
Fact or Fiction (Part 1): Things You Should Know About Third-Party Risk Management

Alex Campanelli | August 21, 2018

It’s no secret that while it is critical for an organization to have a strong cybersecurity posture, it’s just as important for its third parties to have a strong security posture as well. While this fact is increasingly acknowledged in the business world (as many companies suffer data breaches at the hands of their suppliers), there are still several misconceptions about third-party risk management (TPRM) programs and what they entail. Among the many initiatives that make up a modern enterprise cybersecurity program, TPRM might be the most misunderstood.

In this three-part blog series, we’ll take a look at some of the notions surrounding third-party risk management and separate fact from fiction.

1) Third-party risk management is only necessary for companies with hundreds or thousands of third-party relationships.


It takes just one of your third parties to cause a breach. Nearly every organization relies on a third party for some type of service. Even if your immediate third parties do not pose cyber risk directly, their third parties (your fourth parties) may. Organizations need to ensure they are tracking the entire flow of their data and monitoring the organizations across these flows. Security ratings deliver timely, data-driven insights into any vendor’s security performance by continuously analyzing and monitoring companies’ cybersecurity, all from the outside. Security ratings are generated on a daily basis, giving organizations continuous visibility into the security posture of key business partners.


2) Compliance should be the primary goal of any third-party risk management program.


Compliance should be one goal of your third-party risk management program, but not necessarily the primary goal. Many industries and governments regulate third-party risk management, but maintaining compliance doesn’t ensure the safety of your company’s data. It's critical to align third-party risk management strategy and programs with the growing body of global and regional cybersecurity regulations (e.g. GDPR, NYDFS) and with business initiatives. Continuous monitoring is a key step towards aligning third-party risk management strategy with cybersecurity regulations.

Security ratings can serve as a critical piece of your TPRM program by helping security and risk teams go above and beyond to quickly identify critical third parties, efficiently scale their TPRM programs, and provide a means to collaborate with those third parties and remediate security issues efficiently.


3) Third-party risk management should be a Board-level initiative.


TPRM is no longer just a responsibility for IT departments. A successful third-party risk management program has sponsorship from multiple departments, as well as support and involvement from the Board. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative.

Test your knowledge about third-party risk management and see if you can identify which statements are fact or fiction.

Read part 2 of the Fact or Fiction series: More Misconceptions About Third-Party Risk Management

Read part 3 of the Fact or Fiction series: How Security Ratings Play a Role in Third-Party Risk Management
