Building new digital relationships with third parties increases risk exposure. But IT teams can reduce that risk through all stages of the vendor onboarding, monitoring, and reassessment lifecycle.
With high-profile breaches being traced back to supply chain compromises, and a regulatory environment that is waking up to the realities of vendor risk, many organizations are investing heavily in third-party risk management (TPRM) programs.
Effective third-party risk management, however, can be extremely challenging for even the most mature organizations. Many providers offer tools that claim to make TPRM easier and more comprehensive — but which of these solutions and tools do you really need?
There’s no one-size-fits-all approach; a number of variables will determine the best course of action for your business. However, whether you’re launching, growing, or optimizing your TPRM program, there are certain tools that any organization should have.
Integrated Risk Management Software
Even if your organization only has a handful of third-party vendors, it’s still important to use a management system to keep track of objectives and progress. This system can be as complex as integrated risk management (IRM) software, or as simple as a well-organized spreadsheet.
If your organization only has five vendors, for example, a spreadsheet would likely suit your needs and be easy enough to manage. However, if your organization has 500 or 5,000 vendors, investing in a dedicated TPRM software platform is probably a better solution; in the long run, it will make scaling your TPRM program much simpler.
Regulations are another factor. Companies in heavily regulated industries like healthcare, finance, and utilities, even if they don't have a huge vendor roster, might need full-featured TPRM software. Such software can track the delivery and receipt of security risk assessment questionnaires, schedule penetration tests and on-site visits, manage review and assessment tasks, and generate reports for compliance purposes. Wide-reaching regulations like GDPR, which hold organizations accountable for the processors handling their data, are also making TPRM-specific software more essential.
Without a solid system for tracking cybersecurity risk assessments, it's easy for things to fall through the cracks, especially as a third-party vendor roster grows: an overdue questionnaire, an unreviewed finding, or a contract renewed without reassessment. In an area as high-stakes as cybersecurity, organizations can't afford to let even the little things slip.
Vendor Risk Questionnaires
Though they're not necessarily a "tool," vendor risk questionnaires are the backbone of most comprehensive TPRM programs. Thorough, consistent, and well-designed questionnaires for your vendors to complete and return are critical to reducing third-party risk.
While questionnaire templates are a good place to start, the questions should always be tailored to your particular industry and concerns. As your TPRM program matures, you'll want to start adapting questionnaires for each vendor or partner, taking into consideration their past performance and the systems and data to which they have access; a vendor with network connectivity into your environment or access to regulated data warrants far more scrutiny than one that does not.
Traditionally, best practice has been to administer a questionnaire during onboarding and follow up at regular intervals to ensure that security is being maintained (or better yet, improved). While this may change in the future thanks to third-party monitoring technologies, it's still an important part of TPRM for many companies.
However, questionnaires should not be the only component of a TPRM program. They are self-reported, point-in-time snapshots: they can become inaccurate quickly as new threats emerge and a third party's security performance changes, and they only reflect what the vendor chooses to disclose. Relying solely on questionnaires to assess cybersecurity gives you an incomplete picture of a third party's security posture, so questionnaires are best used alongside other TPRM tools.
A 2018 study found that for 88% of organizations, it took over two weeks to assess vendors’ cybersecurity using manual methods such as a cyber security risk assessment questionnaire. When each assessment requires this much effort, it’s not possible to maintain a continuous picture of third-party risk.
Continuous Monitoring and Security Ratings
Continuous monitoring solutions like security ratings help cover the gaps between questionnaires by allowing companies to track third parties' cybersecurity performance in near real time.
Security ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. Ratings are derived from objective, verifiable information and produced by independent organizations. Security ratings enable you to quickly ascertain a vendor's cybersecurity posture, track changes to their performance over time, and identify their most significant weaknesses. Because they are built from externally observable data, ratings reflect a vendor's internet-facing footprint rather than its internal controls, which is why they complement questionnaires rather than replace them.
In addition, because security ratings are easy-to-understand numbers that reflect actual cyber risk, they provide a clear frame of reference and make it easier to communicate with stakeholders about cybersecurity.
Which third-party risk management tools do you really need? It depends on your industry, the maturity of your TPRM program, and the size of your vendor roster. However, starting from a foundation of robust management software, well-designed questionnaires, and continuous monitoring will point you in the right direction.