Businesses in all sectors are adopting new technologies and operating models to digitize processes, leverage more business partners, and widen their ecosystems of suppliers, software-as-a-service (SaaS) providers and cloud service providers (CSPs). There is also a greater number of interconnections between businesses, more interdependency between companies and their vendors, and heightened reliance on technology and data to run their operations. Sensitive corporate data now resides in multiple systems, across multiple types of platforms and devices, and may be accessed or hosted by a variety of third-party vendors.

At the same time, cybercriminal activities are turning into increasingly sophisticated, self-sustaining industries that can leverage outsourcing, adopt advanced technologies and work across national boundaries. At times, these criminal efforts are even state-sponsored. As a result, firms need to expand their enterprise risk management frameworks to encompass a whole-ecosystem view of risk. New technologies must be deployed to identify, measure and manage new risks. These protections should leverage the cloud, artificial intelligence (AI), and advanced analytics to strengthen and extend traditional risk and compliance processes.

To that end, risk management is evolving, and consultants and businesses are racing to catch up and react to new threats. Many companies are seeking support from cybersecurity risk rating companies to provide insights or data on their vendors. Still, this approach has some drawbacks and limitations.

The Challenges of Third-Party Risk Management

More and more businesses and regulators are recognizing that third-party relationships are becoming some of the most significant and challenging risks to manage properly. Working with third parties can expose you to new risks depending on their ability to manage operational and security vulnerabilities. Third-party security breaches and operational performance failures can disrupt your critical business processes, damage your brand and reputation, lead to regulatory compliance penalties, or damage your business operations. Successfully managing and mitigating emerging risks is one of the biggest challenges a company can face.

Businesses that depend primarily on cyber risk rating solutions to provide data security snapshots often find that the generated reports are limited in breadth and may not include service-specific information about their vulnerabilities and weaknesses. For example, rating companies may provide a very broad score based on a generic scan of public source data alone. Their reports may also include false positives, leaving organizations to sift through the findings and determine the true risks that could affect their business — which tends to involve more time, funds and energy.

While leveraging risk rating services may be useful as an initial indicator, most businesses today require risk assessments that are specifically tailored to the types of services they provide.

Start With the Basics

Technologies such as the cloud, the internet of things (IoT), operational technology (OT), advanced analytics, blockchain, mobile devices and AI can increase productivity and efficiency and reduce costs and operational timelines. However, they may also create new risks for a business, as they can make your vendor relationships, business processes and data protection needs more complex.

Businesses in general (and financial institutions in particular) are finally viewing vendor relationships as a risk that must be managed, rather than a simple procurement process. Traditional metrics for evaluating vendors’ performance and overall value become less relevant when an organization opts to move from a purely operational perspective to a more risk-based view.

Yet companies are failing to uphold basic risk management practices. Many are unable to take a complete inventory of their partners’ systems due to limited access to business data. They also might not fully understand which processes are critical to their business or have access to the critical technology platforms and systems needed to make a proper assessment.

Working with companies across many industries, we constantly see organizations fail to understand and address the security and operational risks involved in third-party relationships. Vendor management needs to be viewed as an end-to-end process that requires risk identification, risk mitigation and active monitoring throughout the entire vendor relationship lifecycle.

Companies need to keep up with changing technology and develop controls to sustain good risk management practices. The nature of these controls can differ substantially if one compares an operating model where the technology is operated on-premises to one where key processes and functions are outsourced or delivered by a SaaS provider. If the necessary data and workflows exist in the cloud, this can complicate matters further.

Companies need to continue to refine their governance, controls and risk management practices and adapt them to a world that is highly interconnected, which can lead to a decentralized operating model. Their staff and compliance organizations must adjust to appreciate a multiplayer risk environment where controls, protection and detection may rest in the hands of others.

The chart below illustrates the elements of an overall risk management framework that addresses the whole ecosystem of providers as well as internal functions.


Emerging Tools for New Risks

Once you have covered the basics, you can start to look at advanced capabilities offered across the industry. There is a growing body of best practices and technologies to assist senior leaders and their risk managers in efforts to identify, manage, mitigate and reduce third-party risk in these times of change. Leading companies are adopting an “extended risk universe” that incorporates risk metrics, quantification capabilities, third-party risk assessments, monitoring and controls, and the use of advanced analytics to understand risk scenarios and key risk identifiers.

The clients I work with are leveraging proactive risk management practices that involve the use of agile techniques for identifying new risks, regular testing and rehearsal planning, top-down cultural changes, and on-demand, cloud-based security services. These leading organizations are in alignment across their C-suite executives regarding their top risks and risk trends. Such accordance can help to drive more focused investments, skills training, systemic remediation efforts and effective planning.

Our approach recommends that clients adopt both a top-down approach to managing third-party risk and a proactive, grassroots one. Leading organizations are utilizing automation to centralize and analyze risk data. They are using advanced analytics to identify correlations and relationships and to gain insights across discrete data sets. Key resources in their endeavors include internal audit results, corrective action plans, and assessments around operational, IT and compliance risks.

Critically, they are using a data-driven approach to identify, assess and monitor risks, thus ensuring that their information is based on facts rather than on perceptions, hypotheses or general observations about technologies and providers. Their programs tend to deliver greater results than the simplistic point-in-time snapshots commonly provided by rating companies. Best-in-class businesses adopt a holistic and continuous monitoring approach that includes the consideration of business issues, reputational risk, financial risk, potential supply chain disruptions, and security and data breaches.

These businesses understand the need to focus and tailor their third-party risk efforts on the most significant and impactful risks based on services provided and data access — and these efforts are paying dividends.

Adopt a Strategic Approach to Managing Third-Party Risk

Business operations are accelerating and threat actors are leveraging some of the most sophisticated technologies. Data and transactions are being hosted, managed and secured by third parties, and operational technologies and IoT devices are more interconnected than ever. The key takeaway regarding this new environment is that risk management practices require an agile, integrated and holistic approach to identify risks, protect against them and prevent risk events from occurring.

Businesses need to adopt a strategic approach to managing third-party risks, one that provides an integrated view of the vendor relationship process and incorporates risk management throughout that process. It should include considerations for onboarding and procurement, legal and contracts, information security, data access, active monitoring, and operational management. Organizations need to assess vendors of all types in the context of the role they play and the relationship that is in place; risk management must adapt to the extended universe environment.

Boards need to be better equipped and practiced in the art of risk management. Every company should ask, “What are our top 10 enterprise risks?” and ensure alignment with the C-suite in their response. Every company should be able to gather and analyze their risk data to identify and monitor systemic risks, both new and emerging. Finally, every company must have a control framework that is both comprehensive enough to manage their current risks and flexible enough to address future risks.
