When it comes to third-party risk management (TPRM), many organizations are just beginning to figure out the core components of their program — and some are not implementing any measures to monitor their third parties at all.
According to Ponemon’s November 2018 report “Data Risk in the Third-Party Ecosystem”, 54% of organizations saying their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information (or they are unsure), but only 29% trusting the vendor to tell them of a breach. That being said, where do these companies who are just starting out in their risk management journey actually start when putting a TPRM program into place?
It’s widely known that risk from the supply chain, or third parties, is one of the most pressing risks for businesses worldwide. However according to Ponemon’s report, most organizations, don’t have the confidence, resources, or inventory to be able to even start a TPRM program, and of those that do have a program only 35% rate it as highly effective. If they do have an existing program, it is oftentimes inefficient in terms of procedures and processes; sometimes it can take up to several weeks to complete risk assessments or vendor cyber risk assessment questionnaire with a small team (sometimes even just one person!) in place. Ultimately, this slows down the business in day-to-day operations.
While point-in-time cyber security risk assessments are not an accurate representation of the dynamic risk present across all functions of an organization, it’s important for companies to realize that implementing a mature TPRM program with continuous monitoring of vendors takes time. While this is the standard, not every organization is ready to implement it on day one. You need a plan to get there. The path that organizations take to get to those mature third-party risk management programs starts with launching their program. While it may seem reactive at first, eventually, it will expand to more continuous, automated processes that allow their organization to scale.
It’s more than acceptable for companies to start with more of an “ad-hoc” or reactionary TPRM program as they get things off the ground, while still conscious of the automation and resource allocation that is possible to achieve full confidence in their program. If they need to do security assessments, they complete assessments only on their "high-risk" or Tier 1 vendors, and re-assess when a security event happens or on an annual basis.
A great place to start is by assessing the vulnerabilities that exist across a company’s third-party supply chain. Vulnerabilities pose one of the largest threats to an organization when it comes to the risk of a data breach or cyber incident. They are also easily identified using outside-in solutions like security ratings. Incidents like the Ticketmaster breach from June 2018, in which their data was compromised by a third-party vendor, could have easily been avoided if they had visibility into the vulnerabilities present on that vendors’ network that would ultimately severely affect their own.
Ultimately, organizations need to start somewhere when implementing a third-party risk management program. If they can begin by identifying and addressing the biggest, riskiest vendors to their business (as well as identifying the vulnerabilities present on their networks), eventually they can lay the foundation for a more mature TPRM program in the future.
What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by the...
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...