What Does a Successful Third-Party Risk Management Program Look Like?

Brian Thomas | July 27, 2020

As digital transformation picks up pace, companies are working with more vendors than ever. According to Gartner, 60% of organizations now work with more than 1,000 third-party vendors — including partners, sub-contractors, and suppliers.

These third parties are essential to helping businesses grow and stay competitive, but third parties can also introduce unwanted cyber risk and overhead into the organization.

This presents a unique set of challenges for security professionals. Cybersecurity can’t be an obstacle to business growth; in fact, it must be a facilitator. As such, security teams must keep up with the needs of the business and move faster to onboard vendors. They must also prioritize their limited resources to achieve the highest risk reduction in the most efficient way.

To achieve this, security managers must find ways to drive greater maturity across their third-party risk management (TPRM) program. Here are five areas where improved processes and technology can help.

1. Apply TPRM process, policy, and procedures consistently

Critical to any successful TPRM program is ensuring that all business functions – particularly marketing, finance, legal, and procurement – agree upon and consistently apply third-party risk management processes, policies, and procedures when onboarding new vendors.

To establish these procedures, security managers should work with the business to determine acceptable risk threshold policies and pre-screen vendors accordingly. If a third party doesn’t meet these security guidelines, it can then be eliminated from the procurement process – allowing security teams to focus already stretched resources on evaluating vendors that have more desirable security postures.

Another crucial consideration is whether to adapt security assessments based on the partnership the organization will have with the vendor in question. After all, no two vendors are the same. Each third party presents a different level of risk, and therefore merits different treatment.

Security leaders should also consult with legal and finance teams to devise contractual controls and enforceable language to ensure compliance with those thresholds throughout the life of contracts.

2. Align cross-functional teams around risk reduction

A key characteristic of organizations with immature TPRM programs is that various business disciplines often tackle third-party cyber risk reduction in silos. Legal or procurement teams may have their own vendor screening criteria that are at odds with the policies and procedures adopted by security professionals.

By contrast, in successful and mature TPRM programs, these cross-functional teams are aligned around cyber risk reduction. They understand why it’s important, and they have adopted a collaborative vendor onboarding and risk management process that doesn’t roadblock them but keeps up with the speed of the business and what it’s trying to accomplish.

3. Champion TPRM outcomes in the boardroom

Cyber risk is a huge priority for the board, including the risk posed by third-party vendors and suppliers. They want greater oversight of these parties’ security risk profile through metrics and KPIs, but they also want security managers to link cybersecurity to business outcomes.

In a successful TPRM program, security leaders champion their achievements in the boardroom and communicate the impact of their TPRM initiatives through the lens of business value, whether it’s reducing the time and costs involved in onboarding new vendors, driving cross-team collaboration around risk reduction, or enabling the business to move with confidence into new areas of growth.

Armed with this information, the board can decide whether to get further behind security initiatives or to add resources.

4. Adopt TPRM technology and automation

Immature programs have traditionally relied on questionnaires and spreadsheets to assess and track third-party risk. These manual tools are sufficient if the organization is starting out. However, as it expands and adds more suppliers, security leaders should consider adding purpose-built TPRM technology and automation tools to manage a successful program at scale.

For instance, using BitSight Security Ratings as part of a comprehensive third-party cyber risk management program, security professionals can immediately and automatically expose third-party cyber risk during the onboarding process. Then, instead of wasting time doing long, full-blown assessments on every vendor, they can allocate resources to vendors that require greater due diligence.

5. Continuously monitor vendors

Cyberspace is constantly evolving, as is third-party risk. It’s important, therefore, that an organization’s security assessments go beyond point-in-time snapshots.

Once the onboarding stage is complete, companies can use BitSight Security Ratings to continuously monitor for any shifts or changes in their vendors’ security posture and receive alerts when these ratings drop below previously agreed-upon risk thresholds. Using BitSight, they can also gain a strategic view of risk across their vendor portfolio, making it easy to prioritize urgent third-party risk issues over non-urgent ones.

Based on these insights, organizations can then have honest, data-driven conversations with their vendors about their security postures, communicate exactly where risk may be present, and work collaboratively towards remediation.

Move beyond a checkbox approach to TPRM

A successful and mature TPRM program transforms the way organizations manage third-party cyber risk, helping them overcome one of the largest obstacles to digital transformation and business growth. Importantly, organizations at the top of the maturity ladder view third-party risk management through an operational efficiency lens – finding ways to reduce vendor onboarding time and costs – rather than solely as a check in the box or a compliance necessity.

Learn more about how you can take a confident approach to running your TPRM program by reading our white paper.