Sophisticated breaches like SUNBURST (aka the SolarWinds hack that made headlines in late 2020) make the risk associated with third-party platforms abundantly clear. Modern organizations are increasingly depending on a variety of third parties for SaaS — everything from finance to supply chain to IT service management (ITSM).
From an operations perspective, this is great. Organizations focus less on "keeping the lights on" and more on their core value propositions. However, there's also an uncomfortable security tradeoff. If you don't control the platform, you don't completely control your — or your customer's — data, which has security and compliance implications. Similarly, the availability of critical business functions often depends on multiple external platforms, many of which can be a single point of failure.
For many organizations, simply navigating the complex dependencies and clearly defining risk appetites and mitigations are real challenges. Third-party governance and risk management (TPGRM) aims to solve this problem by analyzing and performing due diligence on risks stemming from third-party relationships.
While there are plenty of TPGRM/TPRM tools, effective risk management takes more than just tech. Deloitte's three-step process for TPGRM provides a realistic breakdown of the transformation required to leverage a TPGRM framework. To summarize the steps:
- Change risk and governance positioning: This step deals with the reframing of risk in an organization. Traditionally, risk has been something we eliminate. It needs to become something we manage.
- Understand risk appetite and lines of defense: The next step is broken into quantifying an organization's risk appetite in different contexts and identifying lines of defense against those risks.
- Establish a TPGRM framework: This is where the rubber hits the road. Organizations must implement strategies that leverage people, processes, and tech to help manage risk and deliver value.
Clearly, a large part of TPGRM will require qualitative input from humans, such as developing strategies or conducting detailed audits. That said, we can expect a shift toward more automation thanks to drivers like cyber insurance that are actively developing standards and measurable ways to quantify risk with analytics platforms like CyberCube.
Quantifying TPGRM Metrics
With that in mind, I expect to see the use of security portals and dashboards that quantify TPGRM metrics spike in the coming years. These portals will do for risk management what uptime monitoring platforms like Uptime Robot and Pingdom do for website monitoring: roll up the most important metrics in an easily digestible way. Like the website monitoring world, we'll see a varying level of sophistication and depth across solutions, but a standard baseline of "table stakes" metrics will emerge.
We're already seeing platforms like SafeBase make substantial progress here by automating security questionnaires and enabling vendors to share security posture across multiple categories. Risk management company Prevalent is solving similar problems with a focus on providing both IT solutions and services.
Additionally, solutions with a narrower focus are already leveraging automation to solve TPGRM problems in specific industries. For example, SignalX is addressing the problem space of financial and legal analysis in India to enable organizations to perform better due diligence before entering contracts or partnerships with vendors.
Fundamentally, these solutions demonstrate the broader trend toward standardization and automation in the TPGRM space. Tools alone aren't going to solve third-party risk management, but there is an emerging need for automated visibility into third-party risk, and that's where TPGRM tech can make a real impact.
In the years to come, I expect the winners in the space to be the tools that provide visibility into the "headline" TPGRM metrics required for cyber insurance and compliance for organizations with relatively immature TPGRM framework implementations, as well as those that can "go deep" and provide detailed analysis using AI/ML for enterprises.
Read part 1, which asks: What will replace EDR.