Businesses increasingly rely on third-party vendors, but something you won’t find on the marketing banners is how this introduces new cybersecurity vulnerabilities.
Traditional security ratings services (SRS) identify these risks — but the customer bears the burden of fixing them, which can create alert fatigue.
Former Morgan Stanley COO and current BlueVoyant CEO Jim Rosenthal challenges this approach. In an interview with Techopedia, he argues for a more proactive approach to vendor risk management (VRM).
How do you prioritize genuine threats without being overwhelmed by, or growing indifferent to, an alert every five minutes? That’s today’s topic.
About Jim Rosenthal
Rosenthal was Morgan Stanley’s Chief Operating Officer until 2017, when he co-founded BlueVoyant, a cyber defense platform, where he serves as CEO.
At Morgan Stanley, he was responsible to the CEO and the Board of Directors for cybersecurity, and was the recipient of the 2017 Critical Infrastructure Protection Award from the Financial Services Information Sharing and Analysis Center.
He is the co-chairman of Sheltered Harbor, a consortium of major banks, securities firms, industry associations, and technology service providers that aims to preserve systemic confidence in the event of a cyberattack.
He is the past Chairman of the Securities Industry and Financial Markets Association and chaired its Cybersecurity Committee from 2014 to 2017.
Prior to Morgan Stanley, Jim was a senior partner at McKinsey & Company and then CFO of Tishman Speyer Properties.
Key Takeaways
- Businesses increasingly rely on third-party vendors, introducing new cybersecurity vulnerabilities.
- Traditional security ratings services (SRS) alert customers to risks, but fixing them can cause alert fatigue.
- Jim Rosenthal calls for a proactive approach to vendor risk management (VRM) over traditional methods.
- AI and machine learning can transform third-party risk management by rapidly assessing vulnerabilities.
- A well-defended vendor ecosystem enhances operational efficiency and reduces the risk of disruptions.
Redefining Cyber Risk: The Power of Remediation
Q: How is a remediation-focused approach to third-party risk management changing the cybersecurity climate, and what are its long-term implications for businesses?
A: Third-party vulnerability is a critical attack vector, particularly against well-defended companies. Cyber attackers often bypass good defenses by targeting suppliers and moving upstream.
Criminals scan externally for critical vulnerabilities that are easily compromised, enter the third party, and then go upstream to the client. With artificial intelligence and machine learning, bad actors now have the capability to do this at scale, increasing successful vendor attacks on clients.
The goal is simple: if there’s an external-facing critical vulnerability, the client needs to cure it before an adversary discovers and exploits it. This creates a race when a critical vulnerability appears.
On average, 2-4 new critical zero-day software vulnerabilities emerge monthly, affecting existing software installations. In a supply chain with thousands of suppliers, it’s highly likely that each of these critical zero-days will affect some suppliers.
Both adversaries and defensive firms scan for these vulnerabilities, and the race is usually about identifying and fixing them before they can be exploited.
Aligning Security with Business Goals
Q: In what ways does prioritizing remediation over traditional security ratings help organizations better align their cybersecurity efforts with their overall business objectives?
A: Prioritizing remediation over traditional security ratings helps businesses address critical cybersecurity vulnerabilities more effectively.
Studies show that for a typical new zero-day critical vulnerability affecting a group of 100 or 1000 vendors, less than 10% will patch within 10 days without assistance, and only about a third will patch within 90 days.
This is often because the impacted vendor doesn’t know about the zero-day vulnerability or where it is in their software.
With remediation assistance, however, the effectiveness drastically improves. Organizations can reach out to affected vendors the same day a critical vulnerability is identified, providing exact details about the vulnerability, its location in their system, and the applicable patch or reconfiguration needed.
This approach enables 50% of vendors to remediate within 10 days and 100% within 90 days.
The significant improvement isn’t because third parties don’t want good cybersecurity but because it’s challenging to keep up with the 200 critical vulnerabilities emerging every week, especially with small cybersecurity staff and incomplete network knowledge.
How AI and Machine Learning are Transforming Risk Management
Q: How is AI transforming third-party risk management? Has it improved the accuracy and speed with which you identify and mitigate potential vulnerabilities in supply chains?
A: AI and machine learning now help us speed up the process of assessing new vulnerabilities. When a new zero-day vulnerability appears, it’s crucial to quickly determine its severity — whether it’s critical (8 to 10 on a 10-point scale) or minor and unlikely to lead to compromise.
Hundreds of new zero-days emerge every week, and artificial intelligence and machine learning are used to rapidly assess the severity of each one within an hour or two after it first appears.
This AI-driven approach allows for the evaluation of a couple hundred vulnerabilities every week, typically identifying one critical vulnerability in that time. If this assessment had to be done by humans, it would take weeks.
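The two mechanics described in the answers above, the severity cut-off (treat CVSS 8 to 10 as critical) and the remediation notice that tells a vendor exactly which host and software version is affected and what fixes it, together with the 10-day and 90-day windows used to measure how quickly vendors patch, can be shown in a small triage routine. The following is an added example written for this page; it is not BlueVoyant's code and does not reproduce its platform. The product names, hosts, CVE identifiers (placeholders, not real advisories), and the AI-free version matching are constructed assumptions; in practice the severity score and affected-version data would come from a vulnerability feed and the inventory from external scanning.

```python
"""Constructed example: match a vendor software inventory against a vulnerability
feed, keep only critical findings (CVSS >= 8.0), put external-facing assets first,
and build a remediation notice naming the host, the installed version and the fix.
Also measures the share of notices closed within an SLA window (10 or 90 days)."""

from dataclasses import dataclass
from datetime import date, timedelta

CRITICAL_CVSS = 8.0          # "critical (8 to 10 on a 10-point scale)"
SLA_WINDOWS_DAYS = (10, 90)  # the two windows quoted in the interview


def parse_version(text: str) -> tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49); tuples compare element-wise, so 2.4.49 < 2.4.50."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str                 # placeholder ids below; not real CVEs
    product: str
    fixed_in: tuple[int, ...]   # first version that is no longer affected
    cvss: float
    published: date


@dataclass(frozen=True)
class Asset:
    vendor: str
    host: str
    product: str
    version: tuple[int, ...]
    external_facing: bool       # from external scanning; drives priority


@dataclass(frozen=True)
class Notice:
    vendor: str
    host: str
    cve_id: str
    product: str
    installed: str
    fix: str
    external_facing: bool
    cvss: float
    sent_on: date

    def text(self) -> str:
        exposure = "internet-facing" if self.external_facing else "internal"
        return (f"[{self.vendor}] {self.cve_id} on {self.host} ({exposure}): "
                f"{self.product} {self.installed} is vulnerable, upgrade to {self.fix}")


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and asset.version < adv.fixed_in


def triage(assets, advisories, today: date) -> list[Notice]:
    """Critical findings only; external-facing first, then by CVSS descending."""
    notices = [
        Notice(a.vendor, a.host, adv.cve_id, a.product,
               ".".join(map(str, a.version)), ".".join(map(str, adv.fixed_in)),
               a.external_facing, adv.cvss, today)
        for adv in advisories if adv.cvss >= CRITICAL_CVSS
        for a in assets if is_affected(a, adv)
    ]
    notices.sort(key=lambda n: (not n.external_facing, -n.cvss, n.vendor))
    return notices


def patch_rate(notices, remediated_on: dict, window_days: int) -> float:
    """Fraction of notices closed within window_days of being sent.
    remediated_on maps (vendor, cve_id) -> closing date; missing = still open."""
    if not notices:
        return 0.0
    closed = sum(
        1 for n in notices
        if (n.vendor, n.cve_id) in remediated_on
        and (remediated_on[(n.vendor, n.cve_id)] - n.sent_on).days <= window_days
    )
    return closed / len(notices)


# Constructed sample data (hypothetical vendors, hosts, products and CVE ids).
TODAY = date(2024, 3, 1)
ADVISORIES = [
    Advisory("CVE-0000-0001", "acme-gateway", parse_version("2.4.50"), 9.8, TODAY),
    Advisory("CVE-0000-0002", "acme-gateway", parse_version("2.5.0"), 5.3, TODAY),  # below threshold
    Advisory("CVE-0000-0003", "widget-db", parse_version("11.2"), 8.1, TODAY),
]
ASSETS = [
    Asset("Vendor-A", "vpn.vendor-a.example", "acme-gateway", parse_version("2.4.49"), True),
    Asset("Vendor-B", "db1.vendor-b.internal", "widget-db", parse_version("11.1"), False),
    Asset("Vendor-C", "web.vendor-c.example", "acme-gateway", parse_version("2.4.50"), True),  # already fixed
]


def days_after(n: int) -> date:
    """Helper for building remediation dates relative to TODAY."""
    return TODAY + timedelta(days=n)


if __name__ == "__main__":
    for notice in triage(ASSETS, ADVISORIES, TODAY):
        print(notice.text())
```

With the sample data only two notices are produced: the internet-facing gateway at Vendor-A comes first, the internal database at Vendor-B second, and Vendor-C is skipped because it already runs the fixed version. Feeding the closing dates back into `patch_rate` gives the same kind of 10-day and 90-day figures the interview quotes, which is how a programme can tell whether its outreach is actually shortening the race described earlier.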
Balancing Comprehensive Risk Management with Vendor Ecosystem Efficiency
Q: How can companies balance the need for comprehensive third-party risk management with the operational necessity of maintaining a diverse and efficient vendor ecosystem?
A: Balancing third-party risk management with operational needs is a complex challenge. However, a two-part approach can help.
First, on the operational side, vendors typically prioritize their own internal defenses. When faced with limited cybersecurity resources, they naturally choose to protect their own internal network before focusing on external vendors. This creates an operational challenge in discovering and managing vendor risks.
Second, once a vendor ecosystem is established, companies can maintain its vibrancy while ensuring cybersecurity by employing external monitoring and periodic internal cyber maturity assessments using questionnaires and/or audits.
A cyber-protected vendor ecosystem is actually more vibrant than an unprotected one. Without proper protection, the chances of a vendor disruption affecting your operations are relatively high.
With a better-defended vendor ecosystem, the likelihood of your operations continuing smoothly is as good as those of the vendor.