Third-party security risk in a "black swan" environment

A blog post by Suzanne Denton, Deloitte & Touche LLP managing director

A risk management conundrum

Pandemic disease outbreak, global recession, man-made or natural disaster, regulatory change—the prevalence of "black swans" fill the headlines and expose organizations to third-party security risks; Deloitte research reveals that:

• Nearly nine of 10 respondents (87 percent) faced a disruptive incident with third parties in the past three years.
• Almost a third of them (28 percent) had a major disruption to all business functions as a result.
• One in four respondents’ companies (26 percent) suffered reputational damage as a result of third-party actions.¹

With third-party-related incidents so prevalent, there is little room for error. Organizations should consider getting TPRM right. Why then do so many have only basic block-and-tackle methods in place to address third-party risk?

¹ Deloitte, "Third party governance and risk management: Extended enterprise risk management survey 2019", https://www2.deloitte.com/global/en/pages/risk/articles/third-party-risk.html.

Answering third-party security risks

Adopting a more broad-based, resilient approach to TPRM could help organizations become more prescriptive, preventive, and preemptive regarding third-party security risks. Such an approach has three key attributes that chief information security officers (CISOs) and other key stakeholders should consider:

• Agile. A robust TPRM framework with established policies and procedures, as well as a centralized capability for managing third-party information, can help organizations become more responsive and agile when it comes to third-party cybersecurity. These capabilities can also help build resilience against the broader threat environment, including black swan events.
• Bold. CISOs have the opportunity to be champions who help their organization recognize and act on third-party risks, break down silos that cause organizational blind spots, and strengthen information security. This means helping stakeholders understand how increased dependency on third parties creates risk and yet how important it is to think beyond cyber and help make third-party relationship management balanced and transparent.
• Real-time. More relevant and timely information—from both internal and external sources—can better inform decisions about third-party relationships. This means shifting from point-in-time third-party risk assessments to ongoing monitoring. A data-driven TPRM approach that incorporates external monitoring services can help prevent surprises and provide richer insights into third-party relationships.
  

Back to top

Consider the benefits of a managed services model

With all the other pressures they face and additional resources typically being scarce, how can CISOs help provide TPRM capabilities with the aforementioned attributes in a timely way? A managed services model offers a viable path.

A managed services model can help organizations quickly ramp up TPRM by centralizing planning, oversight, and execution into a single group. This approach can:

• Provide stakeholders with a single point of transparency and visibility into third-party security risks so they can effectively manage risk profiles across the enterprise
• Roll up risk data into a single report to quantify where the highest risks are, the nature of the risks, and what is required to address them
• Facilitate accelerated outcomes, such as third-party risk assessments, with access to true risk domain knowledge, technology, and talent

A managed services model can also:

• Create greater consistency in third-party risk management processes across business units and geographic locations
• Help establish a framework that can be readily scaled to efficiently onboard more third parties into the organization’s risk management program
• Provide relevant insights into third-party performance to help the organization create economies of scale
• Bolster TPRM capabilities with much-needed skills, tools, techniques, and processes to take on the toughest part of TPRM—reducing operational, regulatory, reputational, strategic, and technological risks
• Optimize staffing so that internal teams can focus on other mission-critical initiatives

As a result, organizations can expect:

• The ability to quantify and reduce risk exposure through improved risk mitigation strategies
• Improved visibility into the portfolio of third-party relationships for informed decision-making
• Productivity gains through more coordinated TPRM activities while improving risk posture through analytics and benchmarking against industry standards
• The ability to scale resources up and down as the business evolves while having predictable and reliable budgets and costs

The upshot? A managed services model for TPRM can help CISOs provide results that resonate with senior leadership and the board while reducing third-party security risks across the various domains affecting an organization.

Back to top