Increasing Exposure to Cyber Risk in Third-Party Relationships
Brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mesh of relationships, interactions, and transactions that span traditional business boundaries. Over half of an organization’s ‘insiders’ are no longer traditional employees. Insiders now include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, and more.
Over sixty percent of data breaches are linked to a third party rather than to the traditional organization itself. The people who are not on the company’s payroll and the infrastructure the company does not control may pose the biggest risk. Complexity grows as these interconnected relationships, processes, and systems nest themselves in layers of subcontracting and supplier relationships.
In this context, organizations struggle to adequately govern information security risk in third-party business relationships. Risk and compliance challenges do not stop at traditional organizational boundaries, because organizations bear responsibility for the actions or inactions of their extended third-party relationships. An organization can face reputational and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of poor information security governance and risk management. When questions of security arise, the organization is held accountable, and it must ensure that third parties behave appropriately.
The challenge: Can you attest to the information security governance, risk management, and compliance for third parties across your organization’s business relationships?
Governing third-party relationships, particularly in the context of information security risk and compliance, is like fighting the hydra of mythology: organizations cut off one head, only to find more heads springing up to threaten them. Departments react to third-party management in silos, and the organization fails to implement a coordinated strategy for third-party management across the enterprise. Organizations manage third parties differently across departments and functions, with manual approaches involving thousands of documents, spreadsheets, and emails.
Worse, they focus their efforts on the formation of a third-party relationship during on-boarding and fail to govern risk and compliance throughout the lifecycle of the relationship. This fragmented approach to third-party governance leads the organization to inevitable failure. Reactive, document-centric, and manual processes cost too much and fail to actively govern, manage risk, and assure compliance throughout the lifecycle of a third-party relationship. Silos leave the organization blind to intricate risk and compliance exposures that are never aggregated and evaluated in the context of the organization’s goals, objectives, and performance expectations for the relationship.