Ever catch yourself thinking that there are a thousand channels but there’s still nothing to watch on television? In the era before dedicated networks, streaming services, and on-demand programming, cartoon binge-watching consisted of five hours every Saturday morning, featuring tiny blue creatures, crime-fighting teenagers (and a mangy mutt), and superheroes. Among our favorites were the Wonder Twins, extraterrestrial siblings whose shapeshifting powers are activated when they unite. Third-party risk management (TPRM) and cyber risk ratings (CRR) are not exactly extraterrestrials or twins, but their power to fight third-party risk is amplified when used together, making security and risk pros the beneficiaries of the alliance.
Despite being junior members of the Super Friends squad, the Wonder Twins are a formidable duo. When they activate their powers, Jayna assumes the form of an animal and Zan morphs into any form of water. The key to their success: picking forms that intentionally complement each other. For security and risk pros, TPRM’s “inside-out” and CRR’s “outside-in” data are the Jayna and Zan that your security program needs — no fist bumps or magic phrases required (unless you want to).
Cyber risk ratings have gained momentum in recent years to continuously monitor orgs’ external attack surfaces. While these ratings still have major limitations on their own (i.e., being based on observable “outside-in” data only), they can augment third-party risk management programs with an added layer of security data. Risk ratings supplement assessment questionnaires, provide a point-in-time view of a firm’s external security posture, and allow for monitoring third parties for changes over time. They play a powerful role in helping security and risk pros:
- Inform partnership decisions for new/existing third parties. In early stages of evaluation, cyber ratings can steer third-party selection, guide contracts, and help the onboarding process.
- Augment security assessment data. Because CRR are based on external data, they won’t single-handedly fulfill due-diligence requirements for frameworks such as NIST, PCI, or ISO 27001, but they reduce the time spent reviewing responses and verifying answers.
- Prioritize third-party risk mitigation and remediation. They provide a way to gather information quickly to triage potential risks and add an additional lens to prioritize which third-party risks should be remediated first.
- Support underwriting cyber insurance. Cyber ratings help companies validate security posture and maturity to support the cyber insurance underwriting process.
- Continuously monitor third parties’ external security posture. Cyber ratings continuously monitor changes to the cybersecurity posture of portfolio companies.
But cyber risk ratings do not replace third-party risk management programs. Like the Wonder Twins, these two perform entirely separate functions — the value is in where they can be combined. Unsurprisingly, CRR only measure the cybersecurity domain, which is only one dimension of third-party risk. Our latest report, Cybersecurity Risk Ratings Remain A Valuable Piece Of The Third-Party Risk Puzzle, details five use cases that security and risk pros can use today to activate their superpowers.