6 best practices for third-party risk management

CISOs have good reason to rank third-party risk as a top concern: their organizations engage with a growing number of third parties providing an ever-expanding range of services. While reputable providers certainly prioritize security, bringing products developed outside a business inside the company perimeter increases the chance of importing a threat. “Third-party risk is a major threat because it only takes one partner with poor security to put your own company at risk — and as a CISO, you own that risk,” says cybersecurity consultant Gerald Auger, a faculty member at The Citadel military college.

Recent research helps quantify the security threats that CISOs and their organizations face from third parties. For example, a 2023 RSA Conference report found that 87% of the responding CISOs had been affected by a significant cyber incident that originated at a third party in the preceding 12 months. A 2022 study from SecurityScorecard and the research firm Cyentia Institute reported that 98% of organizations had vendor relationships with at least one third party that had experienced a breach in the prior two years.

Third-party risk tops the threat lists of many executives

The “Executive Perspectives on Top Risks” survey from consultancy Protiviti found that the topic of third-party risks was the No. 4 risk for 2024 among the more than 1,000 directors and senior executives from the globe polled for the report; those same leaders put third-party risk at No. 6 on their list of anticipated risks for 2034. Clearly, third-party risks aren’t expected to be mitigated any time soon. If anything, the interconnected nature of the digital economy, the increasing enterprise reliance on outsourced service providers, the proliferation of cloud-based open-source software repositories, and the growing ingenuity of bad actors are increasing the threat level.

It’s a lot for CISOs to manage, experts acknowledge. “The risk always falls back to the CISOs, CIOs, and the executive team. So, you need to do everything you can in your power to protect yourself,” says Matthew Mettenheimer, an associate director in the cybersecurity practice of consultancy S-RM.

To that end, Mettenheimer and seven other security consultants, executives, and researchers shared six best practices for an effective third-party risk management program.

1. Align the executive team around all third-party risks

The risks presented by third parties encompass more than cybersecurity threats and the security threats posed by third parties can impact all parts of the organization — including its ability to operate, says Alla Valente, a Forrester Research senior analyst focused on security and risk.

Yet many organizations — particularly those without a chief risk officer — don’t take a comprehensive approach to managing those risks, Valente and other experts say. Rather, they will take a siloed approach; the CISO handles cybersecurity-related third-party risks and other executives take responsibility for those that might impact their respective functions. Such an approach can create blind spots and gaps, Valente says, adding that “one of the main challenges of third-party risks today is there is no single team that owns those.”

Valente and others say CISOs can — and should — take the lead in educating the board and the executive team on the cascading and interrelated nature that third-party risks create for the organization. In other words, CISOs should strive to get enterprise leaders to see how a third-party cyber incident could create a security issue at their own organization and lead to lost business, regulatory fines, and reputational damage.

“The executive team needs to understand why third-party risk management is important; because that’s where success in managing risk starts — with the board and in the C-suite,” says Shawn Murray, president of the Information Systems Security Association (ISSA), a not-for-profit international organization of information security professionals and practitioners.

2. Establish a third-party risk management program

Another critical step for the successful management of third-party risks is building a programmatic approach to the task, with a governance structure that establishes processes and standards that can be repeatably applied to numerous third parties. Mettenheimer says an effective third-party risk management (TPRM) program should be unique to each organization to ensure that how that organization assesses third parties and the risks they present aligns with the organization’s regulatory requirements, data protection requirements, and risk tolerance.

A helpful strategy here is to use a rubric to understand and classify third parties based on the risks they present, says Fred Rica, a partner in the advisory practice at the professional services firm BPM. A rubric could, for example, be used to rank third parties as low, medium, and high. A rubric also allows organizations to efficiently identify the level of assessments and mitigating controls required for each third party, with those labeled high receiving the most scrutiny and most mitigations.

Third-party risk management frameworks and software further help CISOs and their executive colleagues to establish programmatic approaches to TPRM, experts add. However, as helpful as those moves may be, studies show many organizations have yet to take such steps. For example, the 2024 CISO Survey from Panorays, a third-party security risk management software maker, found that 94% of CISOs were concerned with third-party cybersecurity threats but only 3% had implemented a third-party cyber risk management solution at their organizations.

3. Build an accurate, comprehensive, up-to-date inventory of third parties

CISOs can’t adequately manage third-party security threats when they do not have a complete picture of the third parties within their organization, says Murray, who is also president and CAO at Murray Security Services. This may seem like an obvious point, but Murray and others say this is a particularly challenging task as an increasing amount of technology is now deployed by business units instead of a centralized IT function committed to inventorying all tech assets. So, CISOs need to implement strategies for identifying and maintaining an accurate, comprehensive, and up-to-date inventory of the third parties whose security risks must be assessed and managed, Murray says.

