Key reasons third-party risk management programs fail


More than four out of five organizations have experienced business interruptions caused by third parties in the last two years, despite sinking more and more money into trying to tamp down the risks created by their vendors and partners, according to a new report by the analyst firm Gartner.

The report — based on a survey of 376 senior executives involved in third-party cybersecurity risk management (TPCRM) — is a reminder of the growing concern among security professionals about the dangers associated with third-party risk, and their struggle to get a handle on it.

Zachary Smith, Senior Principal for Research at Gartner, said in a statement that third-party risk management is often resource-intensive and overly process-oriented, and has little to show for it in terms of results.

“Cybersecurity teams struggle to build resilience against third party-related disruptions and to influence third party-related business decisions.”
—Zachary Smith

Matt Rose, field CISO for ReversingLabs, said organizations aren't getting the bang for the buck they're putting into third-party cybersecurity risk management. The proof: the triple-digit rise in software supply chain attacks, which have affected thousands of companies over the past few years.

"If organizations’ TPCRM programs were effective, then even if a third-party application or software package were compromised, it wouldn't cause much harm to the organization because the proper protections and resolution programs would be in place."
—Matt Rose

Demi Ben-Ari, co-founder and CTO of the third-party risk management firm Panorays, said one key reason risk management programs disappoint may be how they're implemented.

"Most third-party risk management efforts predominantly focus on compliance and governance and ticking boxes, which may not be sufficient to fully protect organizations."
—Demi Ben-Ari

Here are the top reasons third-party risk management programs fail — and key considerations for developing an effective risk management program.


Checklists just don't cut it anymore

Charles Jones, a software supply chain security evangelist at ReversingLabs, said traditional methods of assessing third-party risk, such as questionnaires, are slow and resource-intensive. Additionally, the assurance that can be derived from them is weak, because they are mainly based on self-attestation from the third party itself.

“As a result, organizations often spend a significant level of effort chasing their third parties with little to show for it in terms of the amount of risk reduction they are able to demonstrate.”
—Charles Jones

ReversingLabs' Rose added that the biggest challenge to managing third-party risk is that, in the end, third parties are not held accountable for the security of the software and applications they produce, as the Cybersecurity and Infrastructure Security Agency (CISA)'s Secure by Design initiative has called for.

“Someone else is responsible, and in a lot of cases you have to take their word for it and trust that the third party is doing the right things.”
—Matt Rose

Even if the information in the questionnaires is reliable, the documents saddle organizations with manual processes that can be overwhelming, and the manual intervention that risk assessments require becomes difficult to manage as the number of third parties grows.

“Today, large enterprises may rely on tens of thousands of third parties to operate their business. As a result, the ability to manage all of them using manual processes becomes unwieldy.”
—Charlie Jones

Unwieldy processes bog organizations down

In addition to gobbling up resources, third-party risk management can be overly process-oriented, with questionnaire-based programs and their back-and-forth cadence between the software user and the software maker, Rose said.

“Typically questions come up, which leads to a lot of back and forth between many different stakeholders, which can result in a many-step process.”
—Matt Rose

James McQuiggan, a security awareness advocate at KnowBe4, said the need for consistency and accountability — especially for internal and external reporting — drives companies' emphasis on formalized procedures. Integrating risk management with other organizational processes, such as procurement and IT security, adds complexity. Even in a traditional Security Operations Center (SOC), the evolving nature of best practices and standards in risk management demands a systematic approach. With the move to automation in the SOC, complexity grows. 

“This is further compounded by the technological complexities of implementing automated risk assessment and monitoring tools, which require specific processes for effective deployment and interpretation. These combined factors contribute to the process-heavy nature of [third-party risk management], as organizations strive to manage risks consistently, efficiently, and with accountability.”
—James McQuiggan

Four key components of effective risk management

Gartner noted that successful management of third-party cybersecurity risk depends on a security organization’s ability to deliver on three outcomes — resource efficiency, risk management and resilience, and influence on business decision-making. However, the analyst firm said that enterprises struggle to be effective in two out of those three outcomes, and only 6% of organizations are effective in all three.

