Companies increasingly rely on third parties to do business. With this comes an increased vulnerability to cyber threats, specifically ransomware and supply chain-focused attacks. As we’ve experienced over the past year with large third-party and supply chain attacks affecting many industries and countries, these types of cyber attacks affect not only primary targets but also the third parties that a business may be working with.
Because of these increased attacks, it’s clear that priorities are changing. Third-party risk management is beginning to rise to the top of the concern pile, with organizations recognizing that it’s not enough to have visibility and control within their own security postures: they also need to take a more proactive approach to understanding and influencing the security postures of the vendors with which they do business. In the recently published Forrester Consulting study commissioned by CyberGRX, “Why Isn’t Your Organization Prioritizing Third-Party Risk,” 52 percent of respondents state that improving third-party cyber risk management strategies is among their organization’s top security priorities over the next 12 months.
In a recent survey we conducted of Chief Information Security Officers, it’s evident that the perception of pain points is shifting as well. Funding and buy-in from executive staff have slipped to last place, garnering just shy of 13 percent of the responses. Instead, pain points are now focused on how the program itself is managed, as well as on the data and the visibility it provides. Manual processes that waste precious resources account for one-quarter of the reported pain, with third-party risk data being static and often not actionable coming in at 26 percent. Most telling, though, is that more than one-third of respondents rate managing risk at the individual third-party level, instead of ecosystem-wide, as their biggest pain point when it comes to third-party cyber risk management.
Recognizing the problem and prioritizing a solution is an important first step. But what needs to follow is a new approach to solving this problem. Gone are the days when third-party cyber risk could be managed through risk assessments alone. Frustration levels are high, from both a third-party and a first-party perspective. Instead of collaborating to reduce risk together, assessment chasing has become the goal. With this myopic focus, both sides now have the unrealistic expectation that assessment completion equals improved risk management.
And even when these assessments are collected, the data is not standardized, meaning little can be done with it from an analysis point of view. Data without insight is only noise. To round out the broken state of things, we’re investing so much of our time and resources in the process and not seeing an ROI that brings us the level of confidence needed to truly believe our risk posture has improved.
A major finding of the Forrester report is that mitigating third-party risk requires a different approach to strategy and technology. Organizations need to approach third-party risk with a new holistic, ecosystem-focused, and cybersecurity-focused strategic mindset. This includes updated third-party assessment analysis, standardized processes, and higher-quality technology solutions.
One way to begin to better understand the data surrounding third-party cyber risk, and to put all the assessments to work in an actionable way, is by using company profiles. CyberGRX is leading the charge by harnessing the power of machine learning. We've launched the first step in the ability to view third-party cyber risk at a portfolio level with Predictive Risk Profiles. These company-level profiles provide insight into program maturity, top risk findings, control coverage, and risk surface scores that include inherent and residual risk levels for every third party within your portfolio, without the need to complete an assessment.
The capability to do this is unique to us. We used standardized data to create and power our Exchange. This allows us to apply advanced machine learning and data analytics to our data set, something that data sets built from customized, non-standard assessments cannot support. Because of this approach to data collection and analysis, we are able to produce unique insights across an entire portfolio of third parties. Simply put, we have enough data to be able to generate new data of our own.
A portfolio-wide view lets you see, measure, and reduce the overall risk across your entire third-party ecosystem. With CyberGRX, you can build an intelligent risk portfolio that informs where more detailed assessments and corresponding mitigations are required. Your time is better spent analyzing data and remediating the risk discovered rather than chasing assessments. And while self-assessments are still a piece of the puzzle, with Predictive Risk Profiles they are no longer the keystone.