Let's Kill TPRM
April 10, 2024
3:10 - 4:00 PM
Laveen
First principles thinking - that's what third party risk programs are missing. An industry that started 10 years ago by doing outside-in scans has not changed a bit since.
You ask any CISO - "Do you truly understand your third party risk?" Most will answer no. They lack confidence.
You ask any TPRM practitioner - "How is your program working?" You will hear 'exhausting', 'no one cares', 'I am just a process guy', 'I am just chasing everyone' as responses.
How did we get here?
Because we are applying 10-year-old technology and 'compliance' thinking to a highly dynamic problem. We are fighting a war with pencils (not even knives). We rely on outside-in scans (more noise than signal) and questionnaires (static, manual) to get a picture of security posture. It doesn't work.
How can we solve it?
Let's get back to the drawing board.
Apply first principles thinking. If you had to re-imagine TPRM today, how would you do it?
We recommend five ways to re-think TPRM:
1. Find a scientific way to understand which third parties matter - you can't focus on 5000 third parties, but you can focus on 50. How can you do that? Understand your data, network and revenue exposure to each third party, and quantify it.
2. Realize that your third parties are YOUR attack surface. Apply Zero Trust Principles to TPRM. How are you managing data access, network access and revenue dependency towards your third parties? In a bad neighborhood, you protect your house first, and then try to fix the neighborhood.
3. For your most critical third parties, ask for inside-out, real-time telemetry from their environment. You can do this in a non-intrusive way. This real-time telemetry will help you truly understand the risk posture of your third parties across different risk scenarios.
4. Run active risk management, not passive risk management. Fix your own controls first. Work with your vendors to mutually improve controls.
5. Automate, automate, automate. Apply LLMs to automate questionnaires. There are many ways to reduce redundant and manual work in the TPRM process.
Re-think TPRM, or just kill it. It is not working today.
Vince Dasta | Senior Partner - Risk Strategy | Safe Security
With over 15 years of experience in Cyber Risk Management and Compliance, Vince Dasta is a dynamic executive and subject matter expert in developing and implementing Cyber Risk Quantification solutions. He has a proven track record of success in leading go-to-market strategies for complex cyber risk products.
Currently, Vince is a Senior Partner - Risk Strategy at Safe Security, a leader in Cybersecurity and Digital Business Risk Quantification (CRQ). In this role, he is a trusted advisor to customers, enabling senior executives and stakeholders to address complex cyber risk challenges. Leveraging Safe Security's ML Enabled API-First SAFE Platform, Vince works with Fortune 500 companies to measure, mitigate, and make informed decisions about their enterprise-wide cyber risk in real-time using FAIR, the de facto standard in CRQ. His role is crucial in assisting organizations to understand their risk exposure and financial value at risk, ensuring a fortified cyber risk posture.
In his previous role as Head of Product Innovation - Cyber Risk Quantification at BitSight, Vince led a team of experts in developing innovative solutions that address the complex needs of the company's most strategic clients, including top cyber insurers. Before that, as Head of Cyber Risk Engagements at VisibleRisk, he was responsible for building and leading a team of cyber risk management experts, developing innovative solutions, and driving growth. He also led the successful integration of VisibleRisk’s CRQ solutions into BitSight.
Vince is a certified Open FAIR Cyber Risk Quantification Professional and holds a patent for his work on developing new methodologies for cyber risk quantification. He is a frequent speaker at industry conferences and events, and he has been recognized for his contributions to the field of cyber risk management.
Ram Vemula | Product Management - Head of Partnerships | Safe Security
Ram Vemula is a product management leader with extensive experience in delivering strong business growth through disruptive product innovations, innovative go-to-market strategies and building strong ecosystem partnerships. He is currently leading product development of Third-Party Risk Management capabilities and establishing technology partnerships with various partners in the risk management and cybersecurity domains. He is experienced across all aspects of product management and business development: market-driven requirements and competitive analysis with a focus on commercial structure, pre-sales, and adoption.
He is a former product management leader at Cisco, where he drove growth and partnerships with service providers and helped them build managed services portfolios around Cisco's network and security products.