RiskRecon GUEST POST: The Biggest Hurdle in Progressing TPRM Maturity
As security organizations try to progress and perfect their practices around third-party risk management (TPRM), most follow a predictable path toward maturity. It typically starts with a proverbial tap on the CSO or security leader's shoulder from the CIO or compliance department asking them to get a TPRM program kicked off. From there, one or two people are usually tasked with some kind of discovery process to understand who the vendors are within an organization and to figure out how to prioritize them so the organization can start devising an early assessment methodology for the highest risk vendors first.
Usually, these earliest stages rely almost solely on the ubiquitous security questionnaire for assessment, maybe with some more rigorous on-site assessments for the highest risk relationships. As things progress and the program matures, many organizations will start to broaden the scope of who is assessed, the length and detail of their questionnaire, and the contractual requirements imposed on vendors. But it often becomes quickly apparent through this process how limited self-assessment questionnaires are in giving the organization a view on third-party risk. Not only must organizations rely on the integrity of the answers from vendors, but programs are run on a shoestring and these self-assessments are typically done only once or a handful of times each year, so they're simply a loose snapshot of risk at a single point in time.
That's when most organizations start looking at leveraging TPRM continuous monitoring tools. Tools like the ones RiskRecon provide a path to validate the answers of a security questionnaire in a continuous fashion, to more appropriately group vendors based on risk, to adjust how, when, and what the questionnaires ask of individual vendors based on monitoring alerts.
Simply deploying the monitoring solution doesn't magically transform a TPRM program for an organization. It takes careful strategy and execution to get the most out of third-party risk monitoring to up-level a TPRM program's maturity. And as many organizations endeavor to do that they often run into one of the biggest hurdles in progressing TPRM maturity.
Often organizations will progress quickly from having no TPRM program to standing one up with questionnaires to utilizing continuous monitoring, only to get stuck when they try to scale up the integration of monitoring with self-attestation results.
Some obvious information crossovers are fairly easy to match up. For example, patching status can be a clear-cut crossover where continuous monitoring of external internet assets can show how accurate self-attestation is by vendors. If a vendor says they're doing a good job with patching their servers, and continuous monitoring shows several assets are behind in their versions, that's a good clue that the organization needs to look more closely at all of the vendor's questionnaire results.
However, doing that kind of comparison across a large portfolio of vendors proves very onerous to scrappy TPRM teams who only have so much time in the day. The biggest hurdle here has been in the information gap and silos that exist between questionnaire results and monitoring feeds. Not only do organizations struggle with navigating different dashboards and platforms to marry up questionnaire results and artifacts with monitoring alerts, but often the information is different in complexion. Self-attestation tends to be a more inside-out look into risk at a third-party, while monitoring provides an outside-in view.
This is a problem that a lot of smart people in our industry are working on, both at the practitioner level and the technology vendor level. The faster we can solve it, the more easily practitioners can get to a nirvana where they've got a deep understanding of the controls effectiveness of hundreds of third-parties that can help everyone take more preventative actions to reduce risk.
As a part of this industry-wide effort, one of RiskRecon's valued partners, Privva, has been working on ways to integrate RiskRecon results directly into its third-party risk management platform to help firms bridge the gap between questionnaire and monitoring. I recently ran a great, interactive webinar with Privva's CEO, Ishan Girdhar, that discussed this common hurdle of TPRM at length. We discussed why organizations need to bridge this gap and asked some practitioners and consultants in the audience to add their insights into how they're tackling the problem. Check it out to hear more, and to get a look at how Privva's platform is giving organizations a better way to get started mapping continuous monitoring to security questionnaires: Bridging the Gap Between Continuous Monitoring Data and Security Questionnaires.