Key Points:
- 45% of organizations have experienced business interruptions due to third-party factors within the past two years.
- Successful third-party cybersecurity risk management relies on resource efficiency, risk management and resilience, and influence over business decision-making.
A recent survey by Gartner has found that despite extensive investment in third-party cybersecurity risk management (TPCRM), 45% of organizations have experienced business interruptions due to third-party factors within the past two years. This highlights an ongoing struggle for cybersecurity teams. Zachary Smith, Sr Principal Research at Gartner, commented that third-party cybersecurity risk management is often excessively process-oriented and resource-intensive, and that results are few and far between. Cybersecurity teams struggle both to build resilience against third-party related disruptions and to influence third-party related business decisions.
The survey involved 376 senior executives who play a role in third-party cybersecurity risk management in their organizations. According to Gartner, successful TPCRM relies on an organization’s capability to deliver three key outcomes: resource efficiency, risk management and resilience, and influence over business decision-making. However, most companies struggle to effectively deliver two of the three outcomes, with only 6% of surveyed organizations being proficient in all three areas.
Gartner identified four actions that security and risk management leaders could implement to increase their effectiveness when managing third-party cybersecurity risk:
- Regularly review the effectiveness of communicating third-party risks to the relevant business owner of the third-party relationship.
- Track third-party contract decisions to aid in managing risk acceptance by business owners.
- Conduct third-party incident response planning, including playbooks and tabletop exercises.
- Collaborate with essential third parties to enhance their security risk management practices as needed.
Implementing any of these actions reportedly led to a notable 40-50% increase in TPCRM effectiveness.
In an interconnected business environment, the risk associated with a critical third party has a direct impact on the organization. Therefore, partnerships that foster transparency and collaboration in improving security risk management practices are beneficial.