blog-hero-background-image
Third Party Risk Management

How Should Enterprise CISOs Structure TPRM Teams?

backdrop
Table of Contents

Join thousands of professionals and get the latest insight on Compliance & Cybersecurity.


‘How do I mitigate vendor risks?’

That’s a common question in my chats with CISOs and IT executives. Being a tech enthusiast and as stressed in previous guides, my usual suggestion is: Leverage technology and streamlined processes to: 

These are all crucial factors.

But often, CISOs come back seeking help on how best to build and structure their third-party risk management (TPRM) teams. Each time this happens, I’m reminded of these words by Dave Buster: 

 

Dave Buster - Quote

 

Dave couldn’t say it better. The right TPRM framework, technology, and automated processes won’t work on their own. So to mitigate risks in our ever-expanding vendor landscape, you need: 

  1. A dedicated vendor risk management team
  2. An effective TPRM reporting structure

Starting with the latter, I’d cover both in this guide. 

 

Third-Party Risk Management Reporting Structure

Get the right people, and you can rest assured your vendor risk management program is in good hands. Design an effective reporting structure for your TPRM team, and you can be sure the right info reaches you (and the C-Suite) at the right time. 

The challenge: 

What should such a TPRM reporting structure look like? 

It ultimately depends on your organization type and overall size of your cybersecurity team. Generally though, experts recommend a centralized TPRM reporting structure:

 

centralized TPRM reporting structure

 

As illustrated above, a centralized structure eliminates silos and can be more effective for two reasons:

  1. The CISO and Senior Management get real-time insight into how subteams are implementing the TPRM program. 
  2. Subteams overseeing various aspects of your TPRM program can track teammates’ actions and act proactively.

If this reporting structure makes sense to you, as it does for most enterprise security execs, the next hurdle I often hear is: What are the roles and responsibilities of subteams dedicated to each step? 

The rest of this guide addresses that. As we proceed, you’ll also see how our interoperable cybersecurity platform helps enterprise security teams automate and report critical TPRM processes

Before we dive in… 

illustration background

Join SMSW

Join CISOs, CTOs, and enterprise security execs subscribed to Secure My Software Weekly (SMSW) for actionable cybersecurity, risk and compliance insights.

card image

Enterprise TPRM Team Roles and Responsibilities 

When filling critical roles in your TPRM team and assigning responsibilities, diversity is highly recommended. The Institute of Critical Infrastructure Technology, in a study titled, “The Business Value of a Diverse InfoSec Team,” reiterated this. 

According to their research

 

The-Institute-of-Critical-Infrastructure-Technology-ICIT

 

So while the centralized reporting structure above helps, it is crucial to keep diversity in mind as you fill the TPRM roles below. 

 

TPRM Program Director/Manager

This individual or team owns the TPRM program. 

High-performers have a balance of demonstrable risk management skills, extensive training, experience, and the ability to coordinate all subteams. They report to you, the CISO, and usually, their primary responsibilities would be to help you:

  • Champion and advocate for the maturity of your TPRM program and develop key partnerships across the org to ensure alignment with your company’s overall 3rd party strategy.
  • Design and oversee the implementation of your TPRM framework and operating procedures needed to integrate necessary security controls per your business functions. 
  • Establish relevant TPRM program metrics, Service Level Agreements (SLAs), Key Risk Indicators (KRIs), and Key Performance Indicators (KPIs) for managing all vendor risks. 
  • Design security guardrails for selecting vendors, and define security scores and controls 3rd parties must retain before they can be considered and let into your third-party ecosystem. 

 

Vendor Assessments & Onboarding Subteam

The core responsibility of specialist(s) on this subteam is enforcing the security guidelines defined by the TPRM Program Director, which new vendors must meet. Specifically, this includes: 

  • Vetting, profiling, and tiering vendors
  • Creating and implementing custom security audits or exams.
  • Choosing and right-sizing appropriate security assessment questionnaire templates for select vendors.
  • Onboarding vendors with acceptable security controls, etc. 

Imagine doing all that with this:

 

TPRM assessment Question

 

Josh Angert, Manager at Vendor Centric, observed how core functions of this subteam, if done manually with Excel, can lead to inconsistent vendor risk tiering, wasted time, and poor assessments. 

In his words:  

 

Josh Angert - Quote

 

As Josh advised, to curb vendor risk assessment bottlenecks, CISOs can leverage a vendor risk management system to standardize processes. 

