Third-party programs are in the spotlight right now, and with good reason. Changes in global regulations, ongoing third-party related breaches and increasing board involvement are forcing organizations to bring their murky third-party ecosystems into sharp focus. Outsourcing of non-core business activities is the new normal and every new vendor you share your data with expands your ecosystem, and attack surface. The security of your ecosystem and data is now dependent on the security of your third parties.
With these trends, one would expect a greater level of scrutiny around third party and vendor risk management, however, industry surveys indicate there is still a gap. Bomgar reported that 35% of organizations surveyed said they experienced a third-party related breach. Additionally, the Bomgar survey found: “While many security professionals admit that they afford external groups too much trust, action has not followed this recognition. Processes to control and manage privileged access for vendors remain lax, as evidenced by only 34 percent of respondents expressing total confidence that they can track vendor log-ins. A slightly higher percentage (37 percent) believe they can track the number of vendors accessing their internal systems.”
The only way to fully understand the vulnerabilities that your relationships with your third parties may be creating is by taking matters into your own hands and actively identifying and mitigating risk. So how do you do this with limited time and resources?
Organizations are tackling this challenge in a variety of different ways, but for most, the burden falls upon CISOs and other risk managers to close the external gaps. This burden can appear insurmountable when that team is already juggling a variety of tasks with limited resources. If this sounds familiar, here are some tips to ensure you’re running your third-party program like a well-oiled machine—and on budget.
Incorporate tools that enable you to work as a community
Information sharing and collaboration tools can not only reduce costs, but they facilitate true risk management by standardizing data and making it easily accessible. Deloitte’s 2017 Extended Enterprise Risk Management survey highlighted a budding trend in third-party programs towards utility models that enable information sharing and collaboration. However, that same report showed that more than 50% of respondents were unaware that such tools exists. While this new delivery model approach is still relatively new, solutions do exist and they provide a variety of benefits. From reduced cost to a structured and consistent process, utility solutions like risk information exchanges will arm all participants with collective bargaining rights around mitigation and remediation efforts, as well as access to structured data.
Use standardized & structured risk assessment data
Payment Card Industry Data Security Standard best practices recommend frequent audits and third-party risk assessments to evaluate your partners’ policies, operations and history—and gain holistic visibility throughout your entire third-party ecosystem. Many enterprises, however, rely on shared spreadsheets or bespoke assessments in their third-party programs to help them understand and mitigate risk. These approaches may collect some information on a vendors policies and practices, but they do so on an individual level and the insights are buried in unstructured data. Each third-party risk assessment still must be conducted (and analyzed) separately, with no way to holistically interpret the results across multiple third-party vendors and systems. So how do you make the third-party risk assessment process work for you, instead of bogging you down in digital “paperwork” and meaningless data?
A standardized and structured risk assessment approach may remove some custom questions, but it collects data in a format that enables analysis and holistic insights about your entire ecosystem.
Leverage managed services so you can take a risk based approach
In an increasingly complex digital landscape, organizations need more than ad hoc risk analysis—they need quick, actionable insights. By employing a managed service third-party risk management model you can streamline the third-party risk assessment process and efficiently manage complex third-party portfolios while empowering your risk management team to quickly prioritize and mitigate threats.
Instead of struggling to manage multiple relationships, a managed service approach will enable companies and vendors to consolidate and hand off manual and time consuming efforts so they can focus on strategic risk initiatives. The result? Conserving valuable human and technology resources and applying them to a truly risk based approach.
In short, new delivery models and managed service offerings will help you create a well-oiled third-party program that doesn’t break the bank.