Read the book Cybersecurity and Third-Party Risk - Gregory C. Rasner - Page 22

Cybersecurity Third‐Party Risk as a Force Multiplier

Military science uses the term force multiplier, which refers to a combination of circumstances that gives personnel the ability to amplify their normal capabilities to achieve greater goals. In modern times, the Global Positioning System (GPS) has been a force multiplier, as it enabled more personnel to be moved at a faster pace due to the capabilities added by the technology. In the U.S. Special Forces, a lot of time is spent on creating and training local fighter forces as a form of force multiplier. The small force of a 12‐man unit can go out and lead a unit of 100–200 local fighters. The force multiplier here is the U.S. Special Forces troops growing in strength from 12 to 200. A cybersecurity team, partnering with TPRM, can be a force multiplier to strengthen the risk management of third parties.

The cybersecurity field is complex and full of certifications, specialties, technical details, and domains. This complexity can be simplified for a TPRM team when a specialized team of cybersecurity professionals is able to apply an active threat-hunting mentality to third parties. The whole TPRM and business risk teams do not have to be experts in information security, but they can use the force multiplier effect of a few good cybersecurity special forces. These special forces are trained to monitor security controls at vendors, to ensure that enemy forces are reined in by contractual obligations, to constantly watch for new threats, and to partner with vendors to train their local forces to better fight the enemy directly. The collaboration and teamwork between the cyber and TPRM professionals, who continually share and update reference documents, multiplies the strengths of both teams.

TPRM must grow its strength in cybersecurity. Cybersecurity must increase its own research, resources, and results on third‐party risk. For those in business and cybersecurity as well as TPRM, this is an opportunity to exponentially grow cybersecurity across industries. If the TPRM process grew its cybersecurity with a force multiplier approach, and cybersecurity research and resources were focused more on third‐party risk, we would more broadly adopt what is required: a rethink of cybersecurity and third‐party risk. This adoption would include a practice around vendor risk management that places cybersecurity at the forefront, and a cybersecurity team that uses the same resources as cyber operations threat analysts.

The earlier statistic, that the average company is connected with 600 vendors with PII, becomes the exponential part. As more companies adopt a cybersecurity and third‐party risk approach and are able to partner with these vendors, across multiple industries, we get real security change across all the third parties. It's a simple math equation: It becomes a multiplier for better corporate information security across the globe.