Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.

Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.

Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.

Why Is Third-Party Risk Management Lagging?

For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor risk management in any capacity. In addition, 54 percent of organizations spend less than $5,000 each year on vendor risk management, even though most agree that more effective practices would deliver a positive return on investment.

For some companies, the roadblock may be low rates of cultural awareness and exposure. The Ponemon study found that less than one-third of organizations regularly report to the board on a consistent basis about the state of third-party cyber risk practices. When one also considers the industry’s long-standing reliance on vendor questionnaires as a primary method of tracking third-party risk, it becomes clear that the board may have little insight into the state of third-party risk in many cases. Visibility is the main barrier.

Rethink Your Questionnaire

It’s time for the industry to move past its dependence on vendor questionnaires to assess cybersecurity risk. While self-reported data has a place within a risk management framework, there’s clear evidence that organizations need to reassess the fullness and accuracy of the information they are receiving.

At the very least, companies should examine and update existing questionnaire forms and edit them for length to remove extraneous questions that could diminish the chances of a vendor response. According to RiskRecon, each additional security assessment question can cost anywhere from $11.62 to $34, depending on the length of the form.

As Kelly White, founder and CEO of RiskRecon, wrote in Dark Reading, “Questionnaires are generic, but your vendors aren’t.” Generic questionnaires will result in a shallow rating of risk that provides little insight into how an internet of things (IoT) vendor’s data handling practices actually affect your organization compared to an HR partner, for instance. “Use the questionnaire to target the data you’re most interested in,” wrote White. “Don’t waste time gathering information you already have.”

Emphasize Objective Measures

The most meaningful indicators of vendor risk come from third-party assessments of your vendors, such as ISO certifications or penetration testing results. Involving third-party ratings can significantly streamline the process of gathering objective evidence on vendor performance by testing protective measures like data encryption.

Open-source intelligence (OSINT) providers can also be leveraged as clear sources of insight into vendor cybersecurity risk. OSINT, penetration testing and cyberthreat intelligence reports can create the necessary baseline of understanding to examine how your partners’ practices compare to acceptable standards for data protection.

Map Data to Maintain Oversight

The dynamic state of data risk demands a more real-time approach than annual questionnaires. Data governance and methodologies for data mapping can fulfill regulatory requirements and allow organizations to maintain oversight of data in transit, data at rest and assets that are distributed across a vast third-party network. Using tools to identify critical assets and track compliance can streamline the process of maintaining dynamic data controls and help to enforce security policy, even for networks that incorporate many vendors and assets.

Risk Management Isn’t Static, So Take a Dynamic Approach

Risk and vendor governance are receiving increased attention, and it’s clear that it’s time for CISOs and chief risk officers (CROs) to get their arms around these issues. Third-party risk management isn’t simple, and organizations face numerous barriers on the road to smarter vendor risk governance, including concerns around processes, resources and organizational structures. While dedicating more time and hours to your questionnaires can mitigate some risks and enable better oversight, vendor risk is far too dynamic to be managed with an annual, paper-based approach that presents the same self-reporting measures to a large and diverse vendor network.

Vendor risk management is crucial to customer trust, compliance and other strategic priorities that affect the business as a whole. By taking a dynamic approach that integrates OSINT, third-party cyber risk intelligence reports, and an ecosystem of solutions for mapping data risks and controls in real time, organizations can overcome the visibility barrier into third-party risk.

More from Risk Management

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Machine Learning Applications in the Cybersecurity Space

3 min read - Machine learning is one of the hottest areas in data science. This subset of artificial intelligence allows a system to learn from data and make accurate predictions, identify anomalies or make recommendations using different techniques. Machine learning techniques extract information from vast amounts of data and transform it into valuable business knowledge. While most industries use these techniques, they are especially prominent in the finance, marketing, healthcare, retail and cybersecurity sectors. Machine learning can also address new cyber threats. There…

3 min read

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read