Enhancing Third-Party Risk Management: Moving Beyond Questionnaires

Organizations are increasingly reliant on third-party suppliers to meet various business needs. While sending a cybersecurity questionnaire to potential suppliers is a common practice, it's crucial to recognize the limitations of relying solely on the information provided. The reality is that the responses received may not always be entirely trustworthy.

Challenges with Questionnaire Responses:

  • Lack of Knowledge: Some suppliers may lack a comprehensive understanding of cybersecurity risks and best practices. Consequently, their responses to cybersecurity questionnaires might be incomplete or inaccurate. This knowledge gap could stem from a variety of factors, including limited resources or a lack of awareness regarding evolving cybersecurity threats.
  • Fear of Losing Business: Suppliers may harbour reservations about disclosing detailed information regarding their cybersecurity posture, fearing potential repercussions on the business relationship. The competitive nature of certain industries might drive suppliers to downplay vulnerabilities, reluctant to appear less secure than their counterparts and risk losing business opportunities.
  • Deliberate Deception: Regrettably, there is the possibility of intentional misinformation. Some suppliers may deliberately provide false information in an attempt to project a more robust cybersecurity posture than they actually possess. This deceptive practice can undermine the effectiveness of a cybersecurity assessment, leading organizations to make decisions based on inaccurate or inflated security claims.


The Role of External Cyber Risk Assessment Platforms:

To address the limitations of traditional cybersecurity questionnaires, organizations are turning to advanced solutions such as the Black Kite Cyber Risk Assessment Platform. This platform revolutionizes Third-Party Risk Management (TPRM) by leveraging open-source intelligence (OSINT) techniques and standardized scoring models to evaluate suppliers across three critical domains: Financial Risk, Technical Risk, and Compliance Risk.

  • Technical Risk: The platform employs a non-intrusive approach, examining the target domain and infrastructure landscape without touching the actual environment. This ensures a comprehensive assessment without posing any risk to the supplier's systems. The use of standard scoring models like MITRE CTSA and CWRAF translates technical complexities into easily understandable business language for executives.
  • Financial Risk: Leveraging the Open FAIR™ standard, the platform quantifies the probable financial impact of cyberattacks. By automating the measurement of financial risks for both the organization and its suppliers, the platform provides a nuanced understanding of the potential economic consequences of cybersecurity incidents.
  • Compliance Risk: The platform assesses compliance against industry standards such as NIST 800-53, ISO27001, PCI-DSS, HIPAA, GDPR, and Shared Assessments. It not only measures the compliance level of a supplier but also streamlines the process by allowing the upload of evidential proof, automating the mapping of content to known standards.


While sending questionnaires remains a valuable component of the TPRM process, the limitations of such self-reported data necessitate a more comprehensive approach. External platforms like Black Kite offer organizations a robust and objective means of assessing third-party cybersecurity risks, mitigating the potential pitfalls associated with inaccurate or incomplete questionnaire responses.


As the cyber threat landscape continues to evolve, embracing advanced tools becomes imperative for organizations committed to ensuring the security and resilience of their supply chain.

Further Information

Third Party Risk Management (TPRM) Platform Overview

The Black Kite TPRM Platform provides comprehensive visibility into your own, your suppliers', and your partners' cyber positions using open-source intelligence. It assesses financial, technical, and compliance risks without accessing the target environment. With over 400 OSINT resources, it generates letter-grade scores and reports based on industry standards like NIST and ISO27001. Reports cover technical, financial, and compliance risks, aiding proactive mitigation. The Ransomware Susceptibility Index (RSI) detects ransomware risks early.

Ransomware Assessment Service

In today's digital era, cyber threats, especially ransomware attacks, pose significant risks to organizations. Black Kite offers a comprehensive risk assessment service powered by OSINT techniques and industry-standard scoring models. It swiftly identifies vulnerabilities such as open ports, code execution flaws, and leaked credentials, providing understandable reports within hours. These reports help organizations assess their own and their suppliers' susceptibility to ransomware attacks.