
Organizations need formal vendor risk management programs, study


A recent study conducted by the Ponemon Institute and Shared Assessments found that 70 percent of respondents felt that third-party risks in their organization are significantly increasing and many of them blamed disruptive technologies like cloud services and the Internet of Things (IoT). 

The Tone at the Top and Third Party Risk report queried 617 individuals who have a role in the risk management process in their organizations and are familiar with the governance practices related to third-party risks.

New technologies and cyber threats are expected to play a role in evaluating third-party risk profiles.

Cyber attacks and the IoT are expected to have the most significant impact on an organization's third-party risk profile: 78 percent of respondents said cyber attacks will have a significant impact on the risk profile, and 76 percent said the same of the IoT, the study said.

The study also found that a changing threat landscape has already cost organizations millions of dollars as a result of third-party mishaps.

“In the past 12 months, organizations represented in this research spent an average of $10 million to resolve the consequences of negligent or malicious third parties,” researchers said in the report.

Adding to the challenge, accountability for managing third-party risk is often dispersed throughout an organization rather than centralized with a single person or department -- with 23 percent of respondents saying responsibility lies with the compliance department and 17 percent saying the information security department is responsible.

Only nine percent of respondents said a risk management department has ownership of the risk, researchers said.

“It has become imperative for organizations to create formal programs for vendor risk management in order to avoid being compromised,” Charlie Miller, a senior vice president at the Santa Fe Group, the parent company of Shared Assessments, said in emailed comments.

“This study clearly demonstrates that not only is there a major risk issue stemming from vendor and partner relationships, but the highest level of organizations, the Board and C-Suite, need to better communicate their values across the enterprise, setting a positive tone and creating formal programs to mitigate this risk, ultimately helping companies to improve their risk management practices,” Miller said.    

In order to create a stronger third-party risk management program, researchers said in the report that CEOs and boards should establish a “positive tone at the top,” meaning that management should be committed to providing a culture and environment that encourages honesty, integrity and ethics.

That could help organizations minimize these third-party risks since employees would be more likely to uphold the same values, researchers said.

Lieberman Software Vice President Jonathan Sander said in emailed comments that a positive tone is a good place to start, but “without a formal, measured program to back it up, that trust is meaningless.”

“This tone, which serves as code for a ‘trustworthy attitude,’ is starkly contrasted by the 78 percent that think cyber attacks are the biggest source of risk in these relationships, the fact that the second largest group of respondents felt IT security owns that risk, and the fact that only 21 percent felt their approach to third-party risk was highly effective,” Sander said.

“In other words, they are forming these third party relationships based on trust and never verifying that trust with real data,” he explained. 
