Third-party risk management is an issue that keeps many chief information security officers (CISOs) and other security leaders awake at night. Third-party risk has a lot more in common with phishing than advanced persistent threats (APTs) or zero-day attacks; it’s a known issue, but there’s a huge gap between awareness and risk at the majority of organizations. There’s no shortage of reasons to get this one right, including mounting compliance pressures and the tenuous state of customer trust.
Fifty-six percent of organizations attribute security issues involving data loss to vendors or other third parties, according to a 2018 study from Opus and Ponemon Institute. While consumer awareness of data privacy issues has increased, your customers aren’t about to distinguish between your vendors and your internally managed security controls if their records are stolen or lost.
Just 35 percent of organizations rate their third-party risk management program as highly effective, and just 34 percent have a comprehensive inventory of all their vendors. Few would make the argument that the industry has a handle on third-party risk, which begs a discussion of why we’re facing this crisis in the first place.
Why Is Third-Party Risk Management Lagging?
For many organizations, poor risk management is the result of ineffective processes and a lack of resources. A recent Venminder study found that 77 percent of organizations have five or fewer employees dedicated to vendor ..