An old proverb that is often repeated by corporate security experts everywhere is 'trust, but verify.'
Today, as companies continue a dramatic shift away from
Softtek's latest report 'The State of Digital Third-Party Risk 2016: In Partners We Trust,' highlights the dilemma many companies face: They have very little choice but to employ a growing ecosystem of third-party providers, and they must trust them with their vital information. Yet those same organizations have not deployed any sort of risk management to verify that those partners have adequate safeguards in place.
The lean model – which uses fewer in-house resources and more third-party resources – has outsized benefits in terms of productivity, cost, and agility, particularly as cloud innovations allow vast, global ecosystems to operate and collaborate at lightning speed. But companies taking advantage of this model often lack the one element that is most needed to get the greatest benefit from it, and that is risk management.
According to the Softtek report, 54% of organizations do not allocate funds for a third party risk management system, and 21% of firms have no one leading a third party risk management system. The oversight problem doesn’t rest solely with the organization doing the contracting, however, 73% of suppliers do not notify their clients of a breach. Third parties are the primary cause of breaches, and these breaches can trigger a domino effect that can impact all of the organization’s shared systems.
Despite the abysmal statistics, it would be a critical mistake to revert back to an 'absolute control' model, which carries disadvantages of its own. Rather, the solution is to achieve a better understanding of how partner systems, practices, and procedures work, and how we can influence them. The lean model requires building an ecosystem of third party suppliers, but to be effective, we must acknowledge that such an ecosystem is more than just a collection of providers – it is really a de facto extension of our own corporate organization, and as such, the services being provided by those third parties need just as much scrutiny as they would if they were to be provided in-house.
To provide that scrutiny, companies need to implement solutions to sustain this interconnected system of third party suppliers. In addition to maintaining an up-to-date inventory of suppliers, properly evaluating each supplier is an important component of vendor management, as well as creating and reporting metrics for each phase of the relationship. In addition, vendor management requires identifying