
August 13, 2025

Discerning Cyber Risk: A Scores-Forward Approach to Third-Party Cyber Risk Management

Below is an excerpt from ISS-Corporate’s recently released paper “Discerning Cyber Risk: A Scores-Forward Approach to Third-Party Cyber Risk Management”. The full paper is available for download from ISS-Corporate’s resources page.

Introduction

With fully 30% of reported cyber incidents involving a company’s vendors or other business partners, third-party risk management (TPRM) is a critical component of a holistic cybersecurity strategy. Traditional TPRM programs rely heavily on questionnaire-based assessments, which suffer from inherent biases, a lack of objectivity, and a significant administrative burden.

With increasing frequency, vendors and prospective vendors are balking at the time and effort required to answer dozens or hundreds of questions and are consequently responding with incomplete, superficial or vague information that can compromise the inquiring company’s understanding of its third-party cyber risk posture.

In this paper, we look at how the strategic use of an empirical cyber risk scoring system, providing a data-driven assessment distilled to a decision-ready metric – such as the ISS Cyber Risk Score – can reduce the need for questionnaire-driven inputs and increase the objectivity and currency of critical cyber risk insights. We will also discuss the benefits of objective, continuously updated risk intelligence for establishing a strategically informed TPRM program, and how that program can help organizations reduce risk, increase efficiency, and better manage cyber liability exposure.

Key Takeaways

  • Questionnaire-based third-party risk management information gathering is inefficient for companies and their vendors, suppliers, and other business partners.
  • Self-reported information suffers from a lack of objectivity and is seldom verifiable. Self-reported adherence to standards and protocols similarly lacks the veracity sought by third-party risk managers.
  • A scores-forward approach – leveraging risk scoring methods that distill empirical risk data into decision-ready metrics – can reduce the workload for organizations on either side of the data exchange and reduce the burden created by high-effort, time-consuming and subjective feedback.
  • Scores based on methods that are statistically derived and demonstrably sound increase confidence in TPRM efficacy, provide useful metadata for further analysis, and may also be leveraged for liability management in the event of a cyber incident.

By:
Douglas Clare, Managing Director, Cyber Strategy, ISS-Corporate
Michael Heineman, Vice President, Cyber Advisory, ISS-Corporate
