RiskRecon, a Mastercard Company, and the Cyentia Institute today published an in-depth study that explores the current state of third-party risk management (TPRM) programs and practices. The research found that TPRM professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk. As a result, the study found more enterprises are moving towards data-driven TPRM programs.
The “State of Third-Party Risk Management” research is based on a survey of 154 active TPRM professionals conducted by RiskRecon and the Cyentia Institute. It found that 79% of firms have a TPRM program, 84% of which use questionnaires to assess vendor security risk. While 81% of enterprises report that at least 75% of their vendors claim perfect compliance to their security requirements, only 14% are highly confident that vendors actually perform those requirements.
“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,” said Kelly White, CEO and co-founder, RiskRecon. “Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise – rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor’s risk management program. For example, rather than just trusting vendors’ word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program.”
The intent of the study was to understand the challenges currently facing TPRM programs and gather intel into how companies are meeting these challenges. And while the adoption of TPRM appears to be on the rise, there are additional lessons to be learned. For example:
- Companies are critically dependent on third parties, trusting them with their most sensitive data and operations functions. The survey found that one out of three TPRM programs manage more than 100 vendors per year. On average, respondents said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claim that half of their entire network could trigger severe impacts.
- Lack of proper resources and support continues to be a challenge for effective risk management. 57% of respondents say that staffing levels regularly limit their ability to keep up with the responsibilities of managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. And more than 25% of programs report severe personnel shortages, which prevents critical tasks from being completed.
- Professionals do not trust questionnaire-based assessments; adding objective data to close the gap. Only 14% of surveyed professionals report being highly confident in the accuracy of vendor questionnaire responses. For this reason, 42% of respondents use cybersecurity ratings, along with other measures as part of their assessment mix.
“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner and co-founder, Cyentia Institute. “While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”
To download the full report, “The State of Third-Party Risk Management,” click here.
About Cyentia Institute
Cyentia Institute is a Virginia-based cybersecurity research services firm. We deliver high-integrity, high-quality, data-driven research that provides security companies with meaningful marketing content to build mindshare, drive sales, and attain greater visibility in competitive markets. In doing so, we seek to advance cybersecurity knowledge and practice for the community at large. In addition, we curate and publish a library of cybersecurity research and reporting which serves as a vital reference for security decision makers and practitioners worldwide.
RiskRecon, a Mastercard company, is the only continuous vendor monitoring solution that delivers risk-prioritized action plans custom-tuned to match your risk priorities. RiskRecon provides the world’s easiest path to understanding and acting on own enterprise and third-party cyber risk, enabling organizations to efficiently operate scalable, third-party risk management programs for dramatically better risk outcomes. Learn more about RiskRecon, request a demo or visit the website at www.riskrecon.com.