Emerging Tech in Third-party Risk Management

As part of our vendor risk Q&A series, we spoke with Matthew Ancelin, principal solutions architect at SecurityScorecard. We chatted with Matthew about his perspective on emerging tech in third-party risk management, how organizations can utilize different technologies to bring everything together, risk maturity and how you can fit that into your organization, and how new technologies are coming onto the scene to help improve organizations’ risk programs.

If you’re interested in learning more about the basics of third-party risk management, read part 1 of our Q&A with Matthew.

“When I think about vendor risk managers, the relationship is basically chasing the vendor down to get them to answer questions, which most of the time they don’t even have the answers to.”

How has third-party vendor risk changed, and where do you see it going?

Third-party vendor risk isn’t a new concept; it’s just evolved. It used to be a simple questionnaire that was sent to a third-party asking about their security program. But now, new tools have emerged on the market, including data-driven tools such as security scorecards that help verify the security posture and hygiene of the third party. Now, you can also get continuous visibility into their security practices and be able to make some decisions there as well.

So that’s the next evolution in the maturity of a third-party risk management program. Other forms of technologies are now starting to emerge that contribute to the full risk picture, including vendor detection, attack surface intelligence, and cyber risk quantification. Automating and integrating these advanced risk capabilities have recently become a focus of security programs.

Let’s dive into emerging tech examples. What is automatic vendor detection?

It might be safe to assume that any given company knows who its vendors are. Most of the time, that’s true, but in many cases, we’ve seen organizations think they know who all their vendors are and may come to find out that there are vendors that have bypassed the process. Alternatively, there may be some companies just starting in this vendor risk management journey, and they find it difficult even to determine who their vendors are because the data lives in multiple places across the company or it wasn’t recorded properly.

You might have a sense of your third-party vendors, meaning the vendors with whom your organization directly interacts. Still, we’ve found that most organizations don’t have a handle on the fourth-party or even fifth-party vendors—the vendors that work with their vendors. It becomes a tangled, confusing web that’s impossible to track manually.

So, what we’ve come up with at SecurityScorecard is a capability that allows us to detect a company’s vendors automatically and illuminate those. If I can pick up on who your third parties are, I can take that list of third parties and track down who their third parties are, which becomes your fourth parties, and so on.

We gather all this data and package it so you can then find things of interest among those third, fourth, and 10th parties. Because once the data comes into our platform, we start by running it through many of the same types of searches you could run your list of vendors through. For example, you can see any vendors that show vulnerability to Log4j right now or ones with threat actor connections.

It’s very common to see the big names at the top of the list when we’re looking at third, fourth, and fifth parties—because most organizations use them. I’m not concerned with those companies. I pay attention to the ones that aren’t obvious to the average person. Additionally, each industry will also have specific, not-so-obvious fourth parties. These are the organizations that you’ll want to engage with directly or influence your third parties to engage with them so they can improve themselves to a safe spot—and ultimately, you and your company as well.

And together with Onspring, SecurityScorecard produces results that highlight vulnerabilities or companies that are at risk of, say, exposed databases, ransomware-related issues, exposed industrial control systems, etc.

But what’s important for companies to understand is which of their vendors are critical because if one of them goes down, your organization will likely suffer. If half of your critical vendors are impacted at the same time, you can see how that could be a catastrophic risk. That’s why folks look at fourth-party and fifth-party risk. It’s the thing that you can’t see that might kill you, which is exactly what we look for when we do this analysis.

Can you give us an example of when this automatic vendor data from emerging tech is crucial to a company?

When the Log4j vulnerability hit, security managers quickly looked at their internal systems to make sure they weren’t vulnerable and that they were patched properly. But then they turned to the vendor managers to determine if their supply chain was at risk.

