May 22, 2019 By Jasmine Henry

Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.

Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.

Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.

Why Is Third-Party Risk Management Lagging?

For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor risk management in any capacity. In addition, 54 percent of organizations spend less than $5,000 each year on vendor risk management, even though most agree that more effective practices would deliver a positive return on investment.

For some companies, the roadblock may be low rates of cultural awareness and exposure. The Ponemon study found that less than one-third of organizations regularly report to the board about the state of third-party cyber risk practices. When one also considers the industry’s long-standing reliance on vendor questionnaires as a primary method of tracking third-party risk, it becomes clear that the board may have little insight into the state of third-party risk in many cases. Visibility is the main barrier.

Rethink Your Questionnaire

It’s time for the industry to move past its dependence on vendor questionnaires to assess cybersecurity risk. While self-reported data has a place within a risk management framework, there’s clear evidence that organizations need to reassess the completeness and accuracy of the information they are receiving.

At the very least, companies should examine and update existing questionnaire forms and edit them for length to remove extraneous questions that could diminish the chances of a vendor response. According to RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34, depending on the length of the form.

As Kelly White, founder and CEO of RiskRecon, wrote in Dark Reading, “Questionnaires are generic, but your vendors aren’t.” Generic questionnaires will result in a shallow rating of risk that provides little insight into how an internet of things (IoT) vendor’s data handling practices actually affect your organization compared to an HR partner, for instance. “Use the questionnaire to target the data you’re most interested in,” wrote White. “Don’t waste time gathering information you already have.”

Emphasize Objective Measures

The most meaningful indicators of vendor risk come from third-party assessments of your vendors, such as ISO certifications or penetration testing results. Involving third-party ratings can significantly streamline the process of gathering objective evidence on vendor performance by testing protective measures like data encryption.

Open-source intelligence (OSINT) providers can also be leveraged as clear sources of insight into vendor cybersecurity risk. OSINT, penetration testing and cyberthreat intelligence reports can create the necessary baseline of understanding to examine how your partners’ practices compare to acceptable standards for data protection.

Map Data to Maintain Oversight

The dynamic state of data risk demands a more real-time approach than annual questionnaires. Data governance and methodologies for data mapping can fulfill regulatory requirements and allow organizations to maintain oversight of data in transit, data at rest and assets that are distributed across a vast third-party network. Using tools to identify critical assets and track compliance can streamline the process of maintaining dynamic data controls and help to enforce security policy, even for networks that incorporate many vendors and assets.

Risk Management Isn’t Static, So Take a Dynamic Approach

Risk and vendor governance are receiving increased attention, and it’s time for CISOs and chief risk officers (CROs) to get their arms around these issues. Third-party risk management isn’t simple, and organizations face numerous barriers on the road to smarter vendor risk governance, including concerns around processes, resources and organizational structures. While dedicating more time to your questionnaires can mitigate some risks and enable better oversight, vendor risk is far too dynamic to be managed with an annual, paper-based approach that presents the same self-reporting measures to a large and diverse vendor network.

Vendor risk management is crucial to customer trust, compliance and other strategic priorities that affect the business as a whole. By taking a dynamic approach that integrates OSINT, third-party cyber risk intelligence reports, and an ecosystem of solutions for mapping data risks and controls in real time, organizations can overcome the visibility barrier into third-party risk.
