How to Select the Right Third-Party Risk Metrics to Report to the Board

Security teams often must crunch a massive amount of data to report a few meaningful metrics to leaders. Solving systemic problems in third-party risk management programs can simplify the process.
Bryan Littlefair
CEO of Cambridge Cyber Advisers
April 07, 2021

Having been a CISO for large multi-national corporations for over 20 years, I have created, run and evolved third-party risk management programs for some very complex organizations. That experience taught me a lot, including what worked and what did not. Now, as CEO of Cambridge Cyber Advisers, I sit on the other side of the board table working alongside the Board Chair to support the CISO in achieving the maximum possible risk reduction across the full security spectrum.

In my role as a board advisor, I often observe complex metrics and data being reported up to management from the security team. All too often, much of the intended message and the desired outcomes are lost in translation as the security team has to massage the data for non-security audiences. To avoid this, the security team needs to create its own set of meaningful metrics.

In this post I will define meaningful metrics, discuss the challenges I see with determining the right metrics to report to the board, and describe a mature approach to third-party risk metric reporting.

What Are Meaningful Metrics and How Do They Apply to Third-Party Risk Management?

Security reporting should be clear and concise, and in no other area is this more critical than in third-party assurance. Third-party assurance is one of the most challenging risk areas to quantify and manage from a CISO’s perspective due to three factors:

  1. the large size of third-party ecosystems
  2. the constant level of change among suppliers
  3. the resourcing challenges that come with simultaneously managing thousands of vendors

Meaningful metrics, therefore, are needed to clearly articulate a consolidated set of key performance indicators (KPIs) and key risk indicators (KRIs) to executives or board members. These metrics reduce the need to analyze large, complex security dashboards by distilling the real security implications behind the numbers.

An example of a meaningful metric is Mean Time to Detect (MTTD). This metric shows the board how effective you are at detecting issues within the supply chain and how leading and lagging KPIs/KRIs are performing, and it draws on technical, process and cultural inputs. The underlying detail is always available if required, but it is important to present a consolidated and meaningful metric in the first place.


Why Third-Party Risk Management Reporting Is Such a Challenge

Third-party risk management reporting challenges can be simplified into three categories: approach, resources and tooling. For example, if the security team lacks the right strategy for third-party assurance, then any account of how the function will manage risk across the supplier base is purely tactical. Instead, the team needs to balance the resources required to manage risk to an acceptable level against the maturity of the process. After all, an immature approach will need more resources (e.g., budget, people, time) to run. That’s why tooling is essential: it lets the team embrace innovation and move away from using spreadsheets to manage supplier risk.

3 Steps to a Mature Third-Party Risk Management Approach

A mature approach to delivering third-party assurance and meaningful metrics looks like the following:

  1. Spend time with business stakeholders to ensure that you have clarity into expected business requirements and outcomes.
  2. Develop an internal program that not only encompasses tactical business requirements, but also takes a strategic approach to managing supplier risk.
  3. Ensure optimal and effective processes by utilizing tools specifically developed for third-party assurance. The right tools will enable a near-real-time view of your supplier risk, rather than leaving you to rely solely on annual assessments.

These are practical improvements that any security team can embrace to improve the maturity of their third-party assurance process and articulate meaningful risk metrics to the business.

For more, check out the on-demand version of my webinar, Distilling Useful Metrics From the Pile of Third-Party Risk Data. Or, contact Prevalent today to learn about their third-party risk management solutions.

Bryan Littlefair
CEO of Cambridge Cyber Advisers

Bryan Littlefair is CEO of Cambridge Cyber Advisers and a guest blogger and webinar host for Prevalent, Inc. His prior experience includes global CISO roles at Vodafone Group and Aviva. Cambridge Cyber Advisers is a specialist cyber consulting and advisory firm. It provides a bespoke set of services based on its experience of managing security and technology for some of the world’s largest and most valuable brands.
