Challenges in Third-Party Risk Management

Most organizations face a common set of difficulties when implementing and executing a third-party risk management program. Most of these stem from factors intrinsic to how such organizations operate in their sectors, or to the operations of their third parties, and are therefore beyond the control of the contracting organization.

Often, internal commercial processes overlap with compliance processes, so that a third party is contracted, and its systems are even integrated with those of the contracting organization, before any survey process or cyber due diligence has taken place. No wonder 65% of surveyed organizations don’t know which third parties have access to their most confidential data: often these third parties go through no questioning, research or survey process at all until it is too late.

One of the biggest challenges for Information Security and risk management teams today is tracking third-party risk. The lack of access and, consequently, of visibility is very detrimental to assessing potential risks and to strategic decision-making. Since organizations rarely disclose their own lack of security practices, the assessment is often limited to what can be observed from the outside, which makes the process very difficult.

But after all, what are the main challenges common to most Information Security teams when it comes to third-party risk management? We list below the most frequently reported:

Visibility

Traditional risk assessment methodologies such as penetration testing, Information Security questionnaires and site visits are time-consuming, expensive and generally rely on subjective assessments. In addition, it can be difficult (or close to impossible) to verify a vendor’s claims about its Information Security controls.

Even if a questionnaire reveals the effectiveness of a given vendor’s Information Security controls, it will only do so at that point in time. The IT infrastructure is constantly changing in most organizations and therefore such questionnaires may not reflect current realities months from now.

For these reasons and more, many organizations are using Information Security ratings alongside traditional risk assessment techniques. By making use of Information Security ratings, in conjunction with existing third-party risk management techniques, risk management teams can obtain and consolidate objective, up-to-date, and verifiable information regarding a vendor’s Information Security controls.

According to consultancy Gartner, cyber Information Security ratings will become as important as credit ratings when assessing the risk of new and existing business relationships. In addition, the services will have expanded their scope to evaluate other areas such as cyber insurance, due diligence for M&A and even as a raw metric for internal Information Security programs.

Consistency

Third-party risk management processes do not always take into account all third and fourth parties in a chain, which means that not all third parties are monitored and, when they are, they are not held to the same standard as the others.

While it’s good, and even recommended, to evaluate critical suppliers more intensively and thoroughly than non-critical suppliers, it’s still important to evaluate all suppliers against the same standardized minimum checks to ensure that nothing is overlooked.

Speed

It’s no secret that getting a supplier to complete an Information Security questionnaire, and then processing the results, can be a delicate, difficult and time-consuming process. It gets significantly worse when questionnaires come in the form of long spreadsheets without version control, resulting in a process that is error-prone, slow and impractical because it does not scale.

Depth

Many organizations make the mistake of believing that they don’t need to monitor low-risk third parties, such as marketing tools or cleaning services. In today’s world, you need to monitor all vendors, which is why most companies use a variety of processes and tools for exposure surface discovery.

Business Context

Many organizations fail miserably to provide context around their assessment, although different types of supplier relationships (even with the same supplier) can pose different levels of risk. For example, one supplier may only be used to transfer non-confidential information, such as blog posts, while another supplier may handle, store and process your customer’s confidential data.

While securing the former may not be a priority, taking steps to mitigate the risks associated with the latter is critical, as it poses a significant risk to both the contracting organization and the privacy of its customers.

One way to resolve this issue is to label third parties according to criticality, always prioritizing based on the business context, which allows Information Security teams to focus first on the biggest threats and make effective use of their time and resources.

Traceability

Large organizations often maintain relationships with hundreds or even thousands of third parties and keeping track of them can be a challenge. It is important to closely monitor who your suppliers are, to whom the Information Security related questionnaires were sent and, finally, how many, by whom and when the questionnaires were completed.
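The three points above (the same minimum checks for every supplier with deeper checks for critical ones, criticality labeling by business context, and tracking which questionnaires were sent and completed) can be captured in one small inventory model. This is an added illustration, not a tool from the article; the vendor records, data classes, check names and 30-day overdue threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed sample model (not the article's own tooling): one record per supplier.
@dataclass
class Vendor:
    name: str
    data_handled: Set[str]            # classes of our data it touches, e.g. {"customer_pii"}
    system_integration: bool          # is it connected to our systems?
    questionnaire_sent: Optional[date] = None
    questionnaire_done: Optional[date] = None

CONFIDENTIAL = {"customer_pii", "financial", "credentials"}  # assumed classification labels
# Every supplier gets the same standardized minimum checks; critical ones get more.
BASE_CHECKS = ["security_contact", "breach_notification_clause", "minimum_questionnaire"]
CRITICAL_CHECKS = BASE_CHECKS + ["full_questionnaire", "pentest_evidence", "annual_review"]

def tier(v: Vendor) -> str:
    """Label by business context: what data the supplier handles and whether it is integrated."""
    if v.data_handled & CONFIDENTIAL:
        return "critical"
    if v.system_integration:
        return "moderate"
    return "low"

def required_checks(v: Vendor) -> List[str]:
    return CRITICAL_CHECKS if tier(v) == "critical" else BASE_CHECKS

def questionnaire_status(v: Vendor, today: date, overdue_days: int = 30) -> str:
    """Traceability: was a questionnaire ever sent, and has it come back?"""
    if v.questionnaire_done:
        return "completed"
    if v.questionnaire_sent is None:
        return "never_sent"
    return "overdue" if (today - v.questionnaire_sent).days > overdue_days else "pending"

def prioritise(vendors: List[Vendor], today: date) -> List[Vendor]:
    """Open items ordered so critical suppliers without a completed questionnaire come first."""
    order = {"critical": 0, "moderate": 1, "low": 2}
    open_items = [v for v in vendors if questionnaire_status(v, today) != "completed"]
    return sorted(open_items, key=lambda v: (order[tier(v)], v.name))

# Constructed sample inventory.
SAMPLE = [
    Vendor("blog-cms", {"public"}, False, date(2023, 4, 1), date(2023, 4, 10)),
    Vendor("payroll-saas", {"financial", "customer_pii"}, True, date(2023, 3, 1)),
    Vendor("cleaning-co", set(), False),
    Vendor("crm-vendor", {"customer_pii"}, True),
]
```

Running `prioritise(SAMPLE, date(2023, 5, 29))` lists the two critical suppliers first: one with an overdue questionnaire and one that was never sent any, which is exactly the gap the 65% figure above describes.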

Involvement

Communicating the importance of Information Security is very difficult, especially to suppliers on short contracts who may have perspectives and goals different from those of the contracting organization. It is not uncommon for an organization that is mature in Information Security to have to manage and chase these processes for weeks, or even months, before a supplier responds to a questionnaire.
