This post first appeared on Risk Management Magazine. Read the original article.
As enterprise leaders and security professionals increasingly
recognize the risks and compliance implications that cybersecurity failures pose,
the practice of third-party risk management (TPRM) continues to grow. Most
large organizations today have a formalized program in place and several
staffers dedicated to TPRM. And vendors are getting used to at least some level
of scrutiny of their security controls through security questionnaires and
other assessment methods.
The security industry has moved beyond the awareness-building
stage of addressing third-party risk, but it is also important to keep moving
forward. This is why RiskRecon and Cyentia Institute commissioned an in-depth
study that explores the current state of third-party risk management programs
and practices, based on a survey of 154 active third-party risk management
professionals.
According to The State of
the Third-Party Risk Management Report, 63% say managing
third-party risk is a growing priority for their organization. The good news is
79% of organizations have a TPRM program in place, but these programs may not
have reached maturity. For most, TPRM programs have only operated for five to
six years. While new methods are starting to prevail, 84% reported the use of
questionnaires to assess vendor security risk.
While security questionnaires are a great start to a TPRM
program, the research found that TPRM professionals increasingly do not trust
that they provide sufficient information to properly understand and act on
their third-party risk. The report found that 81% of firms report that at least
75% of vendors pass questionnaire-based assessments without exception, but on
average, only about 14% of respondents express confidence that their vendors
truly meet their security posture requirements.
Not having a complete assurance that your vendors have control
over their cyberrisk and yours can be a big issue. This is especially true because
most companies are critically dependent on these third-parties and trust them with
sensitive data and operations functions. On average, respondents said that 31%
of their vendors could cause a critical impact to their organization if
breached, while 25% said that half of their entire network could trigger severe
impacts.
Security and business leaders who want to take their TPRM
practices to the next level—both in terms of risk reduction and efficiency—must
start to make meaningful changes to how they fund and operate their programs.
The report indicates three key areas on which leadership can focus to speed up
their progression through the TPRM maturity curve:
Staffing according to the ratio of high-impact vendors to full-time employees:More than half (57%) of respondents reported that staffing levels regularly limit their ability to keep up with managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. Plus, it found that one out of three TPRM programs manages more than 100 vendors per year. Additionally, 25% of programs said that severe personnel shortages made it so that their TPRM program rarely or never completed critical tasks.
Examining
the perception of staffing adequacy-based vendor-to-full time employee (FTE)
ratios, one correlation was that the ratio of FTEs tasked with managing
critical vendors—those that could materially harm the company with a breach—did
make a big impact. Respondents in teams that manage an average of five to six
critical-risk vendors per FTE always feel adequately staffed, while those
juggling 30 or more never do.
The
inference from the data is that organizations focus less on the raw number of
vendors under management per FTE and start paying greater attention to the
ratio of high-impact vendors to FTEs.
More continuous assessment:The vast majority of organizations rely heavily on limited assessment methods for judging the state of their third-party’s security posture. Approximately 84% of organizations utilize security questionnaires and 69% use documentation reviews. Not only are these methods inconsistent in digging up actionable insight—81% of organizations say their questionnaires rarely result in security remediation—but they are also conducted at a single point in time.
Organizations
that want to make gains on their TPRM program maturity should seek out ways to
collect data continuously and automatically about the potential risks lurking in
their third-party portfolio. Today around half of organizations do this through
remote assessments and cybersecurity ratings.
Adjusting scope based on good performance:One of the prevailing themes in the report is that TPRM programs are generally struggling to conduct reliable, actionable assessments at scale. One method that is becoming increasingly popular to divert strained resources to the highest risk vendors is to adjust the scope of vendor scrutiny as security performance changes. Currently, only 38% of organizations decrease scope based on performance.
For
example, an organization may require historically strong performers to only
self-assess through security questionnaires and backstop that with continuous
assessment through cybersecurity ratings. If the ratings flag a certain
threshold of findings, then that might trigger more in-depth care that could
include more frequent questionnaires, on-site assessments, remote assessments,
and other methods.
Ultimately,
TPRM will continue to advance as organizations use methods like the three
listed above to build out data-driven programs that can rapidly collect and
analyze relevant data faster to make quicker new vendor decisions and
intelligently allocate risk engagement resources toward known poor-performing
vendors and away from strong-performing ones.