Debunking Common Misconceptions about Third-Party Risk Management

High-profile data breaches that originated in third-party networks continue to make news headlines across the globe – like Fiserv, Sears, Delta, Saks, Lord & Taylor and many more. As a result, organizations everywhere are paying closer attention to the security of their third-party vendors and contractors and developing third-party risk management (TPRM) programs to help them avoid becoming the next breach victim. 

A TPRM program is an important defense against encroaching cyber threats. However, it’s even more important that businesses implement the right program in order to effectively protect themselves – and that starts with having the TPRM facts straight. 

From network size requirements and compliance factors, to vendor communications and data sources, several misconceptions about managing a third-party risk program have emerged in recent years. 

Misconception #1: TPRM is only required for companies with a massive vendor network
Some believe that the more vendors an organization has, the higher the probability of breach; but it only takes one vendor to cause a breach. All organizations have sensitive data to protect and need to consider the risk implications of working with third parties.

Security leaders need to understand their entire third-party ecosystem and which of their vendors interact with sensitive data. The process is easier for organizations with fewer third parties, but it should not be overlooked, regardless of company or third-party network size.

Misconception #2: TPRM is not a board-level issue
By 2020, 75% of Global Fortune 500 companies will treat vendor risk management as a board-level initiative, according to Gartner. Not involving the board in TPRM decisions could lead to lack of support and resources. A successful program will have buy-in from the board and report TPRM initiatives on an ongoing basis. 

Misconception #3: Compliance is the #1 goal of any TPRM program
While compliance is important, and it should be a goal of TPRM programs, it shouldn’t be the only goal. Maintaining compliance doesn’t ensure the safety of data. Global and regional cybersecurity regulations are great to align with, but they only ensure the minimum acceptable standards. TPRM programs should focus on risk management, rather than a simple “check the box” approach.

Additionally, regulations are updated infrequently, but risk is constantly evolving. Even if updated regulations were passed within the last year, there are likely countless new risks that have emerged since. Ongoing research and continuous monitoring are needed to have a strong and effective TPRM program.

Misconception #4: Longer vendor questionnaires lead to increased security
Traditionally, to assess the security performance of vendors, organizations use cyber risk questionnaires. As the cyber threat landscape becomes more complex, there’s an impulse to simply make questions lengthier in an attempt to be more comprehensive. The reality is that these lengthy questionnaires are more irritating for vendors to complete and even more difficult to analyze.

A better approach is to tier suppliers based on potential risk and supplement questionnaires with continuous monitoring data. This reduces the number of questions organizations need to ask their third parties, making their TPRM programs more efficient and effective overall.

Misconception #5: Organizations can’t influence their third parties’ cybersecurity practices
Security leaders have many tools at their disposal to influence the security performance of their vendors. For most businesses, the most effective way to influence third parties is through contractual obligations. With quantifiable measurements of security performance, organizations can include precise KPIs in contracts.

Sometimes, simply making vendors aware of their security missteps or vulnerabilities is enough to inspire change. Many vendors are unaware of their cyber risks, and offering a solution based on data may lead to action to fix the issue, protecting both businesses and fostering a more collaborative relationship.

Misconception #6: It’s impossible to have a totally up-to-date view of a third party’s cybersecurity posture
Tools like questionnaires, penetration tests and on-site visits only give a view of security performance at one point in time. In between these assessments, a multitude of new security threats will emerge, and the vendor’s security practices could change. Using continuous monitoring can fill these gaps with near real-time updates. This can give security leaders a more rounded view of their third parties’ risk posture at any point in time. 

A data breach affecting third-party IT infrastructure can cost businesses upwards of several million dollars, and organizations can no longer afford to mishandle third-party risk. By bucking these misconceptions and focusing on continuous monitoring, approaching third-party security performance from a place of collaboration, and making third-party risk a board-level issue, organizations will put themselves on a path to a stronger and more effective TPRM program that evolves as quickly as the latest threats do.