Editor's Note: This article was originally published on www.helpnetsecurity.com.
COVID-19 has increased organizational focus on third-party risk management (TPRM) for 83% of companies, a recent study reveals. Yet, only 40% of organizations report expanding their TPRM programs as a result.
More concerning is that 44% of companies report not actively tracking supply chain risks, which were the primary pandemic-related third-party risk management impact.
To select a suitable third-party risk management solution for your business, you need to think about a variety of factors. We’ve talked to industry professionals to get their insight on the topic.
Organizations rely on an ever-increasing number of external third parties for the provision of key services and support. At the same time, the risks from the supply chain have never been more perilous, with growing risks in the areas of cybersecurity, bribery and corruption, finance, geopolitics, and more.
Businesses should seek a solution that can handle the associated volume of data and complexity by automating the tasks needed to provide a holistic view of the risk to the enterprise—one that will support the organization’s current TPRM program but also enable it to evolve over time based on future needs.
New generation solutions that incorporate AI and Natural Language Processing (NLP) can cut down the due diligence labor costs and dramatically reduce time of manual tasks. AI is uniquely able to handle and evaluate unstructured data, enabling these solutions to extract data from questionnaires, evidence documents and external data sources (financial, cyber, lists) and turn it into actionable insights about the potential organization’s risk exposure to services, fourth parties, people, locations and other risks. These scalable solutions provide true automated, continuous monitoring from any data sources and provide maximum visibility into risk in real time.
Addressing today’s rapidly growing cybersecurity challenges requires more than annual point-in-time security assessments, which do not include adequate pre-contract or post contract diligence, and do not consider evolving corporate policies that include environmental and social governance, ethics and diversity. Organizations need to develop comprehensive TPRM programs to meet regulatory compliance and deepen IT security controls.
Organizations should look for solutions with built-in intelligence that automates and harmonizes assessments to satisfy the needs of various teams including security, procurement, legal and compliance. Security, compliance and operational issues can develop at any time during a vendor or supplier relationship, so it’s important to address risk at each stage of the third-party lifecycle. Vendors must be capable of unifying and normalizing monitoring data to correlate it against risk assessment findings.
For organizations that lack the resources or skill sets to scale their TPRM programs, organizations need to examine vendors with TPRM experts that can manage the vendor lifecycle on their behalf – from onboarding vendors and collecting evidence, to reviewing assessments for completeness, identifying risks and providing remediation guidance. It is essential for organizations to have a flexible solution that allows them to scale and mature their third-party programs over time.
The first question to ask when considering a TPRM solution is what are you looking to accomplish? If you are just looking to get a quick, high level view of the landscape, then some of the risk rating tools can be helpful and require relatively little work to stand up.
On the other end of the spectrum, if you have a small set of vendors with very specific controls you would like to look at, there are tools to help you customize a questionnaire and collect that data. It is much more labor intensive, but allows for a completely tailored solution.
The majority of companies out there are looking for something in between. Scalable to cover their ecosystem, yet with enough detail to effectively manage risk. This is typically achieved through one of the newer risk utilities that share previously completed assessments.
The ideal situation is when the utility has standardized the information to allow for broader portfolio analysis or risk modeling. This is where you can gain confidence that you understand the landscape and are focusing on the risks that matter most.
Third-party risk managers should review the goods or services their business provides, how third parties support different functions of the business, what processes they’re involved in and what data they touch. Understanding and organizing these different uses of third parties will help determine the key capabilities to look for in a solution.
Then, the manager can match a solution to their needs. One capability to search for is flexibility – a solution should change with evolving business needs. To evaluate longevity, managers can ask questions like, “what is my rollout plan for implementation?” or, “how will I support the solution post-implementation?”
Managers should also look for a solution that fully integrates with distinct risk processes (e.g. IT), and deep, purpose-built functionality that allows for due diligence and continuous monitoring – the riskiest parts of the lifecycle. Additionally, TPRM solutions should incorporate ESG management, specifically issues related to various emission types, as well as diversity, equity and inclusion.
Perhaps the most important step, though, is gaining support across the organization for a solution. When building their case, managers should showcase how a solution will solve problems – in both qualitative and quantitative terms, and in the appropriate terminology for different areas of the business.
As third-party networks expand quickly, businesses need flexible, scalable solutions to help manage it all. Additionally, up to 50 percent of a large organization’s total workforce is outsourced and contracted, creating risk and security concerns when managing a growing spider-web of third-party risk.
TPRM solutions help centralize the processes needed to capitalize on the potential upside of vendor relationships. Because, when successful, these relationships greatly increase company-wide efficiency and generate revenue.
When selecting a solution, businesses should prioritize automation, quality integrations, and risk quantification capabilities. Without these features, disparate systems, out-of-date data, and inconsistent policies can impede a company’s ability to modernize its TPRM program. Outdated ‘solutions’ result in lost opportunities to drive revenue and lead to future avoidable roadblocks.
Companies evaluating third-party risk management solutions should verify that the solution offers the flexibility to standardize workflow needed for vendor onboarding, especially procurement and legal. Even just one misaligned step can result in vulnerabilities, such as security, compliance and reputational risks.
Standardized workflow implemented through the solution enables better operational practices. With it, businesses are able to identify potential vulnerabilities more quickly and better align overall decision-making.
TPRM can be complex and costly but it is a key aspect of any comprehensive risk management framework. Keep in mind that your organization may be liable in the event of a third-party provider data breach. At minimum, your solution should include:
1. A vendor inventory that can easily identify the risk associated with the third party based on the exposure of your sensitive data and systems to that third party. Considerations such as supervised versus unsupervised access, incidental versus continuous access to internal systems, can help determine the inherent risk associated with the third party and the type of surveillance necessary to mitigate that risk.
2. The ability to define workflows based on risk. Third parties should be categorized separately and require a certain set of controls/evaluations to be performed depending on the specific category that the vendor belongs to.
3. Automated mechanisms to handle security questionnaires and responses; ideally, a mechanism to automatically parse responses and score them according to risk tolerance.
4. Automated weekly/monthly surveillance of digital assets and threat intelligence for third parties in your inventory, generating alerts if significant and relevant changes in their security profiles happen.
5. Manual reviews – assess whether or not reviews can be done for the specific risk framework that your organization selects.
As the number of cyberattacks connected to third-party risk rises, CISOs need smarter, faster, and easier ways of understanding, monitoring, and acting on their third-party cyber risk posture. Utilizing a TPRM solution is the best way to get complete insight into your risk posture while providing the resources to quickly understand and act on the risks that threaten your organization.
If you are looking to engage with a TPRM solution for the first time or are re-evaluating your current vendor, the most important aspect is ensuring they are proactively protecting your business from third-party cyber risks, by providing an accurate and timely picture of your entire digital ecosystem as it expands exponentially and grows increasingly connected.
Traditional assessments like questionnaires do not scale for today’s business climate. A tool that continuously monitors your third-party ecosystem can bring your organization a new level of risk visibility with accurate, real-time data. Without continuous monitoring, a breach could happen without detection for months – creating a business issue that could have been mitigated with proper visibility and response.
To find the best solution for your organization, do your research and ask questions to ensure what they offer drives value and efficiency, and meets your overall business needs.