Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, RiskRecon revealed how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.
Researchers identified vendor-neutral capability sets comprising common, emerging, and pioneering practices that firms have implemented to manage third-party security risk.
“Enterprise risk officers are waking up to the reality that their information risk increasingly resides in the systems of their third-parties, beyond the bounds of their own network. You can outsource your systems and operations to third-parties, but you cannot outsource your risk,” said RiskRecon CEO Kelly White.
The financial services industry is the clear leader
Financial services firms have been actively managing third-party security risk for an average of six and a half years, nearly four years longer than firms in other industries. Financial services firms also are the drivers behind more than 60 percent of the pioneering practices observed in the study.
Third-party security risk management is rapidly innovating
Thirty-two percent of the third-party risk management practices the study identified are implemented by fewer than 25 percent of the study participants. In all cases, these pioneering practices were recently implemented by the adopting firms. The practices leverage objective security data to better understand third-party risk performance and more intelligently allocate and engage risk analysts in assessments.
Pioneering firms are hunting for dangerous conditions in their third-party systems
Twenty-three percent of respondent companies are proactively identifying severe vulnerabilities in their vendors’ systems and working collaboratively with their vendors to quickly address the issues.
Fourth-party awareness is peaking over the horizon
While only seven percent of respondent firms are actively tracking fourth-parties (the third-parties used by their vendors), an additional 33 percent stated that they intend to implement capabilities to better manage fourth-party risk within two years, citing regulatory requirements as the primary driver.
Brian Johnson, a CISO consultant, said, “CISOs know that effective third-party security risk management is essential for protecting their enterprise, yet many lack the data necessary to appropriately understand and prioritize third-party risk exposure. The best thinking on solving risk lies within industry, where practitioners are solving real enterprise risk problems every day.”