How Cyber Security Raters and Other Vendors May Help You Diffuse Third-Party Cyber Risk

By: | August 5, 2020

John (Jack) Hampton was a Professor of Business at St. Peter’s University, a core faculty member at the International School of Management (Paris), and a Risk Insider at Risk and Insurance magazine where he was named a 2018 All Star. He was Executive Director of the Risk and Insurance Management Society (RIMS), dean of the schools of business at Seton Hall and Connecticut State universities, and provost of the College of Insurance and SUNY Maritime College in New York City.

Ah, just give me the facts.

“Personal computers will never replace large scale mainframe computers.”

Of course they won’t. Companies will not trust employees to download sensitive corporate data to local PC harddrives. Spreadsheets without passwords will never leave the window-less rooms of the data processing department.

The year was 1983.

“Cyber security will never be outsourced to third-party service providers.”

No need to do it. Organizations will build their own information technology units to deny access to outsiders who attempt to breach their cyber walls.

Of course they will. When troublemakers try to sneak through their system doorways, they will raise the drawbridge that crosses the cyber moat.

The year was 2008.

“To be truly secure, we need the world’s best cyber security team.” Each organization will build its own to handle attempted misbehavior.

The year is 2020.

These attitudes reflect an understanding of the past. Today, cyber security needs a fresh perspective.

The walls are tall at 30 feet. Only governments, criminal associations, and ultra-skilled individuals have 31-foot ladders.

When walls reach 33 feet, these players will develop the newly-improved 35-footer.

Protecting the walls is likely to be a forever project.

The doors in the cyber walls are something else. We open them today. We will always open them. That’s one of the nice things about a doorway. Only Santa Claus has to go down the chimney.

As we continue to open doors, true cyber security has to answer a simple question. “Who do authorized parties bring with them when we open the cyber door?”

Answering this question requires the CEO and board of trustees to ask, “How much will it cost for sufficient resources to identify and restrict potentially-compromised visitors?”

This would have been a daunting question in 1983 or 2008. The answer for many entities was, “Too much.”

Today, the answer may be, “Not so much.” Two parallel developments are occurring.

  • Cyber Security Raters. A growing cyber risk market is forming around companies that help you understand the exposure represented by suppliers, distributors, customers, and strangers who knock on the door. They rate the level of cyber risk posed by each party and alert you to parties that should be denied entry, or at least be frisked for a hidden weapon.
  • Microservice Architects. These companies help divide a single integrated computer system into discrete self-contained modules separated by their own secure internal doorways. When an organization restricts individuals who unleash a cyber loss, the whole system is not affected.

Think about what it means if an organization converts to a microservice architecture monitored by a cyber security rater. A person knocks on the cyber wall door triggering risk management responses:

  • Risk Identification. Who is it? What do they want?
  • Risk prevention. What is the visitor’s cyber score separately from our own knowledge? Do we open the door for people in this category? If yes, where do we allow them to go.
  • Risk mitigation. Even if they get in, visits are restricted to a single area.
  • Risk avoidance. If visitation is restricted, no harm is done in other areas.

Many organizations are likely to be evaluating cyber security ratings and microservice architecture in the near future.

Maybe not all. You can hear it now.

  • “We can’t afford to hire someone to give us cyber risk scores on our visitors.”
  • “We have to trust our suppliers and partners to stay in their authorized area.”
  • “Even though our system has legacy features that make us vulnerable, we can live with the exposures.”

These statements encourage a time check. Is it still 1983? Is it 2008? Is it 2020?

Or, if we don’t make changes, will it soon be too late? &

More from Risk & Insurance

More from Risk & Insurance