It is a scenario eerily familiar to our times. When one body is put at risk, so is everybody in contact with it.
Being part of a resilient community can reduce that risk. In epidemiology, it is called “herd immunity.” In cybersecurity, third-party risk management (TPRM) is supposed to provide it. In the same way a disease peters out when it cannot contaminate enough people, a breach cannot spread when its surroundings are secure.
But the “me versus them” mentality of standard TPRM approaches makes that resilience difficult to achieve. Third parties tend to be an afterthought in cybersecurity; fourth parties and beyond tend to be ignored entirely.
Businesses often assume that third-party risk can be managed based on the amount of data shared or its sensitivity. That assumption is not wholly misguided, but it ignores that a breach affecting some innocuous data can rapidly spread to other areas. An ecosystem approach solves that by reorienting cybersecurity, and by extension TPRM, around a collective “us.”
An ecosystem approach takes the “me versus them” mentality of standard TPRM and reorients it around a collective “us.”
This new approach to cyber resilience is timely.
The average cost of a data breach reported in IBM’s 2022 Cost of a Data Breach Report is higher than ever at US$4.35 million, and almost one-fifth of the breaches resulted from a business partner being compromised. Those partner-originated breaches cost more and took longer to contain than the average across all breaches, and they also took longer to identify.
This report offers the following perspectives to address the problem:
- The status of TPRM in cybersecurity
- Third-party value chains versus platform-based ecosystems
- Balancing inherent risk with residual risk
- Aspirational versus operational considerations