<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=26304&amp;fmt=gif">
Vendor Risk Management

Fact or Fiction (Part 1): Things You Should Know About Third-Party Risk Management

Alex Campanelli | August 21, 2018

It’s no secret that while it is critical for an organization to have a strong cybersecurity posture, it’s just as important for their third parties to have a strong security posture as well. While this fact is becoming increasingly more acknowledged in the business world (as many companies suffer data breaches at the hands of their suppliers), there are still several misconceptions about third-party risk management (TPRM) programs and what they entail. Among the many initiatives that make up a modern enterprise cybersecurity program, TPRM might be the most misunderstood.

In this three-part blog series, we’ll take a look at some of the notions surrounding third-party risk management and separate fact from fiction. 

1) Third-party risk management is only necessary for companies with hundreds or thousands of third party relationships.


third party risk management

It just takes one of your third parties to cause a breach. Nearly every organization is reliant on a third-party for some type of service. If immediate third parties do not pose cyber risk directly, their third parties (your fourth parties) may. Organizations need to ensure they are tracking the entire flow of their data and monitoring organizations across these flows. Security ratings allow you to deliver timely, data-driven insights into any vendor’s security performance by continuously analyzing, and monitoring companies’ cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security posture of key business partners.


2) Compliance should be the primary goal of any third-party risk management program.


Compliance should be one goal of your third-party risk management program, but not necessarily the primary goal. Many industries and governments regulate third-party risk management, but maintaining compliance doesn’t ensure the safety of your company’s data. It's critical to align third-party risk management strategy or programs with increasing global and regional cybersecurity regulations (i.e. GDPR, NYDFS) and business initiatives. Ongoing and continuous monitoring is a key step towards aligning third-party risk management strategy to cybersecurity regulations.

Security ratings can serve as a critical piece of your TPRM program by helping security and risk teams go above and beyond to quickly identify critical third parties, efficiently scale their TPRM programs, and provide a means to collaborate with those third parties and remediate security issues efficiently.  


3) Third-party risk management should be a Board-level initiative.


TPRM is no longer just a responsibility for IT departments. A successful third-party risk management program has sponsorship from multiple departments, as well as support and involvement from the Board. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative.

Read our new ebook to learn more about common misconceptions surrounding third-party risk management.

third-party risk management misconceptions

Read part 2 of the Fact or Fiction series: More Misconceptions About Third-Party Risk Management

Read part 3 of the Fact or Fiction series: How Security Ratings Play a Role in Third-Party Risk Management

Suggested Posts

What Is Digital Supply Chain Management?

You may have heard the term “digital supply chain management” being used to describe an emerging business function. But what exactly is a digital supply chain, and how is one supposed to manage it?


Getting Started with Enterprise Risk Management Software

Enterprise risk management software helps businesses monitor, manage, and mitigate many types of risk. However, procuring and implementing ERM software requires a significant investment, and choosing the solutions that are right for your...


BitSight EXCHANGE Sound Bites: Risk Management in Financial Services

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting and processing the incredible sessions and discussions that came about from this forum. It was a great event that brought together security executives from all...


Subscribe to get security news and updates in your inbox.