6 best practices for third-party risk management

CISOs have good reason to rank third-party risk as a top concern: their organizations engage with a growing number of third parties providing an ever-expanding range of services. While reputable providers certainly prioritize security, bringing products developed outside a business inside the company perimeter increases the chance of importing a threat. “Third-party risk is a major threat because it only takes one partner with poor security to put your own company at risk — and as a CISO, you own that risk,” says cybersecurity consultant Gerald Auger, a faculty member at The Citadel military college.

Recent research helps quantify the security threats that CISOs and their organizations face from third parties. For example, a 2023 RSA Conference report found that 87% of the responding CISOs had been affected by a significant cyber incident that originated at a third party in the preceding 12 months. A 2022 study from SecurityScorecard and the research firm Cyentia Institute reported that 98% of organizations had vendor relationships with at least one third party that had experienced a breach in the prior two years.

Third-party risk tops the threat lists of many executives

The “Executive Perspectives on Top Risks” survey from consultancy Protiviti found that third-party risk was the No. 4 risk for 2024 among the more than 1,000 directors and senior executives from around the globe polled for the report; those same leaders put third-party risk at No. 6 on their list of anticipated risks for 2034. Clearly, third-party risks aren’t expected to be mitigated any time soon. If anything, the interconnected nature of the digital economy, the increasing enterprise reliance on outsourced service providers, the proliferation of cloud-based open-source software repositories, and the growing ingenuity of bad actors are increasing the threat level.

It’s a lot for CISOs to manage, experts acknowledge. “The risk always falls back to the CISOs, CIOs, and the executive team. So, you need to do everything you can in your power to protect yourself,” says Matthew Mettenheimer, an associate director in the cybersecurity practice of consultancy S-RM.

To that end, Mettenheimer and seven other security consultants, executives, and researchers shared six best practices for an effective third-party risk management program.

1. Align the executive team around all third-party risks

The risks presented by third parties encompass more than cybersecurity threats, and the security threats posed by third parties can impact all parts of the organization — including its ability to operate, says Alla Valente, a Forrester Research senior analyst focused on security and risk.

Yet many organizations — particularly those without a chief risk officer — don’t take a comprehensive approach to managing those risks, Valente and other experts say. Rather, they will take a siloed approach; the CISO handles cybersecurity-related third-party risks and other executives take responsibility for those that might impact their respective functions. Such an approach can create blind spots and gaps, Valente says, adding that “one of the main challenges of third-party risks today is there is no single team that owns those.”

Valente and others say CISOs can — and should — take the lead in educating the board and the executive team on the cascading and interrelated nature of the risks that third parties create for the organization. In other words, CISOs should strive to get enterprise leaders to see how a third-party cyber incident could create a security issue at their own organization and lead to lost business, regulatory fines, and reputational damage.

“The executive team needs to understand why third-party risk management is important; because that’s where success in managing risk starts — with the board and in the C-suite,” says Shawn Murray, president of the Information Systems Security Association (ISSA), a not-for-profit international organization of information security professionals and practitioners.

2. Establish a third-party risk management program

Another critical step for the successful management of third-party risks is building a programmatic approach to the task, with a governance structure that establishes processes and standards that can be repeatably applied to numerous third parties. Mettenheimer says an effective third-party risk management (TPRM) program should be unique to each organization to ensure that how that organization assesses third parties and the risks they present aligns with the organization’s regulatory requirements, data protection requirements, and risk tolerance.

A helpful strategy here is to use a rubric to understand and classify third parties based on the risks they present, says Fred Rica, a partner in the advisory practice at the professional services firm BPM. A rubric could, for example, be used to rank third parties as low, medium, or high risk. A rubric also allows organizations to efficiently identify the level of assessment and the mitigating controls required for each third party, with those labeled high receiving the most scrutiny and the most mitigations.

Third-party risk management frameworks and software further help CISOs and their executive colleagues to establish programmatic approaches to TPRM, experts add. However, as helpful as those moves may be, studies show many organizations have yet to take such steps. For example, the 2024 CISO Survey from Panorays, a third-party security risk management software maker, found that 94% of CISOs were concerned with third-party cybersecurity threats but only 3% had implemented a third-party cyber risk management solution at their organizations.

3. Build an accurate, comprehensive, up-to-date inventory of third parties

CISOs can’t adequately manage third-party security threats when they do not have a complete picture of the third parties within their organization, says Murray, who is also president and CAO at Murray Security Services. This may seem like an obvious point, but Murray and others say this is a particularly challenging task as an increasing amount of technology is now deployed by business units instead of a centralized IT function committed to inventorying all tech assets. So, CISOs need to implement strategies for identifying and maintaining an accurate, comprehensive, and up-to-date inventory of the third parties whose security risks must be assessed and managed, Murray says.

There are certainly software solutions that help here, but Valente advises CISOs to build in other steps to help ferret out problems at third parties. For example, she says CISOs can work with the finance department to review recurring payments (including those on corporate credit cards) to identify new software subscriptions that were bought without involving the organization’s procurement department and, thus, haven’t yet been added to the inventory list.

4. Create effective, efficient assessment processes

Identifying and inventorying third parties is only the beginning. After that, CISOs must work to understand what security threats they could possibly present — a much more daunting task. “CISOs have to do assessments, but those assessments can’t be so lengthy that CISOs can’t get them done,” Valente says. Similarly, she says CISOs cannot — nor should they try to — apply the most rigorous assessment to each third party; that would be a Sisyphean task. Instead, she and others advise CISOs to develop methods for identifying those third parties requiring the most rigorous assessments and those requiring a less involved review.

Valente cautions organizations against using the cost of a third party as the yardstick for an assessment’s rigor, as some third-party services may cost a lot but present low security risks. Rather, an assessment’s level of rigor should be tied to the sensitivity of data that the third party will handle, its criticality to operations, and the level of technical integration involved in the relationship.

Furthermore, Valente recommends that CISOs create assessments that can easily and quickly flag potential security issues at third parties that would then trigger a deeper dive into their security practices. “Find the questions that are going to give you the red flags,” she tells CSO.

Valente explains that asking third parties how often they test their business continuity plans, for example, or whether they have a dedicated incident response team can help CISOs gauge the maturity of those third parties’ security programs. This in turn can help CISOs determine whether a third party has the minimum required security in place to warrant moving a contract with it forward — or whether a third party should be quickly disqualified from consideration because it can’t even pass the initial screening. Valente notes that CISOs have a lot of room for improvement with their assessment processes. She points to Forrester research, which has found that fewer than 50% of risk decision-makers said their organizations assess all third parties, while 10% said they only assess the third parties they’re explicitly asked to assess.
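As an added example (not from the article or from any of the experts quoted in it), the following Python sketches the kind of rubric Rica and Valente describe: a tier derived from data sensitivity, operational criticality and integration depth (cost is recorded but deliberately not an input), a mapping from tier to assessment depth, and a handful of cheap screening questions whose answers raise red flags that either trigger a deeper dive or disqualify the vendor at screening. The factor scales, thresholds, screening questions, decision rules and vendor records are all constructed assumptions for illustration, not a published standard.

```python
# Added example: a third-party risk rubric with screening red flags.
# All weights, thresholds, questions and vendor records are constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# What each tier earns in assessment effort (assumed mapping, not a standard).
ASSESSMENT_DEPTH = {
    Tier.LOW: "short self-attestation questionnaire",
    Tier.MEDIUM: "full questionnaire plus evidence review (audit report, pen-test summary)",
    Tier.HIGH: "full questionnaire, evidence review, control validation, security contract addendum",
}


@dataclass
class Vendor:
    name: str
    data_sensitivity: int         # 0 public/none, 1 internal, 2 confidential or regulated (PII, PHI, ...)
    operational_criticality: int  # 0 nice-to-have, 1 operations degraded if down, 2 operations stop
    integration_level: int        # 0 no connection, 1 file exchange or SSO, 2 API/network access into our environment
    annual_cost_usd: float        # context only; deliberately NOT a tier input
    screening: dict = field(default_factory=dict)  # answers to the initial screening questions


def assign_tier(v: Vendor) -> Tier:
    """Sum the three 0-2 factors (0..6) and bucket them; cost is intentionally ignored."""
    for factor in (v.data_sensitivity, v.operational_criticality, v.integration_level):
        if factor not in (0, 1, 2):
            raise ValueError(f"{v.name}: rubric factors must be 0, 1 or 2, got {factor}")
    score = v.data_sensitivity + v.operational_criticality + v.integration_level
    if score >= 4:
        return Tier.HIGH
    if score >= 2:
        return Tier.MEDIUM
    return Tier.LOW


def screening_red_flags(v: Vendor) -> list[str]:
    """Cheap screening questions whose answers are red flags worth a deeper dive."""
    flags = []
    s = v.screening
    if not s.get("dedicated_incident_response_team", False):
        flags.append("no dedicated incident response team")
    months = s.get("bcp_last_tested_months_ago")
    if months is None:
        flags.append("business continuity plan test date not provided")
    elif months > 12:
        flags.append(f"business continuity plan last tested {months} months ago")
    hours = s.get("incident_notification_hours")
    if hours is None or hours > 72:
        flags.append("no commitment to notify of incidents within 72 hours")
    return flags


def screening_decision(v: Vendor) -> str:
    """Combine tier and red flags into the next step for the procurement workflow."""
    tier = assign_tier(v)
    flags = screening_red_flags(v)
    if not flags:
        return "proceed to tiered assessment"
    if tier is Tier.LOW:
        return "proceed to tiered assessment (flags recorded)"
    if tier is Tier.HIGH and len(flags) >= 2:
        return "disqualified at screening"
    return "deeper dive into security practices required"


def triage(vendors: list[Vendor]) -> dict[str, dict]:
    """Per-vendor summary suitable for handing to procurement."""
    out = {}
    for v in vendors:
        tier = assign_tier(v)
        out[v.name] = {
            "tier": tier.value,
            "assessment": ASSESSMENT_DEPTH[tier],
            "red_flags": screening_red_flags(v),
            "decision": screening_decision(v),
        }
    return out


# Constructed sample vendors (hypothetical names and figures).
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", 2, 2, 1, 120_000,
           {"dedicated_incident_response_team": True, "bcp_last_tested_months_ago": 6,
            "incident_notification_hours": 24}),
    Vendor("ParkingApp", 0, 0, 0, 90_000,       # expensive but low risk
           {"dedicated_incident_response_team": False}),
    Vendor("DataPipelineCo", 2, 1, 2, 15_000,   # cheap but high risk
           {"dedicated_incident_response_team": False, "bcp_last_tested_months_ago": 30}),
    Vendor("DesignAgency", 1, 1, 1, 40_000,
           {"dedicated_incident_response_team": True, "bcp_last_tested_months_ago": 18,
            "incident_notification_hours": 48}),
]

if __name__ == "__main__":
    for name, summary in triage(SAMPLE_VENDORS).items():
        print(f"{name}: {summary['tier']} -> {summary['decision']}")
        for flag in summary["red_flags"]:
            print(f"    red flag: {flag}")
```

Run as a script, it prints one line per vendor plus its red flags. The two deliberately contrasting records make Valente’s point: the expensive parking app lands in the low tier and its flags are merely recorded, while the cheap data pipeline vendor with broad integration and regulated data is high tier and fails screening outright. Real programs would replace the assumed weights and questions with ones matched to their regulatory and data-protection requirements.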

5. Leverage the third-party contracting process to benefit security

When security assessments happen also matters, according to experts. Those security checks on third parties — whether suppliers, vendors, or partners — typically happen during procurement, says Tim Witos, vice president of information security and risk management at McKesson, a healthcare and healthcare tech company. Too often the assessments come at the tail end of the process, when much of the negotiation is done, leaving CISOs with little to no leverage.

“Most organizations at best have language about security requirements that are reviewed at signing,” says Witos, who also serves as a council member with the Health 3PT Initiative, a collaborative of care providers, health systems and other healthcare organizations focused on reducing third-party information security risk with more reliable and consistent assurances.

CISOs would do well to get involved early in the procurement process, Witos and others say. They say CISOs should start by educating leaders within their organizations on what security elements will be required of any third parties. CISOs also should communicate early to potential vendors and partners what security standards they’ll have to meet in order to ink any deals with the organization.

“We [CISOs] sometimes fail to have a conversation about what we expect,” Witos adds. “So set the expectations of what you’re looking for and why early; understand what you’re looking for a vendor to have when it comes to security. Make your legal team, your sourcing and your procurement team aware of the security requirements you want from your suppliers and explain that those must go into the contracts. Then write up those requirements in a way that the suppliers can understand them.”

Moreover, Witos and others say CISOs should include additional specifics in their third-party contracts to ensure they’re effectively managing third-party risks. Those specifics include requirements for how quickly the third party must notify the CISO (or a designee) if there is a cyber incident and what information the third party will supply. They should also include a clear articulation of what security aspects the third party will handle and which the organization will own, Mettenheimer says. “Know what your vendors are on the hook for. We see time and time again that organizations and CISOs will agree to a contract and believe that a certain level of security is in place [only to learn that] that extra level of security isn’t included in the vendor’s baseline contract.”

Another specific requirement a CISO should demand is the name and contact information of the third party’s security leaders so that the CISO can reach them in case of an event (rather than trying to work through account managers who likely won’t be of much help if there’s a cyberattack).

6. Make third-party risk management an ongoing exercise

Managing the risks presented by third parties doesn’t end once those contracts are signed, says Paul Kooney, who as a managing director at consulting firm Protiviti focuses on innovative third-party risk management program development as well as cybersecurity and privacy compliance. He says organizations with the most effective, and most mature, TPRM programs create ones that are continuous in nature so that they can identify and mitigate risks as they arise throughout the organization’s relationship with each third party.

Rica adds: “Third-party risk management is a process; it’s not an event. Many are very good about that initial assessment. They’re very thorough, they get the required documents, but then they forget about it. They don’t have any way to go back to see if the risks are the same, whether they’ve changed, or whether they need to change the controls. This is where things often fall apart.”

As such, Kooney, Rica, and others advise CISOs to monitor for compliance with contractual requirements continuously and to identify adjustments and updates that may be required, noting that third-party risk management program software and automation can support the security teams doing this work while keeping them from being overwhelmed by the task.
