Information security teams are busier than they’ve ever been and, although they have been given more funds to cope, there is still a great need to prioritize and focus on the risks that are most likely to harm their business. To that end, managing the risk posed by smaller third-party vendors – not the multimillion-dollar-contract kind that require scrutiny from half a dozen corporate functions (Risk, Procurement, Compliance, Finance, HR, in-depth review from Legal, and so on) – has always been low on the list for information security teams.
But because managers across all parts of a large business now use third parties far more than they once did, and often intermittently, the risk they pose has grown hugely. Traditionally, information security teams have administered risk assessments and made decisions about the risk each third party posed based on predetermined levels, but this is no longer sufficient, for the four reasons below.
On top of that, and more broadly, an overreliance on this kind of risk assessment doesn’t help information security teams move past simple due diligence towards properly understanding and managing risks (as is required for proper enterprise risk management), as even the most effective assessments can only capture point-in-time data, and not a more holistic picture of third parties’ information security arrangements.
Four Reasons to Take Third-Party Risk Management Seriously
As the use of third-party vendors expands and evolves, Security’s methods for managing risk should too. Information security teams should ensure third parties adhere to the company’s security needs (whether that requires a full risk assessment and active monitoring or something with a much lighter touch), without getting in the way of business goals.
There are four reasons why current efforts at third-party risk management are failing at many companies – and failing expensively at that.
Security’s visibility into third parties is declining sharply: With the proliferation of business-led IT, more and more business units are hiring third parties without first consulting assurance functions, such as Information Security and Procurement. Third-party products and services are more numerous, accessible, and attractive than ever to managers whose incentives make them want to hit objectives as quickly as possible.
As line managers play an ever greater role in technology, the way information security teams engage with the line on third-party risk management is beginning to break down. That engagement was once based on the line providing full visibility, with the understanding that Information Security would not delay things.
Use of third parties is exploding: Information Security’s resources are already stretched thin, and much of the business is becoming more and more reliant on outside vendors. Over half of security leaders now work with at least double the number of third parties that present information security concerns compared with two years ago.
Given the increasing volume of work, Information Security must be careful with its spending. Security has traditionally overinvested in the upfront assessment stage of third-party risk management, but should rethink its strategy and reallocate its resources to managing the risk.
“Long tail” third parties are increasing in popularity: Long tail third parties offer niche services that require little to no IT or Procurement involvement and whose use is driven by fluctuating business demand and tight deadlines. Examples include free cloud services, internet of things services, and “as-a-service” products that require little setup out of the box.
This increasingly long and complex tail of third parties complicates the way Information Security manages third-party risk, because such third parties slip through traditional triaging mechanisms and the risks they pose to the company are hard to identify, let alone generalize.
[Chart 1: The long tail problem. Source: CEB analysis]
Regulatory scrutiny is expanding: Regulators have increased their scrutiny of third-party risks in recent years. Governing bodies including the FFIEC, OCC, the UK Financial Conduct Authority, the Monetary Authority of Singapore, and the EU have all issued official guidance on third-party risk management, prompting information security teams to spend more time on regulatory compliance.
While an increase in regulatory guidance is often a welcome development, it has encouraged a “check-the-box” mindset in which Security does the bare minimum prescribed by applicable regulations, without considering the goals of good risk management beyond compliance with legal requirements.