Security Experts: Most Companies Don't Properly Manage Third-Party Cyber Risk

It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s interconnected world. As such, developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline about a major breach that stemmed from a company’s relationship with a third party.

There are several different approaches to TPCRM strategies on the market today. While the goals are the same, it is important for organizations to create a program that allows them to act on actionable insight, meaning the insights and value provided should result in informed decisions that reduce risk both for the lead organization and for the third party that posed it.

Two common approaches used today are security rating tools and spreadsheet assessments. The problem is, you can’t make an informed decision about the risk a vendor brings to your organization based on a surface scan that looks solely at public-domain data, or on an annual spreadsheet-based questionnaire that was completed months ago. To be truly effective, third-party cyber risk management programs need to go beyond an initial scan and evaluate a third party’s security from the inside out, with validated and dynamic data, so you can identify with confidence what security gaps exist.

Your program should also help you identify those risks at both the individual and the portfolio level, so you can make informed decisions about what to prioritize and mitigate throughout your ecosystem. Spreadsheet assessments present their own issues, ranging from a static point-in-time view that can’t keep up with the evolving threat landscape to a legacy, bespoke assessment that acts more as a security blanket than as a source of information and action. A recent study by Ponemon found that 54% of organizations feel their assessments ultimately provide little value, and worse yet, only 8% of those assessments result in action. If you aren’t able to identify control gaps in your third parties’ security, or even identify the third parties you should not be partnering with, then what is the point of assessing them? Third-party cyber risk management should enable you to do just that: manage risk.

Getting to the root of most third-party cybersecurity problems requires the ability to identify which third parties pose you the most risk, prioritize them accordingly, and then apply the right level of due diligence on an ongoing basis to monitor them. This means identifying your third parties, scoping how you work with them to uncover your inherent risk, and then assessing them via dynamic and validated assessments to determine whether any critical security control gaps exist. Analytics should guide you in prioritizing those control gaps so you and your third parties can focus mitigation efforts on the gaps with the highest yield. The assessment process itself can be greatly streamlined by employing delivery models like an Exchange. An exchange not only serves as a central hub where the assessment data lives dynamically, but also enables a one-to-many relationship so multiple users can leverage the same data set, providing cost efficiencies for customers and time efficiencies for third parties. These efficiencies only work, however, if organizations are willing to let go of their customized assessments and adopt a comprehensive assessment.
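The identify, scope, assess and prioritize sequence described above can be made concrete with a small scoring model. The following Python is an added example, not CyberGRX code or any part of the original article: the scoping questions, their weights, the 1-to-5 severity scale and the three sample vendors are all constructed assumptions chosen to illustrate the idea. It computes inherent risk from scoping answers, residual risk from the worst validated control gap, ranks vendors individually, and then aggregates gaps across the portfolio so that the control domains with the highest remediation yield surface first.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical scoping questions and weights (assumption, not a published model).
# Each answer is scored 1 (low) .. 5 (high).
INHERENT_WEIGHTS = {
    "data_sensitivity": 0.40,     # what data does the third party handle?
    "access_level": 0.35,         # how deeply are they connected to our systems?
    "business_criticality": 0.25, # how badly would an outage hurt us?
}


@dataclass
class Vendor:
    name: str
    scoping: Dict[str, int]       # answers to the INHERENT_WEIGHTS questions
    control_gaps: Dict[str, int]  # control domain -> validated gap severity 0..5


def inherent_risk(v: Vendor) -> float:
    """Weighted 1..5 score from how we work with the vendor, before any controls."""
    return round(sum(w * v.scoping[q] for q, w in INHERENT_WEIGHTS.items()), 2)


def residual_risk(v: Vendor) -> float:
    """Inherent risk scaled by the worst validated control gap; no gaps -> 0."""
    worst = max(v.control_gaps.values(), default=0)
    return round(inherent_risk(v) * worst / 5, 2)


def prioritize(vendors: List[Vendor]) -> List[Tuple[str, float]]:
    """Individual-level view: vendors ordered by residual risk, highest first."""
    ranked = ((v.name, residual_risk(v)) for v in vendors)
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def portfolio_gap_yield(vendors: List[Vendor]) -> List[Tuple[str, float]]:
    """Portfolio-level view: sum of inherent_risk * gap_severity per control
    domain. Closing the domains at the top of this list removes the most risk
    across the whole ecosystem, which a per-vendor list alone does not show."""
    totals: Dict[str, float] = {}
    for v in vendors:
        ir = inherent_risk(v)
        for domain, severity in v.control_gaps.items():
            if severity > 0:
                totals[domain] = totals.get(domain, 0.0) + ir * severity
    return sorted(((d, round(s, 2)) for d, s in totals.items()),
                  key=lambda t: (-t[1], t[0]))


# Constructed sample portfolio (names and scores are made up for illustration).
SAMPLE_VENDORS = [
    Vendor("payroll_saas",
           {"data_sensitivity": 5, "access_level": 4, "business_criticality": 4},
           {"access_management": 4, "logging": 2, "patching": 0}),
    Vendor("marketing_agency",
           {"data_sensitivity": 2, "access_level": 2, "business_criticality": 1},
           {"access_management": 5, "encryption": 3}),
    Vendor("cloud_hosting",
           {"data_sensitivity": 4, "access_level": 5, "business_criticality": 5},
           {"patching": 3, "logging": 1}),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_VENDORS):
        print(f"{name:18s} residual risk {score}")
    print("portfolio remediation yield by control domain:")
    for domain, total in portfolio_gap_yield(SAMPLE_VENDORS):
        print(f"  {domain:18s} {total}")
```

Note how the two views disagree in a useful way: the marketing agency has the single most severe gap (a critical access-management finding), yet it ranks last individually because little inherent risk is exposed through it, while access management is still the highest-yield domain for the portfolio because the payroll provider shares the same gap. That is the distinction between individual and portfolio prioritization the article calls for.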

Knowing the difference between the various assessment techniques used to evaluate third parties is critical to making the right investments of time and money. Outside-in scans give a quick indicator of potential risk that can help prioritize a program, but they should not be used alone for critical TPCRM decisions. Bespoke and static assessments can provide a deep review, but their results are often hard to glean insights from and therefore don’t result in action. A dynamic, validated approach that provides actionable insights will give you a deep and continuous understanding of third parties’ control gaps that can readily inform your security program.

Given today’s cost of a data breach, which can climb well into the millions, an investment in a TPCRM program will more than make up for itself in a very short period of time.

As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred was an Associate Principal at McKinsey & Co., where he led the company’s Corporate Finance practice. Fred has also worked as an investor with two later-stage private equity investment firms. Fred holds a B.S.E from Princeton University and an M.B.A. from Columbia Business School.