TPRM in a Post-CrowdStrike World
8-5-2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, August 5, 2024, and we’re back from a couple of weeks on the road with clients. Now that the dust around the Great CrowdStrike Event of 2024 has settled some, I think it’s worth taking a little step back and looking at the larger lessons available to us here.
TPRM in a Post-CrowdStrike World
It seems like Delta and CrowdStrike are looking to settle their score in public - with both attorneys and CEOs making statements in papers and websites left and right. I’m not going to settle that score, but it is interesting to see Secretary of Transportation Pete Buttigieg weighing in on their ongoing investigation.
What’s really interesting here, though, is the friction between the issue and the impact. That’s really the core of third-party risk management (TPRM) - it seems like it’s about the third parties, but it’s actually about protecting your own business’ ability to operate in a contingency situation.
Which, clearly, Delta failed to do and is now trying to recoup damages by other means.
The key to building a good TPRM program, which is so often overlooked, is that it has to start with a fundamental understanding of how third parties support your business operations from a holistic perspective - in this case, encompassing Confidentiality, Integrity, and Availability.
Can you trust them to keep your data safe?
Can you trust the data you give or receive from them?
And can you get that data or service when you need to?
It’s this last pillar of the triad - availability - that’s so often overlooked. We spend a lot of time worrying about data loss, especially in the ransomware context - but that’s because attackers are leveraging a regulatory framework against their victims. Remember, the original ransomware was an availability attack, and to some extent an integrity play. Attackers wouldn’t steal the data, they’d just lock up the machines and ask for the ransom to unlock it.
Turns out that, between backups and the fact that encrypted data isn’t a “reportable” breach, the sense of urgency to pay wasn’t there. As a result, attackers started exfiltrating the data first, and then encrypting or deleting it after they’d already had it. You can have backups that keep you operational, but a reportable breach is really where the leverage is - and where defenders’ attention naturally focused.
In some ways, I’m glad to see that the “Availability” pillar is going to be getting some attention again. In working with clients around the NIST Cybersecurity Framework, I’ve always found these areas were glossed over - things like true contingency planning, understanding your supply chain (and how you fit into others), ensuring that third parties are appropriately incorporated into response and recovery planning. It’s not like these ideas are new, but there were often other, higher priority items that needed to be addressed.
Now, however, these areas are going to get more attention. As you look to address these issues in your own organizations, I would offer the following pieces of general advice:
First Things First. This process must start with an understanding of your business, and then the impacts of third-party issues around Confidentiality, Integrity, and Availability.
Bite Sized Chunks. Use criticality (likelihood x impact) as a way to gauge who your critical third parties should be for this exercise.
Reasonable Requests. You can add contractual obligations all day long, but the truth is that most vendors will sign whatever they need to in order to close a deal. You can do audits, too - but what of your findings? Are you going to drive remediation in their organization? Pay for it? Run it? Unlikely. Instead, focus on things that are reasonable for your vendors - including notification periods if an incident does occur. The rest of the risk mitigation steps need to be on your side - whether that’s building resilient processes, sourcing alternative vendors, or ensuring that a critical process utilizes multiple vendors to avoid a single point of failure.
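The three steps above (map third parties to business operations across C/I/A, score criticality as likelihood x impact, and avoid single points of failure) can be sketched as a small model. The following is an added example written for this post, not code from Intentional Cybersecurity or from the newsletter; the vendor names, scores, threshold and process-to-vendor mappings are constructed sample data, not real assessments.

```python
"""Added example: rank third parties by criticality (likelihood x impact,
scored across Confidentiality, Integrity and Availability) and flag
business processes that depend on a single critical vendor.
All names, scores and mappings below are constructed sample data."""

from dataclasses import dataclass, field

PILLARS = ("confidentiality", "integrity", "availability")


@dataclass
class Vendor:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected): chance of a disruptive incident
    impact: dict           # per-pillar impact on OUR operations, 1 (negligible) .. 5 (severe)

    def criticality(self) -> int:
        # The worst pillar drives the score, so an availability-only outage
        # (the CrowdStrike pattern) is not diluted by low C or I scores.
        return self.likelihood * max(self.impact[p] for p in PILLARS)


@dataclass
class Process:
    name: str
    # Vendors that can each fully serve this process (alternatives, not co-dependencies).
    vendors: list = field(default_factory=list)


def rank_vendors(vendors):
    """Return [(name, criticality)] sorted highest first, ties broken by name."""
    return sorted(((v.name, v.criticality()) for v in vendors),
                  key=lambda pair: (-pair[1], pair[0]))


def critical_vendors(vendors, threshold):
    """Names (sorted) of vendors at or above the criticality threshold."""
    return sorted(v.name for v in vendors if v.criticality() >= threshold)


def single_points_of_failure(processes, vendors, threshold):
    """Processes served by exactly one vendor where that vendor is critical.
    These are the places where the mitigation has to be on our side:
    a resilient fallback process or a second, independently sourced vendor."""
    critical = set(critical_vendors(vendors, threshold))
    return [(p.name, p.vendors[0]) for p in processes
            if len(p.vendors) == 1 and p.vendors[0] in critical]


# Constructed sample data (hypothetical vendors and processes).
SAMPLE_VENDORS = [
    Vendor("EndpointSec Co",   3, {"confidentiality": 2, "integrity": 3, "availability": 5}),
    Vendor("Payroll SaaS",     2, {"confidentiality": 4, "integrity": 3, "availability": 2}),
    Vendor("Cloud Host",       2, {"confidentiality": 3, "integrity": 3, "availability": 5}),
    Vendor("Secondary Host",   2, {"confidentiality": 3, "integrity": 3, "availability": 3}),
    Vendor("Backup Provider",  2, {"confidentiality": 5, "integrity": 4, "availability": 4}),
    Vendor("Office Supplies",  4, {"confidentiality": 1, "integrity": 1, "availability": 1}),
]

SAMPLE_PROCESSES = [
    Process("Crew scheduling", ["EndpointSec Co"]),
    Process("Customer portal", ["Cloud Host", "Secondary Host"]),
    Process("Payroll",         ["Payroll SaaS"]),
    Process("Data recovery",   ["Backup Provider"]),
]

CRITICALITY_THRESHOLD = 10  # constructed cut-off; set it with the business, not alone


if __name__ == "__main__":
    for name, score in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:<16} criticality={score}")
    print("critical:", critical_vendors(SAMPLE_VENDORS, CRITICALITY_THRESHOLD))
    print("single points of failure:",
          single_points_of_failure(SAMPLE_PROCESSES, SAMPLE_VENDORS, CRITICALITY_THRESHOLD))
```

The design choice worth noting is that a process lists alternatives, not co-dependencies: a process with two vendors that both must be up is still a single point of failure twice over, so model such cases as one vendor each. Scores like these are inputs to a business decision about acceptable risk, not the decision itself.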
It can be difficult and frustrating to try to balance the interests of your vendors, partners, and suppliers against your own cybersecurity goals and requirements. Instead, focus on the risks, their impact on your organization, and managing them down to a level that’s ultimately acceptable to the business. This isn’t a decision that’s going to be made by the security team alone - in fact, you’re likely not going to make any decisions, but rather present the options, help weigh and interpret the risk and implications, and then put the decision into play.
Fundraising
From a fundraising perspective, another relatively light week, with only $7.8B in newly committed capital, following another light week last week - coming in a billion light at $6.8B. Typical summer slump, perhaps. I’d expect the trend to continue through the month and things to pick up after Labor Day. Cyclical, indeed.
The Financial Times notes that the big players - Ares, Apollo, Blackstone, and KKR - are poised to deploy $160B to increase buyout-linked investments.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.ft.com/content/a2c22d6d-aa52-47d5-8415-542027ee33e5