Fact or Fiction (Part 1): Things You Should Know About Third-Party Risk Management

Alex Campanelli | August 21, 2018 | tag: Vendor Risk Management

It’s no secret that while it is critical for an organization to have a strong cybersecurity posture, it’s just as important for their third parties to have a strong security posture as well. While this fact is becoming increasingly more acknowledged in the business world (as many companies suffer data breaches at the hands of their suppliers), there are still several misconceptions about third-party risk management (TPRM) programs and what they entail. Among the many initiatives that make up a modern enterprise cybersecurity program, TPRM might be the most misunderstood.

In this three-part blog series, we’ll take a look at some of the notions surrounding third-party risk management and separate fact from fiction. 

1) Third-party risk management is only necessary for companies with hundreds or thousands of third party relationships.

Fiction.

It just takes one of your third parties to cause a breach. Nearly every organization is reliant on a third-party for some type of service. If immediate third parties do not pose cyber risk directly, their third parties (your fourth parties) may. Organizations need to ensure they are tracking the entire flow of their data and monitoring organizations across these flows. Security ratings allow you to deliver timely, data-driven insights into any vendor’s security performance by continuously analyzing, and monitoring companies’ cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security posture of key business partners.

2) Compliance should be the primary goal of any third-party risk management program.

Fiction.

Compliance should be one goal of your third-party risk management program, but not necessarily the primary goal. Many industries and governments regulate third-party risk management, but maintaining compliance doesn’t ensure the safety of your company’s data. It's critical to align third-party risk management strategy or programs with increasing global and regional cybersecurity regulations (i.e. GDPR, NYDFS) and business initiatives. Ongoing and continuous monitoring is a key step towards aligning third-party risk management strategy to cybersecurity regulations.

Security ratings can serve as a critical piece of your TPRM program by helping security and risk teams go above and beyond to quickly identify critical third parties, efficiently scale their TPRM programs, and provide a means to collaborate with those third parties and remediate security issues efficiently.  

3) Third-party risk management should be a Board-level initiative.

Fact.

TPRM is no longer just a responsibility for IT departments. A successful third-party risk management program has sponsorship from multiple departments, as well as support and involvement from the Board. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative.

Read this ebook to learn more about common misconceptions surrounding third-party risk management.

third-party risk management misconceptions


Read part 2 of the Fact or Fiction series: More Misconceptions About Third-Party Risk Management

Read part 3 of the Fact or Fiction series: How Security Ratings Play a Role in Third-Party Risk Management

Suggested Posts

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring...

READ MORE »

5 Best Practices for Conducting Cyber Security Assessments

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.

READ MORE »

5 Tips to Improve Cyber Security Monitoring of Your Vendors

What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by...

READ MORE »

Get the Weekly Cybersecurity Newsletter.