That’s where Cyber Sierra comes in: 

 

vendor risk management system to standardize processes

 

As shown, our system streamlines the gruesome vendor tiering, assessment, and onboarding processes into three easy steps. For instance, your team can profile vendors based on their business type, location, and easily tier those requiring advanced assessments. 

illustration background

Automate Vendor Risk Assessments

Cyber Sierra streamlines crucial vendor assessment processes, so enterprise TPRM teams can compile reports faster.

card image

Vendor Risk Monitoring & Remediation Subteam

This subteam usually comprises risk detection and mitigation experts, each assigned to one or a group of vendors. They work closely with the security assessment subteam, share insights within each other, and report to the TPRM Program Director, or you, the CISO. 

Some core responsibilities include: 

  • Own assigned third-party vendors and manage their risks. 
  • Perform daily or weekly risk management tasks on assigned vendors, according to your company’s instituted TPRM program. 
  • Detect, mitigate, and report risks posed by third-parties, and work with them and the DevSecOps team to remediate the same. 
  • Flag third-parties that should be terminated, and in most cases, oversee the offboarding of flagged high-risk vendors. 

One way to empower this subteam is through software that enables ongoing vendor risk monitoring. This helps them identify vendors whose security controls become outdated and can’t be verified. 

Again, Cyber Sierra automates this: 

 

ongoing vendor risk monitoring

 

Our platform uses standardized enterprise security controls to auto-check evidence uploaded by vendors on an ongoing basis. As shown above, you get alerted of those that fail verification, flagging your team to immediately work with the vendor to enforce them. 

 

TPRM Program Auditors

According to Vikrant Rai

 

Vikranti Rai - Quote

 

In other words, having internal (and external) auditors is a must-have. They perform systematic evaluations of your company’s implemented TPRM framework, documentation, processes, and security controls. This enables them to document weaknesses that must be addressed and usually report directly to the CISOs, IT executives, and the TPRM Program Director/Manager. 

 

How Many People Should Be On My TPRM Team?

 There’s no magic number. 

Generally, the more vendors you manage, the more risk exposure your team may have to deal with, and the more people required. But all third-parties aren’t created equal. In a sample of, say, 200 vendors, only 5-10% (i.e., 10-20) may be high-risk or critical to your company’s operations. In a centralized reporting structure, where processes have been automated, 1-2 full-time employees (FTEs) on your risk monitoring and remediation subteam can manage such vendors closely, in addition to reviewing others occasionally. 

Going by this logic, the number of people you may need on your enterprise TPRM team should be around:

  • 1–3 FTEs for up to 200 vendors. 
  • 3–5 FTEs for 200 – 600 vendors. 
  • One (1) additional FTE for every 100–200 vendors beyond that. 

You may be wondering: 

How about the assessment and vendor onboarding subteam? 

Well, by automating processes with a tool like Cyber Sierra, your TPRM Director can vet, assess, and onboard vendors in a few steps because those critical to-dos have been streamlined. For instance, they can choose from standard security assessment questionnaires already built into our platform, customize per your company’s needs, and send to vendors: 

 

automating processes with a tool

 

Make Your TPRM Team More Effective

In a cybersecurity survey reported by Graphus:

 

cybersecurity survey reported by Graphus

 

This finding proves that, irrespective of how many full-time employees (FTEs) on your TPRM team or reporting structure, automation is needed to make them more effective.  

Third-party risk expert, Ian Terry, agrees

 

Ian Terry - Quote

 

We built Cyber Sierra to enable enterprise TPRM teams to achieve this needed automation and become more effective. From tiering critical vendors to continuous security assessments, and ongoing risk monitoring, our platform automates the steps required. 

Want to see it for yourself? 

illustration background

Automate Crucial Vendor Risk Management Process

Cyber Sierra streamlines crucial vendor assessment processes, so enterprise TPRM teams can compile reports faster.

card image
  • Third Party Risk Management
  • CISOs
  • CTOs
  • Cybersecurity Enthusiasts
  • Enterprise Leaders
  • Startup Founders
Pramodh Rai

Meet Pramodh Rai, a technology aficionado and Cyber Sierra's co-founder, whose zest for innovation is fuelled by a cupboard stacked with zero-sugar Redbull. With a nimble footwork through the tech tulips across Asia Pacific, he's donned hats at Hmlet (the proptech kind) and Funding Societies | Modalku, building high-performing teams and technologies. A Barclays prodigy with dual degrees from Nanyang Technological University, Pramodh is a treasure trove of wisdom, dad jokes, and everything product/tech. He's the Sherpa in sneakers you need.

