If you are a corporate third-party risk practitioner, chances are you’re reading this blog in an airport, waiting for your next flight. After all, ‘tis the season for third-party conferences, summits, and industry forums. Like you, I’ve been living out of my suitcase this past month, as both an attendee and presenter at various venues, listening and learning. Throughout all the talks, one central theme has emerged around the topic of risk scoring: a perception that open source reports and dashboards (scores built from externally observable data about a third party) are an adequate means of delivering an accurate assessment of the risk an organization takes on when a third party handles or processes its data. But wait…
Perception is not reality
Yes, I’m stressing the word ‘perception’, because taking a snapshot of risk, whether it be cyberthreat intelligence or business intelligence, is just that: a snapshot of one moment, built only from what is externally observable. Certainly the color, numeric, and letter-grade categorizations that today’s risk scoring companies provide pique my interest, but if not used appropriately they will most certainly lead to a false sense of security. For organizations using the information appropriately, I give huge kudos. However, for those that are placing all their eggs in one basket and relying heavily on the score to provide the necessary due diligence, I plead for you to take caution.
Don’t get me wrong, open source risk scoring is a useful measure for informing organizations of actions that need to be taken. Examples include:
- Helping to prioritize third-party due diligence
- Informing vendor selection during a request for proposal or request for information
- Establishing areas where a third party’s security practices should improve
- Identifying information about your organization or your third parties that is accessible to adversaries
Let us not forget that in some mature third-party programs, it can also alert you to a real-time event that requires immediate incident or crisis management. But how you implement the scoring tools, and how you set the thresholds for what is acceptable to your risk appetite and your program, is of critical importance. For those looking to use risk ranking tools for the first time, introduce them gradually: decide up front how the information will be absorbed, validated, and acted upon, so that the score drives responsible risk reduction rather than reflexive decisions. Doing so will set your third-party management program apart from the rest. For example, mature security practices use the scoring reports from open source feeds to create a partnership with their third parties, helping those third parties improve their security posture based on a newly found awareness of their external exposure. At the same time, it’s concerning when the scoring reports are positioned in a manner that ultimately results in a decision to rule out a third party based on a misinterpreted report; a low score may reflect stale data, shared infrastructure, or an asset wrongly attributed to that third party, none of which the score alone can tell you.
Open source risk scoring is only one piece to the puzzle
Risk scoring is multi-faceted. Open source risk scoring is just one indicator, and it must be coupled with the following four risk identifiers:
- Completed security questionnaires (trusted information)
- Onsite assessment reports (validation information)
- Accepted risk remediation plans (acceptance information)
- Real time events and incidents (real time information)
Using a segmented scoring technique, in which each of these identifiers is scored separately and then combined, is the preferred way to obtain a holistic third-party security picture. Decisions about a third-party relationship should depend on the scores of all risk identifiers, not on any single one. So, remember, open source reports provide a fundamental part of continuous risk scoring, yet don’t forget the other risk identifiers that together reflect the full picture of your third-party risk.
Learn more about Prevalent’s comprehensive approach to Third-Party Risk Management.
Brenda Ferraro is a Senior Director at Prevalent, Inc. She is a sought-after Third Party Risk Practitioner who has received recognition from regulators, Information Sharing and Analysis Centers (ISACs), and standardized third-party framework organizations. She draws attention to Third Party Risk by applying her metrics, reporting, and process mastery experience to lead corporations to a single-solution ecosystem that breaks through the complexities of Third Party Risk Governance.