In the past three years, organizations have seen a greater number of high-profile security breaches through third-party vendors as firms shift business functions to external parties to reduce costs. A lack of third-party monitoring and consistent
reporting has left organizations especially vulnerable to this risk, and many third-party risk management programs still focus only on compliance rather than on the security posture of the vendors themselves.
Recently, the SEC proposed new rules that would require U.S. public companies to report cybersecurity incidents along with risk management plans and governance. This reflects a heightened focus on cybersecurity risk and the wider implications of risk
across global markets, making third-party risk management more important than ever.
This piece explains why security teams and their organizations must understand the importance of third-party risk management, and outlines the steps to take to build an effective third-party risk management process.
At a high level, risk management is defined as the process of identifying, assessing and monitoring threats to an organization. Most organizations have numerous third parties. Many are vendors, but others fall into different categories, such as partners,
contractors and suppliers. Third-party risk management is the process of identifying, assessing and controlling the risk a third party introduces into the organization. Many third parties are complex technology partners, and if they lack security controls, vulnerabilities
and incidents in their environment are bound to occur, and they will impact you.
Third-party risk terms are sometimes used interchangeably, but they have very different meanings and it's important to understand the distinctions.
Third-party risk can affect the organization across multiple business segments, including financial, operations and compliance. It’s critical to know your vendors and have a plan in place that clearly identifies how your organization analyzes and
An effective third-party risk management plan is a component of an organization's overall risk management plan. The plan details the various risk areas across the organization to create the overall enterprise risk profile and helps identify which
strategies can reduce third-party risk and minimize exposure in areas like information security.
To reduce the chances of a third-party security breach, begin by teaming with all related third parties to assess their security risk profile and build a third-party risk management plan. It’s important to rank your third-party portfolio based on
the risk they pose, along with assessing the security framework they have in place now to mitigate your risk.
This process is key because you will not have direct visibility into, or control over, the risk measures a third-party vendor uses to safeguard its own environment, and therefore your data and systems. The goal is to identify, classify and categorize the risk associated with every vendor
and supplier relationship.
Effective enterprise third-party risk management plans must be structured, collaborative and incorporate the following steps, each of which has several components:
Our third-party networks and relationships continue to expand and it’s critical to build a consistent third-party risk management program that is scalable over time. Third-party risk management is vital to managing information security risks, and
it includes establishing a comprehensive third-party risk management program throughout the organization.
As security teams work to minimize threats and mitigate risks before they have an adverse impact, it’s important that risk management becomes an integral, continuous process across an organization.
September 29, 2022
By IANS Faculty