How Does Third Party Risk Management Relate to IT?

Bryana Dacri | May 1, 2018 | tag: Vendor Risk Management

As advances in cloud computing and managed services have made IT operations more streamlined, the focus of IT leaders has shifted to improving efficiency, agility, and risk management. Managing risk, in particular, has become an even more central concern.

Every few months, another company discloses that their confidential data has been breached. These security lapses have major consequences, ranging from regulatory scrutiny to fines, lawsuits, and consumer dissatisfaction.

This comes into play when dealing with your own organization’s vendors. Who wants to work with a partner that’s been careless with data? Their reputation can ultimately affect that of your own organization’s. However, outside vendors are an essential part of the IT ecosystem for many large companies; it’s simply impossible to perform key functions without them. How do you determine whether they will handle your data with the utmost care? This is the essence of third party risk management in the IT space: Have your vendors taken the appropriate measures to ensure your data is not at risk?

Third Parties are Often the Weakest Link

When protecting your organization’s data, you’re only as good as your third party risk management program. While vendor risk management is important for all areas of a business, it’s perhaps the most crucial for IT. Failing to properly manage this risk can lead to loss of confidential information, trade secrets, and customer data — all leading to serious business repercussions. Additionally, the lag time between a breach and when a business is notified of it by their vendor can be significant, making it more difficult to react effectively.

In order to protect against this, businesses should map out their data flow and determine how this intersects with their vendors, while also assessing the security risk that each may present. Even the best internal data protection policies can be undermined by vendors who have lower security standards.

Security Should be a Factor in Choosing a Vendor

While vendor management has become an important component of IT, other concerns have often outweighed a focus on security. In the past, service quality, cost, and other more fundamental business concerns have been key areas of evaluation.

Increasingly, however, large organizations have learned that security risk management is an important area to consider. In fact, it can underpin the business calculus of using a certain vendor. For example, if one vendor has a much stronger security posture but is more expensive, they may ultimately be preferable to a lower cost vendor with a less robust security infrastructure. Such factors must be a part of the vendor contracting and management process.

Risk management should be a priority for IT leaders, from the CISO and CIO on down. It’s also important for these IT officials to make the case to the whole leadership team that vendor risk management is an important business consideration. It’s easy for cost-based decisions to crowd out all other factors. IT leadership must build a business case that shows the importance of vendor security standards.

Putting a Policy In Place

Most large businesses have robust internal risk management plans. These can be applied to vendors as well. Key components include understanding current data vulnerabilities and screening any new vendors you contract with using the highest standards possible. Of course, the largest enterprises use thousands of vendors. The process of risk management, therefore, hinges on prioritization. You have to determine where your most critical data is going. These vendors should be evaluated in terms of their business relationship with your company, integrity, technology, and overall track record.

Prioritizing third party risk management is the first step toward getting results and shoring up the overall security of your company’s data. From there, organizations must develop an effective strategy for carrying out this objective. This includes revising or supplementing any existing cybersecurity policies to fully reflect the risk posed by vendors.

Additionally, a plan should be put into place to actively manage and monitor vendor relationships. This typically involves the completion of vendor security risk assessments and mapping to identify where the most sensitive information flows. If your business handles sensitive personal information, for example, you should track every vendor that may have access to this information on their systems at a given point in time.

After identifying this data, look to the vendors and review the security and risk controls they have in place. For instance, if your payment processor has weaknesses or gaps in its security infrastructure, that relationship may warrant investigation or reassessment.

Overall, third party vendor risk management is about knowing the vulnerabilities of your outside vendors and finding ways to mitigate these data security concerns.

To learn more about how third party risk management impacts IT teams, download our ebook.

