The security landscape has undergone a significant shift in recent years, with third-party risk emerging as a critical concern for organizations of all sizes. As businesses rely more heavily on external vendors and service providers, the attack surface has expanded considerably, making it harder to maintain control over the security of these third-party relationships.
In a webcast sponsored by Dataminr, Adrian Sanabria, host of the Enterprise Security Weekly podcast, and Jack Carraway, Field CISO at Dataminr, delved into the challenges of managing third-party risk and explored how organizations can leverage AI and public data to gain better control over this growing threat.
Carraway highlighted the staggering statistics surrounding third-party risk, noting that despite a substantial increase in time and resources dedicated to the problem, incidents have continued to rise, with 87% of organizations experiencing a third-party risk issue in the past year.
The damages from these incidents can reach up to $1 billion per incident, underscoring the critical nature of this challenge. One of the key factors contributing to the rise in third-party risk is the increasing reliance on cloud-based services, SaaS applications, and open-source code, which can make it difficult to maintain visibility and control over the security posture of these external entities.
Attackers have also recognized the value of targeting third parties, as a successful breach of a single vendor can provide access to multiple downstream organizations, amplifying the impact of the attack.
Carraway emphasized the limitations of traditional risk management practices when applied to third parties, as organizations often lack the direct oversight and visibility into the security measures implemented by their vendors.
This has led to a growing need for alternative approaches, such as leveraging public data to continuously monitor the security posture of third parties. By tapping into publicly available information, organizations can detect vulnerabilities, exploits, and data breaches affecting their third-party providers earlier than vendor notification alone would allow. That early warning lets them take proactive measures to limit the impact, such as isolating affected networks, initiating backup plans, and anticipating potential DDoS attacks.
The webcast also highlighted the role of AI in enhancing third-party risk management. By employing generative AI models, organizations can generate meaningful summaries and updates as security situations develop, providing a more comprehensive understanding of the evolving threat landscape.
Additionally, the use of predictive AI can help organizations anticipate and respond to emerging risks more effectively. Carraway emphasized the importance of selecting AI solutions that are domain-specific and solve concrete problems, rather than relying on abstract promises of efficiency.
Reliability and transparency are key factors in evaluating AI-powered tools, as organizations need to trust the insights and recommendations provided by these systems. The discussion also touched on best practices for implementing third-party risk management programs, including mapping third-party relationships, identifying critical assets, and conducting initial assessments.
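The monitoring approach described above (watching public advisories for the vendors you depend on) and the mapping step (which internal assets rely on which vendor) come together in a simple triage routine. The following is an added example, not code from the webcast or from Dataminr: it matches a constructed advisory feed against a constructed vendor inventory, weights each hit by the criticality of the internal assets that depend on the vendor, and sorts the result so the most urgent third-party exposure is reviewed first. Vendor names, asset names, advisories, and the scoring weights are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of a third-party inventory: each vendor lists the product
# names it is known by in public advisories, and the internal assets that
# depend on it with an assigned criticality (assumed values, not real data).
@dataclass
class Vendor:
    name: str
    products: List[str]
    dependent_assets: Dict[str, str]  # asset name -> "high" | "medium" | "low"

# Constructed model of one record from a public advisory or breach feed.
@dataclass
class Advisory:
    source: str
    product: str
    summary: str
    exploited: bool = False  # public reporting says it is exploited in the wild

# Assumed weights; tune to the organization's own asset classification.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
EXPLOITED_MULTIPLIER = 2


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so feed and inventory names compare."""
    return " ".join(name.lower().split())


def triage(vendors: List[Vendor], advisories: List[Advisory]) -> List[dict]:
    """Return advisories that touch a known vendor, scored and sorted by urgency."""
    alerts = []
    for adv in advisories:
        key = normalize(adv.product)
        for vendor in vendors:
            if key not in {normalize(p) for p in vendor.products}:
                continue
            # Exposure score: sum of dependent-asset criticality, doubled when
            # the issue is already being exploited.
            score = sum(CRITICALITY_WEIGHT[c] for c in vendor.dependent_assets.values())
            if adv.exploited:
                score *= EXPLOITED_MULTIPLIER
            has_high = "high" in vendor.dependent_assets.values()
            action = ("escalate to incident response; review isolation and backup plans"
                      if adv.exploited and has_high
                      else "track vendor patch status and request confirmation")
            alerts.append({
                "vendor": vendor.name,
                "source": adv.source,
                "summary": adv.summary,
                "affected_assets": sorted(vendor.dependent_assets),
                "score": score,
                "action": action,
            })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample inventory and feed records.
SAMPLE_VENDORS = [
    Vendor("Acme Payroll", ["Acme Payroll SaaS"],
           {"hr-portal": "high", "finance-db": "high"}),
    Vendor("Example CDN", ["Example CDN Edge"],
           {"public-website": "medium"}),
]
SAMPLE_ADVISORIES = [
    Advisory("constructed-feed", "Acme Payroll SaaS",
             "authentication bypass in tenant API", exploited=True),
    Advisory("constructed-feed", "example cdn  edge",
             "cache poisoning fix released", exploited=False),
    Advisory("constructed-feed", "Unrelated Widget", "memory leak", exploited=False),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_VENDORS, SAMPLE_ADVISORIES):
        print(f"[{alert['score']:>2}] {alert['vendor']}: {alert['summary']} -> {alert['action']}")
```

The name matching is deliberately simple; in practice the inventory would carry the identifiers the feed actually uses (product identifiers, domains, or package names) rather than free-text names, and the score would feed a ticketing or SOAR workflow rather than a print loop.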
Carraway stressed the importance of clear contractual requirements, regular security audits, and incident response planning to ensure the resilience of these external partnerships.
As the webcast concluded, Sanabria and Carraway underscored the need for a multi-disciplinary approach to third-party risk management, encompassing compliance, regulatory, and reputational risks, in addition to the cybersecurity aspects.
By leveraging AI and public data, organizations can gain a more comprehensive understanding of their third-party ecosystem and take proactive steps to mitigate the growing threat of third-party risk.