
How top CISOs are transforming third-party risk management

Exclusive Insights from the RSAC Executive Security Action Forum (ESAF)

As a forum for candid discussion among peers, ESAF sessions are confidential, invitation-only, and limited to a select group of the most senior information security and risk executives. This year ESAF is celebrating its 20th anniversary. The forum is marking the occasion by sharing some hard-earned wisdom with the broader cybersecurity community through a series of reports on topics of interest to all information security executives. Through these reports, we aim to help all organizations improve the management of cyber risks.

What follows is an excerpt from the RSAC ESAF’s latest report on managing the challenges of third-party risk management:

The consensus in the ESAF community of CISOs is that traditional third-party risk management in information security is ineffective. Traditional methods, centered around self-assessment questionnaires and cybersecurity ratings, neither provide an accurate picture of third-party risk nor reduce it.

The need for change is growing more urgent as attackers increasingly target third parties. In a recent survey, RSA Conference found that 87% of Fortune 1000 companies were affected by a significant cyber incident at a third party in the past 12 months.

Third-party incidents can have a huge impact on the bottom line. If a supplier or business partner is hit with a cyber attack, it can disrupt the company’s operations and/or expose the company’s customer data or intellectual property. Attackers can also use third-party access as a route to infiltrate the company’s network.

Although third-party risk management needs an overhaul, fixing it can seem like an intractable problem. Traditional approaches have become entrenched as standard practice, so companies are under pressure to continue using them even though they are ineffective.

Motivated by escalating risks, CISOs within the ESAF community are taking bold new approaches. These include establishing top priority security requirements, setting deadlines to implement controls, adding enforcements to contracts, helping third parties obtain security technologies and services, increasing the role of business leaders, and building resiliency against third-party incidents.

This report covers pioneering initiatives at six Fortune 1000 companies in a range of industries: defense, healthcare, insurance, manufacturing, and technology. It shares their journeys with the hope that others can use these ideas to accelerate their own efforts. Recognizing the need for systemic changes, this report also explores the roles of technology and security vendors, industry collaborations, and governments.

To download the full report, visit the RSAC ESAF section of the RSA Conference website.

To sign up for emails from RSA Conference that include reports like this, please go to www.rsaconference.com/signup.
