Webinar: Breaking Free From the Hamster Wheel of Third-Party Risk Management

Editor’s note: Looking to get more out of your Third Party Risk Management Program? Be sure to register for our upcoming webinar, “Breaking Free From the Hamster Wheel of Third-Party Risk Management”.

--

In recent years, third-party risk has been the focal point of a great number of large breaches. When they make global headlines, these events create a whirlwind of reputation damage (in addition to potential lawsuits) that can put a strangle on revenue generation.

How costly are third-party breaches? For enterprise and small business alike, the most expensive data breaches are those that result in data leaving the organization via a third-party vendor or strategic partner. Enterprise numbers come in at 1.23 million dollars per incident, and for small business the number is around $120,000. These numbers merely reflect the cost for incident recovery—the cost of reputation damage is less clear-cut.

Third-Party Risk Management

An organization manages quite a few third parties at any given time. According to Ponemon Institute, the average corporate third-party ecosystem increased from 378 in 2016 to 588 in 2018. Keeping track of the cybersecurity posture related to 588 vendors is nothing to scoff at. Our own numbers point to an average number of vendors assessed annually at 404 (ranging between 33 – 1700). Combined with the Ponemon stats, this means that all vendors may not be reviewed.

Increased investments and manpower have been allotted towards reducing vendor or partner risk via Third-Party Risk Management (TPRM) programs. In theory, these programs are designed to transfer or (at a minimum) reduce cyber risk to the organization. In our experience with clients we’ve noticed that third-party risk continues to be an issue for organizations, despite an increase in budgets and manpower toward TPRM. In many cases, it can be difficult to draw out any substantial improvements year over year. What’s the problem here?

Internal business units are siloed

We often see disparate processes around managing third-parties. In other words, one business unit may build a partnership with a third-party without insight from other key parts of the business. This may cause the business to duplicate efforts (increasing the total number of third parties), but added costs and unnecessary efforts are the least of the worry here.

Bringing in a new third party while leaving out key stakeholders can drive serious issues with compliance, legal, security, and more. For example, there may be compliance consequences for bringing in a specific third-party, causing the organization to be put in scope of a major regulation without knowing it. Worse yet, leaving out a security team member can (and typically will) drive higher levels of cyber risk.

New technologies are driving a knowledge gap for TPRM teams

It’s no secret that most organizations have adopted cloud products and services. The problem here is the knowledge gap in assessing cloud environment as the technologies offer continue to evolve. Similar third parties can use different cloud infrastructures and technologies.

Given the multitude of products and services out there, it can be challenging to discern between what is available vs. what has been contracted for. In addition, relationship change and products/services can be added or removed. If you don’t know what you are looking for specifically, you can end up with an approach that is too high-level and not necessarily helpful.

This is why it’s not uncommon for third-party questionnaires to be 50to 60 questions in length with simple yes or no answers that do not provide context into the specific third party.

If these themes are resonating with you, we would like to invite you to join our upcoming webinar, “Breaking Free From the Hamster Wheel of Third-Party Risk Management.” Attendees will walk away with an understanding of:

• How to maximize investments towards third-party risk management
• How to establish Corrective Action Plan (CAP) Management to encourage better results year over year
• Best practices for prioritizing your vendors
• Encouraging effective communication between internal stakeholders
• Achieving efficiencies out of TPRM tools

About the speaker

Haroon Tauqeer is a Senior Security Consultant within NCC Group’s Risk Management Group (RMG), providing security advisory services in the fields of risk, security management, due diligence, and compliance to industry standards. He has over 7 years of diverse experience in audit, advisory, and information security. He has been delivering compliance services in areas such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI), and International Organization of Standardization (ISO) 27001-2013.

Haroon has worked with clients varying in size from small start-ups to Fortune 500 companies, such as large retailers, social media clients, financial institutions, healthcare networks, etc. He is cognizant of the balance between security and compliance and understands a broad range of security concepts as they pertain to varying topics within the information security domains.