Third-party risk management programs still largely a checkbox exercise
Enterprise third-party risk management (TPRM) programs have been around for a half-decade or longer, and at this point most large organizations run one. However, many of these TPRM programs only provide a thin veneer of cybersecurity assurance.
Recent data indicates that they are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.
So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.
This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.
And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are meeting security requirements. Nor is it from an utter lack of investment. At this point some 79% of organizations have a formal TPRM program, staffed by a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time, and the average age of these programs is now five to six years.
Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be a classic checkbox compliance scenario. According to respondents, regulatory compliance is the runaway top driver for the development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.
This likely explains why so many organizations today still rely so heavily on security questionnaires, as that’s the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly utilize questionnaires – 84% – as compared to those (42%) who utilize a more verifiable assessment method like cybersecurity ratings. This is in spite of the fact that only about one in three TPRM professionals actually believe the answers they get back on questionnaires.
Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.
Most new security practices and controls are developed initially by pioneers in the market trying to solve a tough problem. Their results and intentions are noted by regulators, who take those ideas and filter out the most basic elements to come up with a framework of minimum requirements for the broader market. Then everyone struggles for some years to meet those standards, at first simply on paper and then in more meaningful ways.
As the minimums become the norm, more forward-thinking security leaders use that investment foothold to iterate their practices and rally for more resources, not just to check the boxes on auditors’ requirements lists, but also to reduce risk in a more consequential manner.
Fortunately, the TPRM field has progressed to the point where many organizations stand at that last crossroads. While most TPRM programs are struggling to conduct reliable, actionable assessments at scale, the majority of organizations at least have some infrastructure in place that they can improve upon. And with 63% of respondents saying that managing third-party risk is a growing priority for their organization, there are signs that there is a will to move beyond checkbox compliance.