Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.

Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.

Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.

Why Is Third-Party Risk Management Lagging?

For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor risk management in any capacity. In addition, 54 percent of organizations spend less than $5,000 each year on vendor risk management, even though most agree that more effective practices would deliver a positive return on investment.

For some companies, the roadblock may be low rates of cultural awareness and exposure. The Ponemon study found that less than one-third of organizations regularly report to the board on a consistent basis about the state of third-party cyber risk practices. When one also considers the industry’s long-standing reliance on vendor questionnaires as a primary method of tracking third-party risk, it becomes clear that the board may have little insight into the state of third-party risk in many cases. Visibility is the main barrier.

Rethink Your Questionnaire

It’s time for the industry to move past its dependence on vendor questionnaires to assess cybersecurity risk. While self-reported data has a place within a risk management framework, there’s clear evidence that organizations need to reassess the fullness and accuracy of the information they are receiving.

At the very least, companies should examine and update existing questionnaire forms and edit them for length to remove extraneous questions that could diminish the chances of a vendor response. According to RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34, depending on the length of the form.

As Kelly White, founder and CEO of RiskRecon, wrote in Dark Reading, “Questionnaires are generic, but your vendors aren’t.” Generic questionnaires will result in a shallow rating of risk that provides little insight into how an internet of things (IoT) vendor’s data handling practices actually affect your organization compared to an HR partner, for instance. “Use the questionnaire to target the data you’re most interested in,” wrote White. “Don’t waste time gathering information you already have.”

Emphasize Objective Measures

The most meaningful indicators of vendor risk come from third-party assessments of your vendors, such as ISO certifications or penetration testing results. Involving third-party ratings can significantly streamline the process of gathering objective evidence on vendor performance by testing protective measures like data encryption.

Open-source intelligence (OSINT) providers can also be leveraged as clear sources of insight into vendor cybersecurity risk. OSINT, penetration testing and cyberthreat intelligence reports can create the necessary baseline of understanding to examine how your partners’ practices compare to acceptable standards for data protection.

Map Data to Maintain Oversight

The dynamic state of data risk demands a more real-time approach than annual questionnaires. Data governance and methodologies for data mapping can fulfill regulatory requirements and allow organizations to maintain oversight of data in transit, data at rest and assets that are distributed across a vast third-party network. Using tools to identify critical assets and track compliance can streamline the process of maintaining dynamic data controls and help to enforce security policy, even for networks that incorporate many vendors and assets.

Risk Management Isn’t Static, So Take a Dynamic Approach

Risk and vendor governance are receiving increased attention, and it’s clear that it’s time for CISOs and chief risk officers (CROs) to get their arms around these issues. Third-party risk management isn’t simple, and organizations face numerous barriers on the road to smarter vendor risk governance, including concerns around processes, resources and organizational structures. While dedicating more time and hours to your questionnaires can mitigate some risks and enable better oversight, vendor risk is far too dynamic to be managed with an annual, paper-based approach that presents the same self-reporting measures to a large and diverse vendor network.

Vendor risk management is crucial to customer trust, compliance and other strategic priorities that affect the business as a whole. By taking a dynamic approach that integrates OSINT, third-party cyber risk intelligence reports, and an ecosystem of solutions for mapping data risks and controls in real time, organizations can overcome the visibility barrier into third-party risk.

More from Risk Management

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking. Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up. How Caffeine PhaaS is Different PhaaS vendors advertise and sell their…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…