As enterprise leaders and security professionals increasingly recognize the risks and compliance implications that cybersecurity failures pose, the practice of third-party risk management (TPRM) continues to grow. Most large organizations today have a formalized program in place and several staffers dedicated to TPRM. And vendors are getting used to at least some level of scrutiny of their security controls through security questionnaires and other assessment methods.
The security industry has moved beyond the awareness-building stage of addressing third-party risk, but it is also important to keep moving forward. This is why RiskRecon and Cyentia Institute commissioned an in-depth study that explores the current state of third-party risk management programs and practices, based on a survey of 154 active third-party risk management professionals.
According to The State of the Third-Party Risk Management Report, 63% say managing third-party risk is a growing priority for their organization. The good news is 79% of organizations have a TPRM program in place, but these programs may not have reached maturity. For most, TPRM programs have only operated for five to six years. While new methods are starting to prevail, 84% reported the use of questionnaires to assess vendor security risk.
While security questionnaires are a great start to a TPRM program, the research found that TPRM professionals increasingly do not trust that they provide sufficient information to properly understand and act on their third-party risk. The report found that 81% of firms report that at least 75% of vendors pass questionnaire-based assessments without exception, but on average, only about 14% of respondents express confidence that their vendors truly meet their security posture requirements.
Not having a complete assurance that your vendors have control over their cyberrisk and yours can be a big issue. This is especially true because most companies are critically dependent on these third-parties and trust them with sensitive data and operations functions. On average, respondents said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% said that half of their entire network could trigger severe impacts.
Security and business leaders who want to take their TPRM practices to the next level—both in terms of risk reduction and efficiency—must start to make meaningful changes to how they fund and operate their programs. The report indicates three key areas on which leadership can focus to speed up their progression through the TPRM maturity curve:
Staffing according to the ratio of high-impact vendors to full-time employees:More than half (57%) of respondents reported that staffing levels regularly limit their ability to keep up with managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. Plus, it found that one out of three TPRM programs manages more than 100 vendors per year. Additionally, 25% of programs said that severe personnel shortages made it so that their TPRM program rarely or never completed critical tasks.
Examining the perception of staffing adequacy-based vendor-to-full time employee (FTE) ratios, one correlation was that the ratio of FTEs tasked with managing critical vendors—those that could materially harm the company with a breach—did make a big impact. Respondents in teams that manage an average of five to six critical-risk vendors per FTE always feel adequately staffed, while those juggling 30 or more never do.
The inference from the data is that organizations focus less on the raw number of vendors under management per FTE and start paying greater attention to the ratio of high-impact vendors to FTEs.
More continuous assessment:The vast majority of organizations rely heavily on limited assessment methods for judging the state of their third-party's security posture. Approximately 84% of organizations utilize security questionnaires and 69% use documentation reviews. Not only are these methods inconsistent in digging up actionable insight—81% of organizations say their questionnaires rarely result in security remediation—but they are also conducted at a single point in time.
Organizations that want to make gains on their TPRM program maturity should seek out ways to collect data continuously and automatically about the potential risks lurking in their third-party portfolio. Today around half of organizations do this through remote assessments and cybersecurity ratings.
Adjusting scope based on good performance:One of the prevailing themes in the report is that TPRM programs are generally struggling to conduct reliable, actionable assessments at scale. One method that is becoming increasingly popular to divert strained resources to the highest risk vendors is to adjust the scope of vendor scrutiny as security performance changes. Currently, only 38% of organizations decrease scope based on performance.
For example, an organization may require historically strong performers to only self-assess through security questionnaires and backstop that with continuous assessment through cybersecurity ratings. If the ratings flag a certain threshold of findings, then that might trigger more in-depth care that could include more frequent questionnaires, on-site assessments, remote assessments, and other methods. Ultimately, TPRM will continue to advance as organizations use methods like the three listed above to build out data-driven programs that can rapidly collect and analyze relevant data faster to make quicker new vendor decisions and intelligently allocate risk engagement resources toward known poor-performing vendors and away from strong-performing ones.