Is it time to admit that we're not actually "managing" third party cyber risk?
(To be read while listening to Kate Bush's "Running Up That Hill")
One of the areas that I have the privilege of covering for Gartner is third party cyber risk management. It’s a hot topic that’s getting hotter by the day, as companies and governments become increasingly dependent on large and complex digital ecosystems, and as the number of and impact from third party cyber incidents grows.
The more CISOs I talk to, the more clearly I see the massive gap between enterprises’ stated importance around third party cyber risk management and enterprises’ investment in actually managing it. It’s a gap that is crushing cybersecurity teams around the world.
Here’s a quick way to examine your enterprise’s importance/investment gap in re TPCRM. Estimate your enterprise’s performance on two metrics (if these look familiar, they should–they’re from The Gartner Cybersecurity Business Value Benchmark created by my good friend and colleague Paul Proctor):
How’d you come out?
If you’re anything like your peers, you came out with percentages higher than you’re comfortable with (smaller percentages on these metrics are better!). And, if we’re honest, the actual percentage is probably higher than your calculation, because there is at least 1 critical/high risk third party in your ecosystem that somebody forgot to tell you about.
Well, I’m sure you don’t have the problem of unaccounted-for critical third parties…but you have a friend who does, right?
So…is it time to admit that we’re not actually “managing” 3rd party cyber risk?
Industry performance on these metrics is one among many signals that cause me to question whether it’s appropriate for us in cybersecurity to use the word “management” when we talk about third party cyber risk.
After all, to the first metric above, it’s damnably hard to manage the cyber risks presented by a third party when we don’t know where a third party’s potential cyber-shortcomings are.
…and, to the second metric, it’s absolutely soul-crushing to have done our job–we assessed the third party and shared any shortcomings with the appropriate leaders internally …but we didn’t manage to convince whoever brought that vendor onboard to manage or to resource us to manage those shortcomings.
<takes a deep breath>
Now, the most frequent response to this exercise, when I conduct it with a client, is righteous indignation. And, to a degree, that indignation is fair. No cybersecurity function is staffed or funded to provide anything approaching true management of an enterprise’s critical/high risk third party ecosystem.
But your C-suite and Board don’t know this. They don’t know that their cybersecurity investment only covers X% of needed assessment and Y% of needed remediation. If I wanted to stir the pot, I’d suggest you share THESE data points the next time you get asked ‘what are our biggest risks?’!
Worried about blowback from raising uncomfortable data? There’s nothing like a bit of regulatory/legal intensity to help give your team the courage of its convictions… My hunch is that membership in the “I’m just going to leave these data right here for the Board to ponder…” club is about to explode, given that failing to at least make known unknowns and unmanaged knowns TRANSPARENT to your Corporate Officers could, these days, be grounds for a Wells notice based on negligence. On a regulatory guidance note, here’s a shameless plug for my employer and colleagues: Gartner clients can get some phenomenal support via New SEC Cybersecurity Rules: What CISOs Should and Shouldn't Do. (Caesars Entertainment’s 8-K disclosure last week indicates that their recent cyber attack originated with a third party compromise. My heart and best wishes go out to the teams working to remediate and recover from that event.)
Why else is it so important to make the importance/investment gap transparent to your execs and officers? Besides avoiding the above-mentioned regulatory banhammer?
Because without it, CISOs and their teams are doomed to attempting to close the management gap with adrenaline and bubble gum/bailing wire…
…with the inevitable result that the cybersecurity function is accountable for third party cyber risk management despite there being little evidence that anything approximating management of those risks–certainly not management at scale–is going on.
Accountability without authority is never healthy (check out my colleague Leigh McMullen’s commentary in CISOs-Don't Take the Little a Without the Big A), and it’s particularly dangerous in this space, given the frequency with which critical third parties go cyber pear-shaped (and isn’t it funny how, no matter what the BIA says...the rate at which non-critical third parties become critical after they’ve gone pear-shaped?).
Maximum effort isn’t paying off…maybe we should try a Minimum Effective approach.
So, having admired the heck out of the problem… what do we do? Take Kate Bush’s advice and keep running up that hill? Resign ourselves to being Sisyphus? (At Gartner’s recent Washington DC Security & Risk Management Summit, a CISO described himself as CISOphus, which is actually pretty funny, if you’re into wear-your-hairshirt humor.)
Yes, cybersecurity should have an accountable role in third party risk management. But my view, based on the data I’ve seen and the clients I’ve advised around the world, is that the level and scope of accountability should be far smaller than the accountability which the enterprise currently attributes to the cybersecurity function.
Words matter, and calling what we do “management” is not merely an overstatement; it perpetuates, dangerously, the belief among our business and mission colleagues that the CISO has things in hand. That’s a recipe for ending up on the wrong side of moral hazard, friends. And, I love a good moral hazard as much as the next person, but, if we can snuff this particular one out by limiting our role to providing TRANSPARENCY, I think we should consider it.
If you replaced “management” with “transparency,” i.e. “the CISO owns the Third Party Cyber Risk Transparency Program,” what would that free you and your team to do differently?
More importantly, what would re-scoping our role to “transparency only” force the folks bringing those risks into the enterprise to do differently?
Please leave your thoughts in the comments! All are welcome!
###
Disclaimer: This post should not be construed as legal or investment advice and is not a consensus position of Gartner analysts. I’m using forums like LinkedIn to test ideas and move research forward. Because the ideas shared above did not undergo Gartner’s standard editorial review, all comments or opinions expressed here are mine and do not represent the views of Gartner, Inc. or its management.
My thinking was heavily influenced by Christine Lee, Andrew Walls, Deepti Gopal, Charlie Winckless, Patrick Hevesi and Leigh McMullen of the Mad Scientists of Cyber Security cohort within Gartner. If these folks aren’t among your contacts or follows, I humbly recommend you make them so! We will be publishing actionable advice on this topic on Gartner.com shortly.
If you’ve ever wondered “what exactly is moral hazard” and don’t want to have to read a dry academic text in order to grok it in fullness, I highly recommend John Fishback’s TEDx talk: What Economists Call A Moral Hazard. Be warned…once you start learning from John, you may be unable to stop. That has been my experience.
Chief Security & Trust Officer, HiddenLayer
1y – Good perspectives as always Chris Mixter! I would also go on record again to say the current approach to 3rd party risk does not actually do much to lower/manage real risk and the vendor solutions in these spaces also do little to manage risk but add a great deal of cost and more likely create a faux sense of risk management.
Chief Product and Customer Experience Officer at First Bank & Trust
1y – Chris Mixter, thank you for the very kind mention. And for the excellent post, as well! Your point that the level and scope of accountability should be less than we currently assign really struck me. I work in a highly regulated industry, and it’s my impression that our Risk, Compliance, and Audit functions work hard internally to make sure that what we represent to our regulators as the scope of accountability for all we do (including information security risk) matches what actually happens. What’s your take? Are regulated industries more or less guilty of the mismatch you articulate?
Technology Influencer | Cybersecurity Professional | Speaker | Veteran
1y – Great article Chris! TPRM is more about transparency than it is about trying to reveal and expose. Accepted levels of risk can be mitigated but lack of transparency will always drag your program down and put you and your team in the cross-hairs.