Conversations in Risk-Based Security

Third Party Risk Management: Just the Right Thing to Do

Posted by Angela Dogan on Jul 16, 2019, 2:19:18 PM
Social-Media-Ad-Template (1)

With scrutiny on companies intensifying as data breaches become a matter of when, not if, the subject of Third Party Risk Management (TPRM) enters the cybersecurity spotlight more and more. A November 2018 Opus and Ponemon Institute study noted “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent – up 5 percent over last year’s study and a 12 percent increase since 2016.” Yet, despite this reality, a July 2018 CrowdStrike report notes “fewer than a third (32 percent) of respondents’ organizations have vetted all of their suppliers, new or existing, over the past 12 months.”

What’s going on here? If a data breach is a third party’s fault, companies still receive the blame. Yet, companies fail to create TPRM programs—or implement them properly—even as data breaches increase in quantity and severity. Especially in less regulated industries, many organizations do not have mature TPRM programs. Even larger companies struggle with the volume and complexity of thousands of third-party vendors.

The absence of mature TPRM programs does not result from a lack of available best practices. Plenty of resources exist that cover:

  • Assessing risk (inventorying and evaluating vendors).
  • Managing risk (creating processes, procedures, policies, contracts, and SLAs).
  • Working with third-party vendors (due diligence, continuous assessments, communication, collaboration).
  • Independently assessing risk with external frameworks (NIST 800-53, ISO 27001/2, Shared Assessments Program, Cloud Security Alliance Cloud Controls Matrix).
  • Planning for worst-case scenarios (incident response, data breach notification, alternate options in case something bad happens to a vendor).

But reiterating the same best practices will not address the obstacles preventing organizations from maturing their TPRM programs. Kevin Howarth of the National Technology Security Coalition (NTSC) and myself examine this phenomenon in a new white paper entitle, Third Party Risk Management: Just the Right Thing to Do.  In this whitepaper, we explore the obstacles to TPRM maturity, offer recommendations that will help organizations get past those obstacles, and explore how legislation, regulations, and standards are helping organizations adopt stronger TPRM programs.

Specifically, this whitepaper will examine.

  1. Why more TPRM programs are not mature and what unique obstacles make risk management programs challenging for even large companies.
  2. What a mature program looks like, who owns risk management, and how different departments need to work together.
  3. How legislation, regulations, and standards help promote the adoption of mature TPRM programs across all organizations.

Click Here to download your FREE White Paper today!

Topics: Third Party Risk Management