Often the way to do this is through a quick questionnaire asking vendors if they run servers that are vulnerable to Log4j, and if so, have they fixed them. However, blasting your entire supply chain with a questionnaire during a zero-day breach is ineffective because everyone else is doing the same thing at the exact same time. So, everybody who’s considered a vendor is getting three or four or even hundreds of these questionnaires, and they’re bogged down by it. In this case, there’s no guarantee that you’ll get an answer from your vendors, and even if you do, you won’t get it in time, so it becomes useless.

But by implementing automatic vendor detection, your risk management team can see beyond your third-party into all those other layers and have a better understanding of each layer’s risk and each vendor’s risk. And Onspring makes it easy by housing this data in its platform, so you can easily sort your lists by vendors susceptible to the Log4j risk instead of blasting out thousands of questionnaires. You’ll have a much smaller list that you can attack during a zero-day event, giving you a better chance of preventing that breach from affecting your organization.

What is cyber risk quantification in emerging tech?

In the cybersecurity space, this concept of converting risk to dollars is fairly new and very complex. There’s something called the FAIR model, and it can turn cybersecurity risks into dollar amounts of risk.

It does require a lot of effort because you’ve got lots of information to gather from various elements of your business, including each department’s subjectivity to risk, but you end up with this one-time view of what it would cost your company if various cyber events occurred.

Nowadays, there are advanced datasets we can use to leverage the actuarial data from threat connect, which stores actual dollar losses for historical breaches in a very categorical way so that it can be searched and pivoted against. We end up combining their data with our security posture data to get a monetized result across different attack types and attack vectors. It also gives a breakdown of where that expense would lie by providing a NAICS code, so you can compare your data to what companies like yours experienced in actual data loss by way of actual breach events.

In going through the exercise, you’ll also need to answer questions such as,

• How much cyber insurance should I carry?
• How many Payment Card Industry Data Security Standard (DSS) records do I hold?
• How many Personal Identifiable Information records?

Once all the information is acquired, the model will give you a financial analysis of yourself or one of your vendors instantaneously. Of course, it also offers suggestions on how you might be able to remediate some of these problems, whether it’s in your own environment or with one of your third parties, which reduces risk in a measurable, monetary way.

But if you can present yourself as a value-add to that vendor by sharing with them the critical security information you have, both parties will become more secure. They will ultimately stop you from having to question your relationship with that vendor.

What about attack surface intelligence as emerging tech?

Attack surface intelligence is essentially one large security audit of all your associations—both internal and external—and all the tools used in your technology stack to determine the risk threat.

SecurityScorecard provides security ratings for each of the vendors it assesses. Our technology crawls the entire internet looking for various signals and attributions that can be mapped back to the IPs of the various vendors. Attack surface intelligence allows us to go one level further by understanding the association of each signal and attribution. For example, if we see that one of the vendors is vulnerable on this particular IP, we can also map how many other companies are using that IP and alert them of the associated risk. We can literally tell which companies are of concern to your company and your supply chain, your vendor and their supply chain, and so on. We allow companies to share threat intelligence with every party they’re associated with and can make threat actor connections with this information.

Any closing thoughts for our readers?

Datasets from emerging tech are being integrated with platforms like Onspring, which leverages SecurityScorecard to give vendor risk managers, CISOs, etc., a view from different angles. Hence, they have the best chance of protecting their companies from cyber-attacks. By leveraging machine learning and AI, risk management programs can run much more efficiently across many vendors.

This kind of connected automation is the next step I see in risk management. Companies like Onspring are working to make processes like these fully automated from start to finish.

I do like to warn you that though there are many upsides to machine learning and AI (time and labor cost savings, elimination of manual work, and prevention of data errors), one downside is that you lose the human element of your vendor relationships. I like to remind people that human interaction and relationships are as important to your business as cost savings and keeping accurate data, for instance.

If you’re looking for ways to bolster your third-party vendor risk management program, Onspring’s comprehensive GRC Suite helps you manage compliance frameworks, automate data management, and continuously track and monitor risk, to name a few. With Onspring, businesses of all sizes and in all industries can make managing risk simpler and more efficient. No matter the stage of your risk management maturity, feel free reach out to us at hello@onspring.com.