There are certainly software solutions that help here, but Valente advises CISOs to build in other steps to help ferret out problems at third parties. For example, she says CISOs can work with the finance department to review recurring payments (including those on corporate credit cards) to identify new software subscriptions that were bought without involving the organization’s procurement department and, thus, haven’t yet been added to the inventory list.

4. Create effective, efficient assessment processes

Identifying and inventorying third parties is only the beginning. After that, CISOs must work to understand what security threats they could possibly present — a much more daunting task. “CISOs have to do assessments, but those assessments can’t be so lengthy that CISOs can’t get them done,” Valente says. Similarly, she says CISOs cannot — nor should they try — to apply the most rigorous assessment to each third party; that would be a Sisyphean task. Instead, she and others advise CISOs to develop methods for identifying those third parties requiring the most rigorous assessments and those requiring a less involved review.

Valente cautions organizations against using the cost of a third party as the yardstick for an assessment’s rigor, as some third-party services may cost a lot but present low security risks. Rather, an assessment’s level of rigor should be tied to the sensitivity of data that the third party will handle, its criticality to operations, and the level of technical integration involved in the relationship.

Furthermore, Valente recommends that CISOs create assessments that can easily and quickly flag potential security issues at third parties that would then trigger a deeper dive into their security practices. “Find the questions that are going to give you the red flags,” she tells CSO.

Valente explains that asking third parties how often they test their business continuity plans, for example, or whether they have a dedicated incident response team can help CIOs gauge the maturity of those third parties’ security programs. This in turn can help CISOs determine whether a third party has the minimum required security in place to warrant moving a contract with it forward — or whether a third party should be quickly disqualified from consideration because it can’t even pass the initial screening. Valente notes that CISOs have a lot of room for improvement with their assessment processes. She points to Forrester research, which has found that fewer than 50% of risk decision-makers said their organizations assess all third parties while 10% said they only assess the third parties they’re explicitly asked to assess.

5. Leverage the third-party contracting process to benefit security

When security assessments happen also matters, according to experts. Those security checks on third parties — whether supplier, vendors, or partners — typically happen during procurement, says Tim Witos, vice president of information security and risk management at McKesson, a healthcare and healthcare tech company. Too often the assessments come at the tail end of the process, when much of the negotiation is done, leaving CISOs with little to no leverage.

“Most organizations at best have language about security requirements that are reviewed at signing,” says Witos, who also serves as a council member with the Health 3PT Initiative, a collaborative of care providers, health systems and other healthcare organizations focused on reducing third-party information security risk with more reliable and consistent assurances.

CISOs would do well to get involved early in the procurement process, Witos and others say. They say CISOs should start by educating leaders within their organizations on what security elements will be required of any third parties. CISOs also should communicate early to potential vendors and partners what security standards they’ll have to have in order to ink any deals with the organization.

“We [CISOs] sometimes fail to have a conversation about what we expect,” Witos adds. “So set the expectations of what you’re looking for and why early; understand what you’re looking for a vendor to have when it comes to security. Make your legal team, your sourcing and your procurement team aware of the security requirements you want from your suppliers and explain that those must go into the contracts. Then write up those requirements in a way that the suppliers can understand them.”

Moreover, Witos and others say CISOs should include additional specifics in their third-party contracts to ensure they’re effectively managing third-party risks. Those specifics include requirements for how quickly the third party must notify the CISO (or a designee) if there is a cyber incident and what information the third party will supply. They should also include a clear articulation of what security aspects the third party will handle and which the organization will own, Mettenheimer says. “Know what your vendors are on the hook for. We see time and time again that organizations and CISOs will agree to a contract and believe that a certain level of security is in place [only to learn that] that extra level of security isn’t included in the vendor’s baseline contract.”

Another specific requirement a CISO should demand is the name and contact information of the third party’s security leaders so that the CISO can reach them in case of an event (rather than trying to work through account managers who likely won’t be of much help if there’s a cyberattack).

6. Make third-party risk management an ongoing exercise

Managing the risks presented by third parties doesn’t end once those contracts are signed, says Paul Kooney, who as a managing director at consulting firm Protiviti focuses on innovative third-party risk management program development as well as cybersecurity and privacy compliance. He says organizations with the most effective, and most mature, TPRM programs create ones that are continuous in nature so that they can identify and mitigate risks as they arise throughout the organization’s relationship with each third party.

Rica adds: “Third-party risk management is a process; it’s not an event. Many are very good about that initial assessment. They’re very thorough, they get the required documents, but then they forget about it. They don’t have any way to go back to see if the risks are the same, whether they’ve changed, or whether they need to change the controls. This is where things often fall apart.”

As such, Kooney, Rica, and others advise CISOs to monitor for compliance with contractual requirements continuously and to identify adjustments and updates that may need to be required, noting that third-party risk management program software and automation can support the security teams doing this work while keeping them from being overwhelmed by the task.

Business IT Alignment, Data and Information Security, Risk Management, Security Practices, Threat and Vulnerability Management

Go to Source