How continuous monitoring for third-party risk management helps your incident response


Security BSides San Francisco hosted a talk by Kasturi Puramwar on how to prepare for and respond to third-party security incidents. She made many insightful and practical recommendations, and you can watch her talk in full, since BSidesSF has made the video public on YouTube.
The foundations laid out in the talk raise a question: how do different approaches to Third-Party Cyber Risk Management (TPCRM) affect incident response scenarios?
With this question fresh in mind, we want to explore how continuous inside-out monitoring can help businesses respond to incidents that originated in their supply chain or that have an impact on their third parties. Before we do that, however, we need to review the basics.
Preparing for incidents
Trying to improvise a response to an incident while the event is ongoing will make things much more difficult. Planning is half the battle, if not more. This involves making plans for things like:
- Reporting: A channel should be in place to allow security teams to receive information on potential incidents from employees, threat intelligence systems, or even outside parties in some cases.
- Roles and responsibilities: If team members don't know what their role is, every action is going to be delayed. Time is precious, so this alone may be the difference between a minimal interruption and a major disruption. It's also critical to know who has the authority to make decisions in each scenario, and what kind of issues warrant immediate escalation.
- Communication: Many incidents will involve employees, clients, companies in your supply chain, or even the media. Templates and processes should aim to improve the clarity of your messaging and the availability of resources to support it.
- Recovery: Some incidents can be resolved with predetermined measures, such as rebuilding a system, while others require forensic analysis and additional steps to ensure that attackers are no longer present. Certain incidents will have a post-recovery phase, often due to legal reasons, but also to improve existing processes based on what was learned from the incident.
These are just the basics, but when we plan comprehensively for disasters, we end up with incident response playbooks appropriate to each business and event. Many companies have already built such processes, but their scope is usually limited to internal incidents.
As you factor in third-party threats and risks, you'll feel the need to adjust many aspects of your plans. For example, you may consider how a third party could reliably report incidents, or which people in your organization can make decisions about third-party integrations. The number of stakeholders in supply chain incidents tends to be higher, so more people may have to be involved to ensure that decision makers are well-informed during incidents.
In supply chain incidents, containment controls are essential. Implementing tools to isolate your network from a third party is just as important as knowing when such controls can be employed and who can decide to use them.
It's not much different if you are the third party. When is it reasonable for you to cut off service to one of your clients, and who can make that call? Do you have permission to do it based on your judgment, or should you consult with your clients first? These questions require you to have strategies in place to communicate effectively and quickly with your clients, and perhaps their clients as well. There have already been data leak incidents in which third parties reached out directly to their clients' customers, especially in the healthcare sector.
As explained by Puramwar in her talk, many of these decisions can and should be turned into contractual obligations to increase the chances that everything works as expected. We think it's also important to consider how such obligations affect third-party risk.
For instance, consider how NDAs affect a third party's (and their third parties') willingness and capacity to report incidents. Normally, you'd be able to communicate with everyone who is working on a project, but legal arrangements might prohibit third parties from doing so. If your organization believes that outsourced staff should be able to report incidents (of all kinds), this could be a very tough problem to solve. Failing that, it's best to seek other means that improve visibility into the ecosystem and make up for reporting deficiencies.
Continuous inside-out monitoring can help. Attackers usually tamper with two-factor authentication or other security controls, and the monitoring can flag this type of suspicious activity for investigation. This means that the data gathered by the monitoring tool can also spot incidents, complementing the threat intelligence tools suggested by Puramwar.
A TPCRM approach that improves visibility, communication, and transparency
Transparency, visibility, and cooperation are major challenges in third-party incidents. No matter how many legal obligations and agreements are in place, a third party can still be uncooperative during real incidents. This behavior isn't necessarily intentional — incidents tend to be chaotic, and companies caught unprepared can easily go into panic mode.
When businesses employ continuous inside-out monitoring as part of their TPCRM program, many of these challenges become routine. The process of using automation to probe a third party and verify that security controls are working as expected naturally leads to the discovery of many issues, which IT or cybersecurity teams then fix.
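As an added example that is not part of the original post (and not any monitoring vendor's code), the script below sketches the two things inside-out monitoring does in the passages above: verifying that the security controls agreed with a third party are still in their expected state, and flagging audit events in which two-factor authentication or logging was weakened. The baseline values, event types, the list of operators approved to change controls, and the sample snapshot and audit log are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): a minimal inside-out monitor.

Two checks run over data the third party exposes to the monitoring tool:
  1. drift  - compare a snapshot of control settings with the agreed baseline
  2. tamper - scan audit events for changes that weaken those controls
Control names, event types, operator names and all sample data are
assumptions constructed for this example, not any vendor's real format.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Control settings both organizations agreed on (assumed values).
BASELINE = {
    "mfa_required": True,                 # bool: reported value must match
    "audit_logging_enabled": True,
    "log_forwarding_enabled": True,
    "admin_session_timeout_minutes": 15,  # int: reported value may not exceed it
}

# Accounts approved to change security controls (assumed). Changes made by
# anyone else are escalated rather than silently accepted.
APPROVED_CHANGE_OPERATORS = {"it-admin"}

# Audit event types that weaken a control, mapped to the control they affect.
WEAKENING_EVENTS = {
    "mfa.disabled": "mfa_required",
    "mfa.policy_relaxed": "mfa_required",
    "audit.logging_disabled": "audit_logging_enabled",
    "audit.forwarding_disabled": "log_forwarding_enabled",
}


@dataclass(frozen=True)
class Finding:
    severity: str          # "critical" | "high" | "medium"
    control: str
    detail: str
    actor: Optional[str] = None
    ts: Optional[str] = None


def check_drift(snapshot: dict) -> list:
    """Compare reported control state with BASELINE; one Finding per gap."""
    findings = []
    for control, expected in BASELINE.items():
        actual = snapshot.get(control)
        if actual is None:
            # A control the third party cannot report on cannot be verified;
            # treat it as a gap instead of assuming it is fine.
            findings.append(Finding("high", control, "not reported; cannot verify"))
        elif isinstance(expected, bool):  # check bool before int: bool is an int subclass
            if actual != expected:
                findings.append(Finding("high", control, f"expected {expected}, reported {actual}"))
        elif actual > expected:
            findings.append(Finding("medium", control, f"{actual} exceeds agreed maximum of {expected}"))
    return findings


def parse_events(jsonl: str) -> list:
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_tampering(events: list) -> list:
    """Flag audit events that weaken a security control.

    Every weakening change is worth a look; one made by an account that is
    not approved to touch controls is escalated to critical.
    """
    findings = []
    for ev in events:
        control = WEAKENING_EVENTS.get(ev.get("type"))
        if control is None:
            continue  # routine event, not a control change
        actor = ev.get("actor")
        severity = "high" if actor in APPROVED_CHANGE_OPERATORS else "critical"
        findings.append(Finding(severity, control, f"{ev['type']} on {ev.get('target')}",
                                actor=actor, ts=ev.get("ts")))
    return findings


def monitor(snapshot: dict, audit_jsonl: str) -> dict:
    """Run both checks and summarize them for the shared channel with the third party."""
    findings = check_drift(snapshot) + detect_tampering(parse_events(audit_jsonl))
    return {
        "findings": findings,
        "counts": dict(Counter(f.severity for f in findings)),
        "needs_investigation": any(f.severity == "critical" for f in findings),
    }


# Constructed sample snapshot and audit log (not real data).
SAMPLE_SNAPSHOT = {
    "mfa_required": True,
    "audit_logging_enabled": True,
    "log_forwarding_enabled": False,       # drifted from baseline
    "admin_session_timeout_minutes": 60,   # exceeds agreed maximum
}

SAMPLE_AUDIT_LOG = """
{"ts": "2024-03-01T09:12:04Z", "type": "auth.login", "actor": "jdoe", "target": "jdoe"}
{"ts": "2024-03-01T09:14:22Z", "type": "mfa.disabled", "actor": "svc-deploy", "target": "finance-admin"}
{"ts": "2024-03-01T09:15:10Z", "type": "audit.forwarding_disabled", "actor": "svc-deploy", "target": "siem-forwarder"}
{"ts": "2024-03-01T10:01:33Z", "type": "mfa.disabled", "actor": "it-admin", "target": "contractor-42"}
"""

if __name__ == "__main__":
    report = monitor(SAMPLE_SNAPSHOT, SAMPLE_AUDIT_LOG)
    for f in report["findings"]:
        who = f" by {f.actor} at {f.ts}" if f.actor else ""
        print(f"[{f.severity:8}] {f.control}: {f.detail}{who}")
    print("counts:", report["counts"], "needs_investigation:", report["needs_investigation"])
```

Run as a script it prints the findings; `monitor` returns the structured report that would be shared with the third party's team. One design choice worth noting: a control the snapshot does not report on is recorded as an unverified gap rather than assumed compliant, which is exactly the reporting deficiency the monitoring is meant to compensate for.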
That's why continuous inside-out monitoring works best when teams from both organizations cooperate. They must communicate clearly regarding the severity of each issue and the expectations involved. They can also share information about potential fixes and their drawbacks.
Because this communication channel is always open, there is a lot less friction when incidents have to be investigated and responded to. If a third party finds it difficult to act and fix the issues identified by the monitoring, that isn't a problem with the monitoring. Instead, it's revealing a shortcoming in that third party's cybersecurity posture that would only become apparent during an incident.
On the other hand, a third party that can continually improve through this process will likely build a healthier culture for cybersecurity, increasing its readiness to respond to incidents.
Incident response is almost an art at times. While it's challenging to predict and plan for everything, resiliency is about building a framework that is adaptable enough to work in any kind of situation. Continuous inside-out monitoring brings third parties closer through constant communication and cooperation, leading to significant improvements in this process.