
It’s Time for the C Suite and Boards to Truly Engage in Third-Party Cyber Risk Management

Board Room


Given how much businesses rely on data, cloud providers and other aspects of the digital world, cybersecurity should be a topic on every boardroom agenda today. The reality, however, is that most boards of directors and C-suites are made up of individuals who have risen through the ranks from financial, sales or business disciplines. As such, they almost always have a great deal of expertise in areas such as finances, metrics and policy, but often very little when it comes to cybersecurity.

While some forward-thinking companies have created C-suite positions for IT and security personnel, such as chief technology officers (CTO) and chief information security officers (CISO), these are, overall, still relatively rare. When they do exist, the CTOs, CISOs and similar IT executives don’t always get an actual seat on the board, and unfortunately their voices sometimes carry less weight. Their lack of voice is then compounded by the fact that most boards and C-suites assume their IT and security teams have cybersecurity covered. But with the increasing incidence of cyber breaches (most notably, third-party cyber breaches) and cyber regulations, this assumption is going to put the board and C-suite in hot water.

In a recent BDO Governance survey, only 32 percent of the board respondents said they were briefed on cybersecurity quarterly, while 54 percent said they were briefed at least annually, and 9 percent said not at all. Surprisingly, 73 percent say their organizations require third parties to meet some level of cyber risk requirements. Our recent study of security and IT professionals found that only 36 percent of them felt their organizations effectively assessed third-party cyber risk. This disparity illustrates the need for boards and C-suites to be more engaged with their security teams, and particularly with third-party cyber risk management.

In fact, global consulting firm Protiviti recently found a high correlation between board involvement and highly mature vendor risk management (VRM) systems. In the Protiviti study, 57 percent of companies that reported having engaged boards also enjoyed the benefits of a mature VRM framework. Couple that with the frequently reported figures that the average cost of a breach is around $4 million and that third-party breaches tend to be the most expensive, at $7.5 million. Once you’ve factored in the impact on brand reputation, lost business and other incidental costs, that number gets even higher. The impact of a breach is a perfect example of how an organization’s financial and technological risks blend together, and why the board should be involved in creating a Third-Party Cyber Risk Management (TPCRM) strategy.

So, how can the board get involved? The first step is having a board that understands what a TPCRM strategy is and what the benefits of such a program are. A good strategy is one that includes a comprehensive program for identifying the vendor landscape, prioritizing it, assessing risk, and of course remediating any risk that is deemed unacceptable. Data should be collected through a dynamic and validated assessment that continuously monitors vendors’ internal security controls and gaps, rather than through a surface scanning tool that relies on publicly available data or a once-a-year static assessment. The continuous and validated approach will make the data provided by the TPCRM program more valuable to the board’s decision-making process.

The board should also ask the right questions of the IT teams. For example, ask about the entire vendor ecosystem. Do they know who the riskiest vendors are, or which vendors handle, or have access to, the company’s most sensitive or classified information? And once these factors are known, what specific steps are being taken, or are planned, to mitigate the problem? The board should also know that the most valuable TPCRM programs don’t just look at the vendors the company spends most of its money on. They look at the entire vendor pool and take all levels of risk into consideration, so the organization can manage cyber risk across its whole portfolio.

Finally, the best TPCRM strategies are a joint effort. It’s in everyone’s best interest, the board’s, the IT teams’ and their third parties’, to assess and evaluate cybersecurity. Working together makes it much easier to present a united front against any potential attackers.


At the end of the day, your organization’s finances, metrics and value are all intrinsically linked to your cybersecurity, so it’s time to start paying attention. 