A weekly newsletter sharing actionable tips for CTOs & CISOs to secure their software.


Thank you for subscribing!

Please check your email to confirm your email address.

Find out how we can assist you in
completing your compliance journey.

blog-hero-background-image
Third Party Risk Management

How to Choose (and Implement) Relevant TPRM Frameworks

backdrop
Table of Contents

Join thousands of professionals and get the latest insight on Compliance & Cybersecurity.


What do Toyota, Okta, and Keybank have in common? 

On the surface, not much, given they operate in different sectors —car manufacturing, B2B software, and banking, respectively. But review recent cyberattacks that made the news, and you’ll see the commonality: They all suffered major data breaches in 2022 through third-party vendors. Given these are global enterprises, one would argue they had some kind of Third-Party Risk Management (TPRM) framework in place. 

It begs the question: 

Why do companies suffer data breaches through third-parties, despite having some way to manage risks?

If you’re a CISO or an enterprise security exec pondering over that question, here’s the likely answer. First, choosing the right TPRM framework is crucial, but it’s not enough. This is because no matter how good one may be, it is only useful if effectively implemented. 

And that brings us to the rest of this article. 

We’d explore the top enterprise TPRM frameworks you can choose from. More importantly, you’ll see how our interoperable cybersecurity platform, Cyber Sierra, effectively streamlines their implementation. 

illustration background

Join SMSW

Join CISOs, CTOs, and enterprise security execs subscribed to Secure My Software Weekly (SMSW) for actionable cybersecurity, risk and compliance insights.

card image

The Top Enterprise TPRM Frameworks

According to a report by RSI Security

 

RSI Security - Quote

 

In other words, TPRM frameworks developed by NIST and ISO come recommended. But there are variations of these, so choosing which ones to implement should be based on your company’s specific needs. 

To help you do that, below are the various frameworks designed by both institutions and their relevance to enterprise TPRM. 

 

1. NIST Supply Chain Risk Management Framework (SCRMF) 800-161

NIST 800-161 was developed to supplement the NIST 800-53 designed specifically to help federal entities manage supply chain risks. 

However, given the large number of 3rd parties enterprise organizations now work with, private sector organizations can also adopt NIST 800-161. This framework breaks down the supply chain or vendor risk management process into four phases: 

  1. Frame, 
  2. Access, 
  3. Respond, and
  4. Monitor: 

 

Risk Management Process

 

Across these phases, there are 19 data security control themes, ranging from employee training to systems and service acquisition.

 

2. NIST Vendor Risk Management Framework (RMF) 800-37

Originally developed in 2005, the National Institute of Standards and Technology (NIST) revised this framework in 2018. 

Generally, the NIST 800-37 RMF outlines steps companies can take to protect their data and systems. This includes assessing the security of systems, analyzing threats, and implementing data security controls. For vendor risk management purposes, section 2.8 of the framework specifically fits the bill. It is invaluable as it helps security teams consider relevant risk mitigation tactics for onboarding new third-parties. 

 

3. NIST Cybersecurity Framework (CSF)

Considered the gold standard for building robust data security programs, the NIST Cybersecurity Framework can also be used when designing third-party risk management processes. Specifically, this framework outlines the best practices for creating vendor risk assessment questionnaires

Base your third-party risk assessment questionnaires on security controls in the NIST CSF framework, and your team can accurately assess potential vendors’ cyber threat profiles. This is especially useful for enterprise organizations with strict privacy or regulatory compliance concerns.

 

4. ISO 27001, 27002, and 27018

The International Organization for Standardization (ISO) developed the ISO 27001, 27002, and 27018 standards. Although known more for implementing governance, risk, and compliance (GRC) programs, these standards can also be used in creating frameworks for evaluating third-party risks. 

Specifically, each of these standards have sections guiding security teams to ensure their vendor risk assessments are thorough. This is in addition to each standard helping your team manage a broader information security program across your organization.  

 

5. ISO 27036

Unlike other ISO standards focused more on companies’ overall GRC programs, ISO 27036 series helps organizations manage risks arising from the acquisition of goods and services from suppliers. 

ISO 27036 has provisions for addressing physical risks arising from working with professionals such as cleaners, security guards, delivery services, etc. It also has more standard processes for working with cloud service providers, data domiciles, and others. 

 

Elements of an Effective Vendor Risk Management Framework

Notice something in the frameworks above? 

