May 22, 2019 By Jasmine Henry 3 min read

Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.

Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.

Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.

Why Is Third-Party Risk Management Lagging?

For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor risk management in any capacity. In addition, 54 percent of organizations spend less than $5,000 each year on vendor risk management, even though most agree that more effective practices would deliver a positive return on investment.

For some companies, the roadblock may be low rates of cultural awareness and exposure. The Ponemon study found that less than one-third of organizations regularly report to the board on a consistent basis about the state of third-party cyber risk practices. When one also considers the industry’s long-standing reliance on vendor questionnaires as a primary method of tracking third-party risk, it becomes clear that the board may have little insight into the state of third-party risk in many cases. Visibility is the main barrier.

Rethink Your Questionnaire

It’s time for the industry to move past its dependence on vendor questionnaires to assess cybersecurity risk. While self-reported data has a place within a risk management framework, there’s clear evidence that organizations need to reassess the fullness and accuracy of the information they are receiving.

At the very least, companies should examine and update existing questionnaire forms and edit them for length to remove extraneous questions that could diminish the chances of a vendor response. According to RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34, depending on the length of the form.

As Kelly White, founder and CEO of RiskRecon, wrote in Dark Reading, “Questionnaires are generic, but your vendors aren’t.” Generic questionnaires will result in a shallow rating of risk that provides little insight into how an internet of things (IoT) vendor’s data handling practices actually affect your organization compared to an HR partner, for instance. “Use the questionnaire to target the data you’re most interested in,” wrote White. “Don’t waste time gathering information you already have.”

Emphasize Objective Measures

The most meaningful indicators of vendor risk come from third-party assessments of your vendors, such as ISO certifications or penetration testing results. Involving third-party ratings can significantly streamline the process of gathering objective evidence on vendor performance by testing protective measures like data encryption.

Open-source intelligence (OSINT) providers can also be leveraged as clear sources of insight into vendor cybersecurity risk. OSINT, penetration testing and cyberthreat intelligence reports can create the necessary baseline of understanding to examine how your partners’ practices compare to acceptable standards for data protection.

Map Data to Maintain Oversight

The dynamic state of data risk demands a more real-time approach than annual questionnaires. Data governance and methodologies for data mapping can fulfill regulatory requirements and allow organizations to maintain oversight of data in transit, data at rest and assets that are distributed across a vast third-party network. Using tools to identify critical assets and track compliance can streamline the process of maintaining dynamic data controls and help to enforce security policy, even for networks that incorporate many vendors and assets.

Risk Management Isn’t Static, So Take a Dynamic Approach

Risk and vendor governance are receiving increased attention, and it’s clear that it’s time for CISOs and chief risk officers (CROs) to get their arms around these issues. Third-party risk management isn’t simple, and organizations face numerous barriers on the road to smarter vendor risk governance, including concerns around processes, resources and organizational structures. While dedicating more time and hours to your questionnaires can mitigate some risks and enable better oversight, vendor risk is far too dynamic to be managed with an annual, paper-based approach that presents the same self-reporting measures to a large and diverse vendor network.

Vendor risk management is crucial to customer trust, compliance and other strategic priorities that affect the business as a whole. By taking a dynamic approach that integrates OSINT, third-party cyber risk intelligence reports, and an ecosystem of solutions for mapping data risks and controls in real time, organizations can overcome the visibility barrier into third-party risk.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today