More than 80% of organizations in the last two years have experienced business interruptions caused by third parties, despite their investments in trying to tamp down risks created by their vendors and partners, a new report by the analyst firm Gartner says.
The report, based on a survey of 376 senior executives involved in third-party cybersecurity risk management (TPCRM), arrives at a time when security professionals are increasingly concerned about the dangers associated with third-party risk and are struggling to get a handle on it.
Zachary Smith, senior principal for research at Gartner, said in a statement that third-party risk management is often resource-intensive, overly process-oriented, and short on results.
“Cybersecurity teams struggle to build resilience against third party–related disruptions and to influence third party–related business decisions.”
—Zachary Smith
Matt Rose, field CISO for ReversingLabs, said organizations aren't getting the bang for the bucks they're putting into TPCRM. The proof? The triple-digit rise in software supply chain attacks, which have affected thousands of companies over the past few years.
"If organizations’ TPCRM programs were effective, then even if a third-party application or software package were compromised, it wouldn't cause much harm to the organization because the proper protections and resolution programs would be in place."
—Matt Rose
Demi Ben-Ari, CTO and co-founder of the TPCRM firm Panorays, said one key reason risk management programs disappoint may be how they're implemented.
"Most third-party risk management efforts predominantly focus on compliance and governance and ticking boxes, which may not be sufficient to fully protect organizations."
—Demi Ben-Ari
Here are the top reasons TPCRM programs fail — and key considerations for developing an effective risk management program.
[ Get related Gartner Report: Mitigate Enterprise Software Supply Chain Security Risks | Join Webinar: Learn key takeaways from the Gartner report ]
Checklists just don't cut it anymore
Charles Jones, software supply chain security evangelist at ReversingLabs, said traditional methods of assessing third-party risk, such as questionnaires, are slow and resource-intensive. Additionally, the assurance that can be derived from them is weak, because they are mainly based on self-attestation from the third party itself.
As a result, organizations often spend a significant level of effort chasing their third parties, with little to show for it in terms of the amount of risk reduction they are able to demonstrate.”
—Charles Jones
ReversingLabs' Rose added that the biggest challenge to managing third-party risk is that, in the end, third parties are not responsible for the security of the software and applications they produce, despite the Secure by Design initiative of the Cybersecurity and Infrastructure Security Agency.
“Someone else is responsible, and in a lot of cases you have to take their word for it and trust that the third party is doing the right things.”
—Matt Rose
Even if the information in the questionnaires is reliable, the manual processes of producing them and intervening during risk assessments can be overwhelming for organizations to manage as the volume of third parties increases.
"Today, large enterprises may rely on tens of thousands of third parties to operate their business. As a result, the ability to manage all of them using manual processes becomes unwieldy.”
—Charles Jones
Unwieldy processes bog organizations down
In addition, questionnaire-based TPCRM programs can be overly process-oriented, Rose said.
“Typically, questions come up, which leads to a lot of back and forth between many different stakeholders, which can result in a many-step process.”
—Matt Rose
James McQuiggan, a security awareness advocate at KnowBe4, said the need for consistency and accountability, especially for internal and external reporting, drives companies' emphasis on formalized procedures. Integrating risk management with other organizational processes, such as procurement and IT security, adds complexity. Even in a traditional security operations center (SOC), the evolving nature of best practices and standards in risk management demands a systematic approach. With the move to automation in the SOC, complexity grows.
“This is further compounded by the technological complexities of implementing automated risk assessment and monitoring tools, which require specific processes for effective deployment and interpretation. These combined factors contribute to the process-heavy nature of TPCRM, as organizations strive to manage risks consistently, efficiently, and with accountability.”
—James McQuiggan
Four key components of effective risk management
Gartner noted that successful TPCRM depends on a security organization’s ability to influence overall business decision making and to deliver on three outcomes: resource efficiency, risk management, and resilience. However, the report says that enterprises struggle to be effective in two out of those three outcomes and that only 6% of organizations are effective in all three.