Each addresses an element of the TPRM implementation process. For instance, NIST 800-37 enforces risk mitigation tactics for onboarding vendors while the ISO 27001 standard helps security teams design comprehensive risk assessment questionnaires. 

This means two things: 

First, for effective vendor risk management, companies may need to combine elements from various TPRM frameworks. The elements (or components) to keep in mind are illustrated below: 

 

Elements of an Effective Vendor Risk Management Framework

 

Secondly, because trying to cut off sections of various frameworks to achieve all necessary elements is too much manual work, there’s a need to streamline the process with a TPRM tool

This is where Cyber Sierra comes in: 

 

streamline the process with a TPRM tool.

 

As shown above, our interoperable cybersecurity platform integrates NIST and ISO TPRM frameworks into easy-to-use templates for streamlined implementation. 

 

How to Streamline Third-Party Risk Management Framework Implementation

Effective implementation of an enterprise TPRM framework must have all elements illustrated above. Specifically, it must include components for ongoing risk assessment, due diligence, contractual agreements, incidence response, and continuous monitoring. 

Here’s how Cyber Sierra automates the critical ones. 

 

Risk Assessment

This element of a TPRM framework focuses on assessing risks associated with potential third-party vendors. It involves using security questionnaires to evaluate vendors’ security practices, reputation, financial stability, and others. 

But there’s a caveat. 

Assessee tier (basic or advanced) and possible threats to deal with often depends on a vendor type and their geographic location. To this end, Cyber Sierra enforces security teams to choose a vendor type, geographic location, and if an advanced assessment is needed when initiating each third-party risk assessment flow: 

 

Risk Assessment

 

Due Diligence

A study by the Ponemon Institute revealed why due diligence is a core component of an effective-implemented TPRM framework. 

They found that: 

 

why due diligence is a core component of an effective-implemented TPRM framework

 

In other words, don’t expect 3rd parties to be honest about responses to risk assessments on their threat profiles. Instead, use a TPRM platform like Cyber Sierra to auto-verify and automate due diligence on evidence uploaded for each security assessment question: 

 

 

Contractual Agreements

This component of implementing a TPRM framework requires working with trained legal and compliance professionals. Such expertise is needed for designing custom contractual agreements that effectively outline each 3rd party’s security obligations, requirements, and expectations relative to risk management. 

 

Incidence Response

How will your security team respond to cyber risks and security threats that emerge from vendors in your supply chain network? 

This element of an implemented TPRM framework addresses that crucial question. It involves establishing proactive measures for remediating data threats and cyber risks arising from 3rd party vendors in your entire supply chain network. 

But to respond to incidents, your security teams must first identify them before they lead to a data breach. This requires proper implementation of the fifth element of a TPRM framework. 

 

Continuous Monitoring

This element of a TPRM framework entails: 

  • Monitoring third-party security controls based on implemented risk management, governance, and compliance policies.
  • Verifying third-parties’ uploaded evidence of meeting their obligation of having required risk management controls.
  • Identifying and flagging vendors in your supply chain network without that fail to meet data security requirements. 

Cyber Sierra streamlines these gruesome processes for vendors and organizations. First, our platform enforces ongoing third-party risk monitoring by auto-verifying 3rd parties’ uploaded evidence of having required security controls. 

You can enforce this by asking vendors managed with the Cyber Sierra platform to click on “Get Verified,” say, monthly: 

assessment questions

 

On your team’s dashboard view, our platform automatically verifies vendors’ uploaded evidence of having mandated security controls. 

It also flags evidence that fails verification and your team can work with vendors to resolve them on the same pane:

Assessment Request

 

Implement TPRM Frameworks In One Place

As demonstrated in the steps above, you can implement critical elements of an enterprise vendor risk management program with Cyber Sierra. More importantly, our platform lets you choose between the NIST or ISO TPRM frameworks: 

 

streamline the process with a TPRM tool.

 

This means whichever recommended framework makes more sense for assessing and managing third-party vendor risks in your supply chain, you can do it with our platform without jumping loops. 

You can even use both for specific vendors. 

illustration background

Choose (and Implement) Recommended Enterprise TPRM Framework In One Place

Book a free demo to see how Cyber Sierra easily streamlines TPRM Programs for enterprise organizations.

card image
  • Third Party Risk Management
  • CISOs
  • CTOs
  • Cybersecurity Enthusiasts
  • Enterprise Leaders
  • Startup Founders
Pramodh Rai

Meet Pramodh Rai, a technology aficionado and Cyber Sierra's co-founder, whose zest for innovation is fuelled by a cupboard stacked with zero-sugar Redbull. With a nimble footwork through the tech tulips across Asia Pacific, he's donned hats at Hmlet (the proptech kind) and Funding Societies | Modalku, building high-performing teams and technologies. A Barclays prodigy with dual degrees from Nanyang Technological University, Pramodh is a treasure trove of wisdom, dad jokes, and everything product/tech. He's the Sherpa in sneakers you need.

