Reinventing Third Party Cyber Risk: Lessons from the Ancient Maya
By Chris van Schijndel, Senior Director Cyber Risk Management, Kenvue
In ancient Mayan mythology Xibalba, the underworld, is a multi-layered city through which souls must pass, overcoming rivers of scorpions and all manner of toe-curling trials on their way to face judgement. The ancient Maya left offerings in caves and cenotes (believed to be entrances to Xibalba) to appease the gods and aid those passing beyond. This gauntlet of tests, the grave consequences of failure and the desire to exercise control over an unpredictable world, will doubtless all resonate with today’s cybersecurity professionals.
But the parallels extend further. Many current ‘best practices’ in cybersecurity risk have more in common with ancient rituals than practices rooted in measurable security outcomes. None more so than third-party cybersecurity risk assessment, a seven-billion-dollar industry[i].
The Risk Assessment Ritual
Typical third party cyber risk programs concentrate on triaging detailed risk assessment questionnaires, which often take weeks to complete and require significant resources (people and/or technology). These are commonly complemented by outside-in monitoring services and contract redlining, but program resource allocation is typically heavily skewed toward questionnaires.
The logic seems intuitive: third parties with poor cyber maturity are more likely to experience incidents; visibility to those third parties enables risk treatment. But does the data support that intuition, and are the security outcomes worth the investment? My team crunched the numbers to answer these questions. The insights have been transformative for our program.
We gathered detailed third party risk assessments (hundreds), outside-in monitoring scores and all our third-party security incidents covering a two-year period, then attempted to correlate cybersecurity maturity with instances of incidents. To our surprise, no correlation could be established. This was true both at the assessment summary level and when looking for correlation with specific controls.
Why might this be?
- Did our assessments ask the wrong questions? Our assessments aligned to industry frameworks, were benchmarked externally, and our process rated highly in independent assessments.
- Were responses from third parties incorrect? Undoubtedly a challenge; however, most organizations are not out to deceive. Lack of even weak correlation points to other conclusions.
- Was our sample size insufficient? In their recent book, Hubbard and Seiersen (2023) present arguments for the reliability of inferences drawn from as few as five random samples from a given data set[ii]. Our sample set was orders-of-magnitude larger.
Conclusion: The industry-typical approach has fundamental flaws. Given the vast complexity of organizational and technological supply chains and the nuance of assessing control design and operating effectiveness, perhaps the real surprise is that practitioners ever thought questionnaires, however detailed, could effectively measure risk in this sphere. Like cave-offerings to the gods, detailed third party risk assessments are a ritual; a soothing illusion of control in the face of opacity and peril.
Accepting this conclusion has an uncomfortable implication: a significant amount of the efforts of countless talented risk practitioners, and the seven billion dollars spent on software and services each year, is wasted. Yet, risk assessment remains necessary, not least for program defensibility and compliance. Outlined below is a strategy to meet those needs and provide better risk outcomes.
Call to Action
Should you still be unconvinced of the need for change, please accept this challenge: find conviction about the outcomes your current program delivers by gathering data and facts.
- Does your data prove your risk assessments are good predictors of third-party incidents?
- What percentage of your supplier decisions were influenced by your risk assessments?
- What percentage of risk assessments drove action that measurably mitigated risk?
- Is spending on risk assessment commensurate with the measurable security outcomes?
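The first question above is a statistical one, so here is the check in working form: an added example, not code from the original article, that computes the point-biserial correlation between supplier assessment scores and a 0/1 incident flag and estimates its significance with a label-shuffling permutation test. The supplier records are constructed for illustration; the function and variable names are this example's own.

```python
import math
import random
from typing import Sequence


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson r; when y is a 0/1 incident flag this is the point-biserial r."""
    n = len(x)
    if n != len(y) or n < 3:
        raise ValueError("need at least three paired observations")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0  # one series is constant: nothing to correlate
    return sxy / math.sqrt(sxx * syy)


def permutation_p_value(scores, incidents, n_perm=2000, seed=1) -> float:
    """Two-sided p-value for |r| under the null that incident labels are
    independent of maturity scores, estimated by shuffling the labels."""
    observed = abs(pearson(scores, incidents))
    rng = random.Random(seed)
    labels = list(incidents)
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(labels)
        if abs(pearson(scores, labels)) >= observed - 1e-12:
            hits += 1
    return (hits + 1) / (n_perm + 1)  # add-one correction avoids p == 0


def evaluate_predictor(scores, incidents, n_perm=2000, seed=1) -> dict:
    """Summarise whether assessment scores predict incidents at alpha = 0.05."""
    r = pearson(scores, incidents)
    p = permutation_p_value(scores, incidents, n_perm, seed)
    return {"r": r, "p": p, "predictive": p < 0.05}


# Constructed sample (not real supplier data): assessment score 0-100 and
# whether the supplier had a security incident in the review period.
CONSTRUCTED = [
    ("vendor-a", 35, 0), ("vendor-b", 92, 0), ("vendor-c", 60, 1),
    ("vendor-d", 78, 0), ("vendor-e", 45, 1), ("vendor-f", 81, 0),
    ("vendor-g", 55, 0), ("vendor-h", 70, 1), ("vendor-i", 88, 1),
    ("vendor-j", 50, 0),
]


def run_constructed() -> dict:
    scores = [s for _, s, _ in CONSTRUCTED]
    incidents = [i for _, _, i in CONSTRUCTED]
    return evaluate_predictor(scores, incidents)
```

Run on real program data, a high p-value with |r| near zero is the "no correlation" outcome the article describes; a low p-value with a clearly negative r would show that low maturity scores do track incidents.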
The Road Through Xibalba
The Mayan mythological text Popol Vuh describes how the ‘Hero Twins’, with courage and fresh thinking, ultimately defeated the Lords of Xibalba. Following that lead, an alternate third party risk strategy is proposed, one that frees up resources in risk assessment and re-balances them towards resilience and continuity:
- Focus on understanding third parties’ impact on your organization more than their likelihood of compromise. Place weight on what you can predict accurately.
- Don’t confuse precision with accuracy. Simplify assessments to focus on egregious gaps. Comparable assessment efficacy with better efficiency and at a higher scale is a win!
- Use machine learning for scale and efficiency. Good predictors of supplier impact may include level of spend, category of supplier and involvement in critical business processes.
- Shift the resources freed-up from risk assessment into building anti-fragility:
  - Pre-identify points of contact, decision rights, technical integrations, etc.
  - Build and test response and continuity plans, ideally jointly with key third parties.
Scarce cybersecurity resources must be prioritized based on outcomes backed by data, not on tradition and myth. The severity of the threat demands no less of cybersecurity leaders. Effective third-party risk outcomes are in every organization’s self-interest; there are better ways to face the trials of ‘cyber-Xibalba’.
[i] Grand View Research, Third-party Risk Management Market Size, Share & Trends Analysis Report (grandviewresearch.com, 2024)
[ii] Hubbard, Seiersen, How to Measure Anything in Cybersecurity Risk (Wiley, 2023)