Gartner recommended four actions that security and risk management leaders should take to increase the effectiveness of their TPCRM programs. Organizations that implemented any of these actions saw a 40-50% increase in TPCRM effectiveness:

  • Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship. Chief information security officers (CISOs) need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.

  • Track third-party contract decisions to help manage risk acceptance by business owners. Business owners will often choose to engage with a third party even if they are well-informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.

  • Conduct third-party incident response planning, such as playbooks and tabletop exercises. Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.

  • Work with critical third parties to mature their security risk management practices as necessary. In a hyperconnected environment, a critical third-party’s risk is also an organization’s risk. Partnering with critical third parties to improve their security risk management practices helps promote transparency and collaboration.

Avoid one-size-fits-all analysis

ReversingLabs' Jones said that far too often, organizations make the mistake of building a one-size-fits-all program to monitor third-party security risk.

“Although this may make it easy to compare the security posture of one third party to another — an apples-to-apples comparison — it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile.”
—Charlie Jones

Jones said one-size-fits-all programs could be detrimental to the comparison of the security maturity of two third parties that are inherently different, "as it may negatively influence procurement decisions, if the comparison is built off a correlation with no significance."

Gopi Ramamoorthy, senior director of security and governance, risk, and compliance (GRC) at Symmetry Systems, said one way to avoid the one-size-fits-all trap is to implement a tiered system for assessing risk.

“The tier levels should depend on multiple metrics including business dependency, impact, failure risk factors, recovery tests, technical support, and contractual obligations.”
—Gopi Ramamoorthy

Once a matured tier-level system is implemented and each third party assigned to an appropriate tier, the organization should align the processes and use appropriate system tools to monitor them, Ramamoorthy said. “This will lead to better assessment and visibility of third-party risks and eventually will have improved results in [third-party risk management].”

Visibility of risk is essential

Visibility is a top-of-mind concern among GRC, IT, and security pros, according to survey results recently released by Drata, a third-party risk management company. In Drata’s Risk Trends Report, the company found that 80% of businesses fear they don’t have full visibility into the security posture of their third-party partners. Even among businesses that have the resources for thorough third-party screening, 47% admitted they don’t have complete visibility into their third-party ecosystem.

AI to the rescue?

Organizations looking for a better return on their investment may find it as artificial intelligence (AI) begins to be integrated into third-party cybersecurity risk management solutions, said Piyush Pandey, CEO of Pathlock.

“AI can dramatically enhance the ROI in third-party risk management by automating risk assessments, enabling the rapid analysis of vast data sets to identify risks efficiently.”
—Piyush Pandey

Organizations should look to solutions that provide continuous, real-time monitoring of third-party activities, providing immediate alerts, as well as dynamic access controls, to mitigate potential issues, Pandey said.

“AI should be harnessed to provide predictive analytics capabilities that allow organizations to mitigate potential risks proactively, rather than merely reacting to them, thus optimizing resource allocation and risk mitigation strategies.”
—Piyush Pandey

Panorays' Ben-Ari said AI-powered natural language processing (NLP) can help organizations quickly identify relevant terms related to security, compliance, and responsibilities during due diligence.

“By automating routine tasks, customizing risk scoring, and continuously learning from data, AI optimizes resource allocation, enhances incident response capabilities, and ultimately improves the long-term effectiveness of third-party risk management efforts. This advanced approach ensures that [third-party risk management] efforts are not only compliant but also aligned with business objectives, delivering a more significant return on investment.”
—Demi Ben-Ari

Getting a handle on risk is essential to the business

As third parties become increasingly integral to business operations, reducing the risks they introduce grows ever more critical. Organizations still have work to do in improving visibility, planning mitigations, and collaborating with partners.

By complementing those efforts with AI, companies may finally gain an upper hand on third-party cybersecurity risk and maximize their return on investment. The path forward lies in augmenting human intelligence with artificial intelligence to create more resilient, cyber-aware partnerships.
