Shared Assessments LLC, the member-driven leader in third party risk assurance, today released, “A Unified Third Party Continuous Monitoring Cybersecurity Taxonomy,” a standard set of definitions for cyber events and monitoring surfaces. The Taxonomy is bolstered as a de facto industry standard by its definition and adoption by a “team of rivals” in the third party risk management (TPRM) solutions industry, including BitSight, Black Kite, Panorays, RiskRecon and SecurityScorecard. A launch webinar for the Taxonomy will be conducted on March 2, 2022, at 11 a.m. ET.
Shared Assessments led the creation of the Taxonomy to meet the industry-wide need for shared definitions for cyber events and monitoring surfaces across security ratings services (SRS), outsourcers, and third party organizations. The Taxonomy establishes consistent language, practices, and reporting structures for complex cyber events and vulnerabilities. This consistency helps remove the potential for perilous ambiguities that can result in miscommunications that adversely impact an organization’s control assessment efficiency and cybersecurity hygiene. Large organizations may have as many as 40,000 suppliers, and establishing a common set of definitions is foundational to identifying and addressing potential risks.
“Over the last several years, we have observed increasingly severe consequences for firms that are not sufficiently focused on third party risk management. One critical example is the sharp escalation of increasingly aggressive ransomware attacks across multiple industries,” said Andrew Moyad, CEO, Shared Assessments.
To help address these risks, Shared Assessments has worked with many of its member firms to develop a unified cybersecurity taxonomy, with the goal of easing the broad adoption of continuous cyber monitoring services by more companies. Such services help counter these risks, and many of its member firms either offer or have adopted them.
“A consistent lingua franca among risk professionals has never been more important, and the rapidly evolving threat environment and escalating regulatory scrutiny make coalescing around a shared taxonomy all the more urgent. The broad and increasing adoption we’re seeing among major continuous monitoring cyber risk suppliers is a validation of our efforts, representing the latest example of our thought leadership and the added value Shared Assessments provides to our members and their industries,” stated Moyad.
Continuous monitoring is a risk management approach designed to allow an outsourcing organization to maintain an uninterrupted view of a third party’s (a vendor’s, a service provider’s) control posture, often in real time. The Taxonomy enables the organization to:
- Better understand how events monitored by SRS align with the outsourcer’s control requirements, and vice versa.
- Compare the services offered by several SRS providers.
- More easily communicate any issues identified by the SRS and develop mitigation approaches to correct them.
- Clearly communicate across the third party risk management ecosystem and help boards and leadership teams evaluate cyber threats to the business, and align appropriate resources.
The lack of a consistent taxonomy has, until now, posed problems for third parties and SRSs, as well as for outsourcer organizations.
Broad Support Among Cybersecurity and Third Party Risk Management Solutions Providers
Evan Tegethoff, Vice President of Solutions Consulting, BitSight, said: “More precise and transparent communications enabled by the Taxonomy answer to a constantly changing world with increasing threats and volume of vendors. As a common language and framework, the Taxonomy will advance continuous monitoring as a practice for the risk management field.”
“Continuous monitoring cybersecurity taxonomy brings together the collective understandings of cybersecurity monitoring solution providers, outsourcers and third party service providers. Parallel tools and views coalesce into a complementary source for risk quantification,” said Demi Ben-Ari, Co-founder & CTO, Panorays.
“The creation of a unified taxonomy of continuous monitoring cybersecurity terms represents a tremendous lift to the security ratings space in which SecurityScorecard is deeply invested, engaged and trusted by our customers,” according to Sam Kassoumeh, COO and Co-founder of SecurityScorecard. “We have been actively involved in this working group since 2019 because standards and frameworks play an important role in helping boards of directors and other senior executives deliver on their mandate of modernizing cybersecurity governance.”
Candan Bolukbas, CTO and Co-founder, Black Kite, said: “The Taxonomy solves an important problem. It is a good way for us to align checks and balances and enable buyers to make comparisons. We need to have a common ground to discuss market needs in order to reduce the customer learning curve.”
Overview: The Unified Third Party Continuous Monitoring Cybersecurity Taxonomy
Adopting the common language, definitions and structure that the Taxonomy offers will greatly benefit organizational cybersecurity and bring new precision to risk management in several ways including:
- Enhanced responses to risk mitigation: Clearer communication around risk terminology supports establishing monitoring techniques that can more precisely align risk monitoring indicators to an organization’s unique control requirements.
- Increased ability to share relevant information: Consistent language can help outsourcers leverage and communicate internally and externally about their continuous monitoring processes, issues identified, mitigation approaches taken and value to the business.
- Better understanding of cybersecurity monitoring services: Clearer insight into what is and isn’t being monitored when evaluating and purchasing an SRS solution will help organizations identify and compensate for potential gaps, and improve the alignment of practices with risks.
This shared language and understanding further benefits the risk and security communities in many ways. The common understanding that such a shared framework and definitions promote also provides a foundation for continuous innovation because it allows for easier identification of areas of risk that aren’t currently subject to effective continuous monitoring.
Among key definitions in The Unified Third Party Continuous Monitoring Cybersecurity Taxonomy are the following:
- Monitoring Surface: Cataloging of technical or organizational characteristics that help identify the presence of other events or states, such as domain names, Internet Service Providers, email service providers, and IP addresses, to help stakeholders better understand how SRS providers identify events. This category includes definitions for fingerprint values and attack surface variables such as those associated with assets that can be used to understand the scope, strengths and weaknesses of an organization’s business and technical environment. Surface variables can determine whether a control or vulnerability does or does not exist.
- Events: Actual cybersecurity vulnerabilities indicating a lack of a control that a monitored organization may be exposed to. Domains and categories include:
  - Business Intelligence: the range of categories such as reputational exposure, business metric changes, security incidents and other events.
  - Indicators of Compromise, including active and passive signals.
  - Vulnerabilities: Defining the full constellation of areas of potential risk across the spectrum of cyber elements such as DNS, email, web applications, remote access, practices, network services, client applications, and network and cloud security.
The Continuous Monitoring Cybersecurity Taxonomy is the most recent result of a two-phase cooperative project led by the Shared Assessments Continuous Monitoring Working Group, which galvanized practitioners from over 55 member organizations, including major outsourcers as well as continuous monitoring SRS solution providers.
Its previous work, “Creating a Unified Continuous Monitoring Cybersecurity Taxonomy: Gaining Ground by Saying What’s What,” was the first phase in that effort. Issued in 2019, it first brought together the unprecedented community of continuous monitoring (CM) service providers and third party risk experts behind the Unified Third Party Continuous Monitoring Cybersecurity Taxonomy, and was the first such effort to establish standardized commonalities and terms to benefit the global risk management and cybersecurity communities.
“This invaluable resource provides all risk management stakeholders with a common language that increases the effectiveness of their organization’s control assessments, enables more agile continuous monitoring processes, enhances risk mitigation responses, and perhaps most importantly, improves their ability to share relevant information and better understand their cybersecurity monitoring needs, services and potential control weaknesses,” said Charlie Miller, Senior Advisor, Shared Assessments.