New Playbook reflecting data from executives of 30 companies offers window into how organizations are confronting persistent breach risks stemming from third parties
Salt Lake City, Utah (February 12, 2018) – RiskRecon, a rapidly-growing company transforming management of third-party cyber risk, today published the inaugural Third-Party Security Risk Management Playbook. Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, the Playbook reveals how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships. The study identified 14 vendor-neutral capability sets comprising 72 common, emerging, and pioneering practices that firms have implemented to manage third-party security risk. As a study of real-world third-party risk management programs, the Playbook is a valuable tool executives can use to benchmark their own programs and gain insight into pioneering practices other firms are adopting.
The Playbook is a free download available here: https://www.thirdpartyplaybook.com
Key findings include:
The financial services industry is the clear leader: Financial services firms have been actively managing third-party security risk for an average of six and a half years, nearly four years longer than firms in other industries. Financial services firms also are the drivers behind more than 60 percent of the pioneering practices observed in the study.
Third-party security risk management is rapidly innovating: Thirty-two percent of the third-party risk management practices the study identified are implemented by fewer than 25 percent of the study participants. In all cases, these pioneering practices were recently implemented by the adopting firms. The practices leverage objective security data to better understand third-party risk performance and more intelligently allocate and engage risk analysts in assessments.
Pioneering firms are hunting for dangerous conditions in their third-party systems: Twenty-three percent of respondent companies are proactively identifying severe vulnerabilities in their vendors’ systems and working collaboratively with their vendors to quickly address the issues.
Fourth-party awareness is peaking over the horizon: While only seven percent of respondent firms are actively tracking fourth-parties (the third-parties used by their vendors), an additional 33 percent stated that they intend to implement capabilities to better manage fourth-party risk within two years, citing regulatory requirements as the primary driver.
“Enterprise risk officers are waking up to the reality that their information risk increasingly resides in the systems of their third-parties, beyond the bounds of their own network. You can outsource your systems and operations to third-parties, but you cannot outsource your risk,” said RiskRecon CEO and Founder Kelly White.
Brian Johnson, a CISO consultant and a former CISO of LendingClub, said, “CISOs know that effective third-party security risk management is essential for protecting their enterprise, yet many lack the data necessary to appropriately understand and prioritize third-party risk exposure. The best thinking on solving risk lies within industry, where practitioners are solving real enterprise risk problems every day. The Playbook captures these practices, providing a resource that risk managers can reference in enhancing their programs.”
The capability sets and practices described in the Playbook span three domains: Program Management, Risk Assessment, and Monitoring & Response. The Playbook shows the percentage adoption rate of each practice so that readers can quickly identify practices that are common versus pioneering. The pioneering practices, which have a less than 25 percent adoption rate, largely involve capabilities leveraging objective data to better assess and manage third-party risk performance. “Traditional methods of assessing vendor risk performance using questionnaires reveal the investments companies have made in managing risk. The pioneering use of objective data reveals how well companies implement and operate their security risk management program,” said Kelly White.
The Playbook authors discovered the initial third-party security risk management framework through roundtable discussions conducted with risk executives throughout the U.S. and the U.K. The authors then used this framework to conduct detailed interviews of executive owners of third-party risk management programs to arrive at the final Playbook.
RiskRecon’s objective for the Playbook is to provide practitioners a guide for building and operating their own third-party risk management programs, founded on the community of capabilities and practices developed by their peers. Readers interested in contributing insights and data to the next edition of the Playbook can contact firstname.lastname@example.org.
RiskRecon’s continuous monitoring solution delivers risk-prioritized action plans that enable precise, efficient elimination of your most critical third-party security gaps. Our data-driven SaaS service relies on passive, direct analysis of Internet-facing systems to quantify risks and provide straightforward evidence necessary for remediation. Rather than producing a laundry list of issues, RiskRecon’s custom analytics quantify true risk by determining each system’s issue severity and asset value. Only RiskRecon enables you to build a scalable, third-party risk reduction program that compresses remediation cycle time, improves analyst productivity, and ensures constructive vendor collaboration. Learn more at www.riskrecon.com