
Just the Facts, Ma’am

April 6th, 2016


One of my first manager’s favorite aphorisms was “if I had more time, I’d write you a shorter letter.” I personally experienced a variation of this theme in college, as I found there was an inverse correlation between the length of my essay exam answers and my knowledge/confidence in the answer; the more I knew about the subject, the shorter my answer, while I did my best to blind the professor with words when I had no idea what I was talking about.

Today, the cyber security world is awash in data, as today’s technology makes it very easy to collect mountains of it. Unless useful insights can be gleaned from that sea of data, it is utterly useless and can even be counter-productive. This reality was reinforced by the results of a question we posed to the attendees of a webinar we hosted recently on business continuity and the role of third party vendors in the supply and operations chain.

We asked a relatively simple question to an audience comprising professionals familiar with third party/vendor risk: “What are your biggest challenges to managing your third-party relationships?” The most popular answer was “Quantifying Risk Levels”, as 57% of the respondents identified this challenge as their most pressing. And when you think about it, that result makes sense. Organizations can request and collect endless data – evidence – from their vendors, all financially motivated to make their customer happy and comfortable with their security plans and corporate stability: cyber insurance policies, deployed security technologies, data encryption details, security policies and employee training plans, etc. Gathering the data can be tedious, but it’s the easy part. Converting it to useful information is what matters. Ultimately, organizations need to know what story all this data tells. Where are the highest risk vendors? Which ones need to be assessed more frequently? How is this changing in light of recent events? Which vendors need more attention given the intimacy of their relationship with your organization?

And all this ultimately comes down to putting a value on the risk… a number. Translating all that data – delivered in a multitude of formats like Word documents, spreadsheets, answers to questionnaires, etc. – into a quantified risk level is where the rubber meets the road.

Prevalent not only automates the process… we do the math.