Giving Vendor Risk Management (VRM) a FAIR Shake: NCSF 1.1
Ted Ritter, CISSP
Cyber Author, Technical Marketing, Sales Engineer, and Djembe Drummer
Last week, NIST announced the 1.1 release of the NIST Cyber Security Framework (NCSF). For those who follow my posts, I have written about NCSF quite a bit as an efficient, flexible, yet still pragmatic model for cyber risk management. There are many updates to NCSF of note in the 1.1 release, but two that jump out for me are the additional guidance on Supply Chain Risk Management (SCRM) and the increasing references to quantitative analysis. As discussed below, this puts Vendor Risk Management (VRM) in NIST’s crosshairs.
Managing supply chain risk is a rapidly evolving field: Gartner tends to lump this risk into IT Vendor Risk Management (VRM), and Forrester includes this as part of its Supplier Risk and Performance Management (SRPM) space. For this post, I am focusing on applying NIST CSF to reducing cyber risk in the supply chain. Therefore, Gartner’s VRM definition is more applicable.
The VRM space is growing fast. For example, MarketsandMarkets projects global vendor risk management market growth from USD 2.97B in 2016 to USD 6.5B by 2022. Some of the better-known companies in this space are BitSight, MetricStream, RSA Archer, and Security Scorecard. VRM is a hot market segment, yet I find the VRM providers are still working with qualitative cyber risk assessments (high, medium, low; red, orange, green; A-F; etc.).
Enter OpenFAIR. One of the other changes in NCSF 1.1 is a specific reference to quantitative analysis for risk assessment. I wrote about quantitative risk analysis in my series on OpenFAIR. Factor Analysis of Information Risk (FAIR) is a standardized way to both qualify and quantify risk. As I wrote in those posts, OpenFAIR defines risk as the probable frequency and probable magnitude of future loss. That is it! No A’s, B’s or C’s about it!
A few things to note about this definition:
- Risk is a probability rather than an ordinal (high, medium, low, A-F) function, moving us away from the alphabet and stop light rating systems
- Frequency implies measurable events within a given timeframe taking risk from the unquantifiable (our risk of a breach is 99%) to the actionable (our risk of a breach is 20% in the next year)
- Probable magnitude takes into account the level of loss. It is one thing to say our risk of a breach is 20% in the next year. It is another thing to say our breach risk is 20% in the next year resulting in a probable loss of $100M
- One of OpenFAIR’s most potent aspects is that it is future-focused. With OpenFAIR we can project future losses, opening the door to quantifying the impact of investments made to offset those future losses
This is the next step for VRM vendors, especially since the NCSF adoption is on the rise. The first vendor heading in this direction is RSA with its private labeling of RiskLens’ Cyber Risk Quantification Application as RSA Archer Cyber Risk Quantification. Security Scorecard is also making great strides with its recently announced Breach Insights.
By including OpenFAIR in the calculus of risk, the conversation shifts from the likelihood of a breach to the likelihood of a loss. More importantly, telling a CISO that his/her risk of a breach is 5x higher than a peer organization’s due to their VRM score is alarming. Telling them that their annualized loss expectancy (ALE) due to a breach is $15M versus a peer organization’s ALE of $3M is actionable.
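To make the OpenFAIR definition above concrete (risk as probable frequency times probable magnitude of future loss, and the ALE comparison between two organizations), here is an added example that is not part of the original post. It computes the point-estimate ALE and then runs a small Monte Carlo over min/most-likely/max ranges to show the annual loss distribution behind that single number; the vendor figures are constructed for illustration.

```python
import math
import random
import statistics


def ale(loss_event_frequency, loss_magnitude):
    """OpenFAIR point estimate: ALE = probable frequency (events/year) x probable magnitude ($/event)."""
    return loss_event_frequency * loss_magnitude


def _poisson(rng, rate):
    """Knuth's Poisson sampler: how many loss events occur in one simulated year at `rate`."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(lef, lm, years=20000, seed=7):
    """Monte Carlo over `years` simulated years.

    lef: (min, most likely, max) loss event frequency in events/year.
    lm:  (min, most likely, max) loss magnitude in $/event.
    Returns the sorted list of total loss per simulated year.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # triangular(low, high, mode)
        total = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(_poisson(rng, rate)))
        losses.append(total)
    return sorted(losses)


def summarize(losses):
    """Mean annual loss (the simulated ALE), 90th-percentile year, and share of years with any loss."""
    n = len(losses)
    return {
        "mean_annual_loss": statistics.fmean(losses),
        "p90_annual_loss": losses[int(0.9 * (n - 1))],
        "prob_any_loss": sum(1 for x in losses if x > 0) / n,
    }


if __name__ == "__main__":
    # Constructed vendor profiles: the post's "20% chance of a breach, $100M probable loss" case.
    print("point ALE:", ale(0.2, 100e6))
    print(summarize(simulate_annual_losses((0.1, 0.2, 0.3), (50e6, 100e6, 150e6))))
```

The mean of the simulated annual losses converges on the point estimate, while the 90th-percentile figure is what a CISO would quote when asked what a bad year looks like.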
As a next step, I would like to see three specific things happen:
- NIST gets more definitive on quantitative risk analysis and calls out OpenFAIR
- Gartner updates its definition of VRM to include quantitative assessment
- All VRM vendors adopt and support OpenFAIR
CEO and Founder @ AI DIONIC | Former CISO, PhD in AI | Trustworthy and Responsible AI Agents for Enterprise Adoption
6 years
I wholeheartedly agree that FAIR can play a major role in Vendor Risk Management. I do feel the lack of accurate data is going to be a problem.
Cyber Author, Technical Marketing, Sales Engineer, and Djembe Drummer
6 years
For those interested in #NIST #NCSF1.1: Matt Barrett gave a great presentation yesterday. He specifically talked to the addition of more SCRM guidance: https://www.nist.gov/news-events/events/2018/04/webcast-cybersecurity-framework-version-11-overview
Cyber Author, Technical Marketing, Sales Engineer, and Djembe Drummer
6 years
Hi Damian del Rio, yes, I saw the #NIST #NCSF1.1 webcast. I thought it was well done and informative. It highlighted the way they updated without messing with the Core, Tiers, and Profiles. They also highlighted crosswalk work done to align NCSF with ISO, CIS, PCI, etc. One of the most interesting takeaways is a hint that NIST will more closely align NCSF with 800-37 RMF.
Privacy Technologist and IT Auditor - CIPT, CIPP/E, CIPM, Lead Implementer ISO/IEC 27701 & 27001
6 years
Did you catch the NIST CSF 1.1 webcast yesterday? I didn’t, but fortunately they’ll release a recording of it in about a week.