Forrester found that when it comes to tracking third-party risk, critical data loss or exposure (63 percent) and the threat of cyber attacks (62 percent) ranked as the top concerns, above standard business issues such as whether the supplier could deliver the quality and timeliness of service it had contracted to provide (55 percent).
Despite the desire for more robust insight into third-party security practices, only 37 percent of survey respondents reported tracking any of these metrics on a monthly basis.
The research further reveals that a vast majority of IT decision makers believe that continuous third-party monitoring would bring a major improvement in their security effectiveness in key areas, such as event identification time (76 percent), event remediation time (72 percent) and response time to high-profile events (71 percent).
Enterprises overwhelmingly anticipate major or moderate improvement in many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in the time required to identify and remediate security events and to respond to high-profile events.
Other key findings:
- Forrester estimates that enterprises allocated 21 percent of their overall IT budget to third parties.
- 63 percent of respondents believe continuous third-party monitoring would improve their ability to screen vendors based on risk.
- 79 percent of respondents reported that ensuring business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months.
- 82 percent of respondents said that ensuring regulatory compliance is a “critical” or “high” priority, but only 29 percent were fully compliant, on average, across eighteen regulations or best practice guidelines.