A weekly newsletter sharing actionable tips for CTOs & CISOs to secure their software.


Thank you for subscribing!

Please check your email to confirm your email address.

Find out how we can assist you in
completing your compliance journey.

blog-hero-background-image
Third Party Risk Management

Experts Weigh In: How Top Organizations Are Tackling Third-party Risk Management in the Digital Age

backdrop
Table of Contents

Join thousands of professionals and get the latest insight on Compliance & Cybersecurity.


In the digital age, third-party risk management has become a critical concern for organizations. Top companies are taking proactive measures to protect themselves from potential cyber attacks and data breaches caused by their vendors and partners.

To tackle this issue, they are adopting several best practices, including getting cyber insurance to mitigate financial losses, ensuring compliance certifications of their third-party vendors, vendor due diligence, and periodic risk assessments to strengthen their security posture. These measures help organizations to minimize their exposure to cyber threats and ensure the integrity and confidentiality of their data.

We asked business heads how they tackle third-party risk management when they work with vendors, and here are the top three answers! 

  • Get Cyber Insurance
  • ISO 27001, SOC 2, and PCI DSS
  • Implementation of Two-factor Authentication Policies

Read on to know more on why they believe these to be an effective way to tackle third-party risks.

TPRM feature image

Get Cyber Insurance

Cybercriminals often target third-party vendors because they don’t have the same level of security as the company they work for. A good indicator of whether a vendor has adequate cybersecurity is whether they have signed up for a cyber insurance policy.

Matthew Ramirez
CEO, Rephrasely
quote_by

“When you work with third-party vendors, it’s essential that they have a solid cybersecurity program in place. Cybercriminals often target third-party vendors because they don’t have the same level of security as the company they work for. A good indicator of whether a vendor has adequate cybersecurity is whether they have signed up for a cyber insurance policy. This shows that they have taken steps to protect themselves from any financial fallout from a data breach.”

Matthew Ramirez, CEO, Rephrasely

Look for Compliance Certifications

By assessing vendors against these security frameworks, businesses can gain assurance that the vendor has implemented appropriate security controls and processes to protect against cybersecurity risks.

Brad Cummins
Founder, Insurance Geek
quote_by

When working with vendors, one critical cybersecurity marker to look for is their compliance with industry-standard security frameworks and certifications, such as ISO 27001, SOC 2, and PCI DSS. These frameworks provide a comprehensive set of security controls and best practices that vendors can deploy to ensure the security and privacy of their systems and data.

By assessing vendors against these security frameworks, businesses can gain assurance that the vendor has implemented appropriate security controls and processes to protect against cybersecurity risks. Additionally, compliance with these frameworks can be used to establish security and privacy requirements in contracts and service-level agreements (SLAs). It is important to note that compliance with security frameworks does not guarantee complete security; it demonstrates that the vendor has taken steps to protect their systems and data.

Brad Cummins, Founder, Insurance Geek

Implementation of Two-factor Authentication Policies

Implementing the 2FA process makes life harder for hackers, preventing passwords from being stolen or guessed.

Jose Gomez
CTO and Founder, Evinex
quote_by

Two-factor authentication (2FA) adds extra layers of complexity and security to the login process by going a step beyond simply entering usernames and passwords. Rather, two-factor identification requires an additional PIN code, token, or fingerprint to verify our identity.

This process makes life harder for hackers, essentially preventing situations where passwords may be stolen or guessed. It significantly reduces the chances of someone outside our organization gaining unauthorized access.

Jose Gomez, CTO and Founder, Evinex

  • Third Party Risk Management
  • CTOs
  • Enterprise Leaders
  • Startup Founders
Srividhya Karthik

Srividhya Karthik is a seasoned content marketer and the Head of Marketing at Cyber Sierra. With a firm belief in the power of storytelling, she brings years of experience to create engaging narratives that captivate audiences. She also brings valuable insights from her work in the field of cybersecurity and compliance, possessing a deep understanding of the challenges and pain points faced by customers in these domains.

Find out how we can assist you in completing your compliance journey.

toaster icon

Thank you for reaching out to us!

We will get back to you soon.