Gartner recommends four actions that security and risk management leaders should take to increase the effectiveness of their TPCRM programs, adding that organizations that have implemented any of these actions saw a 40% to 50% increase in TPCRM effectiveness:
- Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship. Chief information security officers (CISOs) need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.
- Track third-party contract decisions to help manage risk acceptance by business owners. Business owners will often choose to engage with a third party even if they are well-informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.
- Conduct third-party incident response planning, such as playbooks and tabletop exercises. Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure that the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.
- Work with critical third parties to mature their security risk management practices as necessary. In a hyperconnected environment, a critical third party’s risk is also an organization’s risk. Partnering with critical third parties to improve their security risk management practices helps promote transparency and collaboration.
Avoid one-size-fits-all analysis
ReversingLabs' Jones said that, far too often, organizations make the mistake of building a one-size-fits-all all program to monitor third-party security risk.
“Although this may make it easy to compare the security posture of one-third party to another — an apples-to-apples comparison — it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile.”
—Charles Jones
Jones said one-size-fits-all programs could be detrimental to the comparison of the security maturity of two third parties that are inherently different because "it may negatively influence procurement decisions if the comparison is built off a correlation with no significance."
Gopi Ramamoorthy, senior director of security and of governance, risk, and compliance (GRC) at Symmetry Systems, said one way to avoid the one-size-fits-all trap is to implement a tiered system for assessing risk.
“The tier levels should depend on multiple metrics, including business dependency, impact, failure risk factors, recovery tests, technical support, and contractual obligations."
—Gopi Ramamoorthy
Once a matured tier-level system is implemented and each third party has been assigned to an appropriate tier, the organization should align the processes and use appropriate system tools to monitor them, Ramamoorthy said. “This will lead to better assessment and visibility of third-party risks and eventually will have improved results in TPCRM,” he added.
Visibility of risk is essential
Visibility is a top-of-mind concern among GRC, IT, and security pros, according to survey results recently released by Drata, a TPCRM company. In its Risk Trends Report, Drata found that 80% of businesses are concerned that they don’t have full visibility into the security posture of their third-party partners. Even among businesses that have the resources for thorough third-party screening, 47% acknowledged that they don’t have complete visibility into their third-party ecosystem.
AI to the rescue?
Organizations looking for a better return on their investment may find it as artificial intelligence begins to be integrated into third-party cybersecurity risk management solutions, said Piyush Pandey, CEO of Pathlock.
“AI can dramatically enhance the ROI in third-party risk management by automating risk assessments, enabling the rapid analysis of vast datasets to identify risks efficiently."
—Piyush Pandey
Organizations should look to solutions that provide continuous, real-time monitoring of third-party activities, providing immediate alerts, as well as dynamic access controls, to mitigate potential issues, Pandey said.
“AI should be harnessed to provide predictive analytics capabilities that allow organizations to mitigate potential risks proactively, rather than merely reacting to them, thus optimizing resource allocation and risk mitigation strategies.”
—Piyush Pandey
Panorays' Ben-Ari said AI-powered natural language processing (NLP) can help organizations quickly identify relevant terms related to security, compliance, and responsibilities during due diligence.
“By automating routine tasks, customizing risk scoring, and continuously learning from data, AI optimizes resource allocation, enhances incident response capabilities, and ultimately improves the long-term effectiveness of third-party risk management efforts. This advanced approach ensures that TPCRM efforts are not only compliant but also aligned with business objectives, delivering a more significant return on investment.”
—Demi Ben-Ari
Getting a handle on risk is essential to the business
As third parties become increasingly integral to business operations, reducing their risks grows ever more critical. Organizations still have work to do in improving visibility, planning mitigations, and collaborating with partners.
By complementing those efforts with AI, companies may finally gain an upper hand on third-party cybersecurity risk and maximize their ROI. The path forward lies in augmenting human intelligence with AI to create more resilient, cyber-aware partnerships.
