
Most Companies Don’t Properly Manage Third-Party Cyber Risk


It’s been established that good cybersecurity requires not just an internal assessment of an organization’s own security practices, but also a close look at the security of the partners that businesses rely upon in today’s interconnected world. As such, developing a Third-Party Cyber Risk Management (TPCRM) strategy is becoming more common with every news headline regarding a major breach that stemmed from a company’s relationship with a third party.

There are several different approaches to TPCRM strategies on the market today. While the goals are the same, it is important for organizations to create a program that allows them to execute on actionable insight, meaning the insights and value provided should result in informed decision making that reduces risk for the lead organization and for the third party that posed it. 

Two common approaches used today are security rating tools and spreadsheet assessments. The problem is that you can’t make an informed decision about the risk a vendor brings to your organization based on a surface scan that looks solely at public domain data, or on an annual spreadsheet-based questionnaire that was conducted months ago. To be truly effective, third-party cyber risk management programs need to go beyond an initial scan and evaluate your third party’s security from the inside out, with validated and dynamic data, so you can identify with confidence what security gaps exist.

And your program should help you identify what those risks are at both the individual and portfolio level, so you can make informed decisions about what to prioritize and mitigate throughout your ecosystem. Spreadsheet assessments present their own issues, ranging from a static point-in-time view that can’t keep up with the evolving threat landscape to a legacy, customized bespoke assessment that acts more as a security blanket than a source of information and action. A recent study by Ponemon found that 54% of organizations feel their assessments ultimately provide little value, and worse yet, only 8% of those assessments result in action. If you aren’t able to identify control gaps in your third party’s security, or even the third parties you should not be partnering with, then what is the point of assessing them? Third-party cyber risk management should enable you to do just that: manage risk.

Getting to the root of most third-party cybersecurity problems requires the ability to identify which third parties pose the most risk to you, prioritize them accordingly, and then apply the right level of due diligence in an ongoing manner to monitor them. This requires identifying your third parties, scoping out how you work with them to uncover your inherent risk, and then assessing them via dynamic and validated assessments to determine if there are any critical security control gaps. Analytics should be able to guide you on how to prioritize those control gaps so you and your third parties can focus your mitigation efforts on the gaps with the most yield. The assessment process itself can be greatly streamlined by employing delivery models like an exchange. An exchange not only serves as a central hub where the assessment data lives dynamically, but also enables a one-to-many relationship so multiple users can leverage the same data set, providing cost efficiencies for the customers and time efficiencies for third parties. These efficiencies only work, however, if organizations are willing to let go of their customized assessment and employ a comprehensive assessment.

Knowing the difference between the various types of assessment techniques used to evaluate third-parties is critical in making the right investments of time and money. Outside-in scans give a quick indicator of potential risk that can be used to help prioritize a program but should not be used alone for critical TPCRM decisions. Bespoke and static assessments can provide a deep review, but are often hard to glean insights from and therefore don’t result in action. A dynamic, validated approach that provides you actionable insights will provide a deep and continuous understanding of third-parties’ control gaps that can easily inform your security program. 

Given today’s cost of a data breach, which can climb well into the millions, an investment in a TPCRM program will more than pay for itself in a very short period of time.
