outsource, try to do whatever you need to do to simplify that front-end experience, so you can focus more time on performing the remediations.
Shared vendor intelligence networks or shared exchanges are handy, as well. They handle a lot of the data collection and collate risk information up front, so your team can spend more time on the remediation side. We've found networks to be very successful in certain verticals, particularly where you have a third-party concentration. For example, Prevalent manages shared networks in legal and in healthcare. When we get a healthcare provider or legal provider as a customer, chances are we have a lot of relevant information already in our database, so they can focus on remediation.
John: Out of curiosity, are there more exchanges coming up? You mentioned legal and healthcare. I can imagine financial services would be a prime target.
Brad: We have a general, cross-industry exchange, as well, and we continue to work with different industry groups. A lot depends on the maturity of the market. The verticals have to decide which standardized assessment content and best practices are right for them. We are working on a few new exchanges – financial services, the auto sector, the retail sector, etc. When the market is ready, we're going to be there to help them.
John: Any closing thoughts that you would like to share?
Brad: I guess just some tidbits of wisdom that we've learned over the years. Organizations looking to take on third-party risk management should know that there are solutions and people out there to help. They should think about what they want to get out of their programs over the long term, but they can start small and plan to grow. It's important to have a good foundation in place.
People should move beyond the compliance checkbox and think about mitigating risks. You and I have a lot of experience in vulnerability and access management, and third-party risk management is similar. It's all about reducing the attack surface. Organizations need to be thoughtful about trying to move beyond the point-in-time compliance to reducing risk on a continual basis. They’ve got to continuously understand what their third-party risk profile looks like and how it's changing over time.
Solutions like those offered by Prevalent and our partners can help organizations through the learning cycle, get them up and running, and deliver the efficiencies and quality they're looking for.
John: Sounds like an outstanding solution. Thank you very much for coming out today.
Brad: Thanks, John. It's been great!