By Brian Golumbeck, Practice Director, Strategy & Risk Management at Optiv
Quick! What is the surest way into an executive’s heart, mind and budget? Leave technical jargon at the door and come to the table talking business.
Traditional information security programs, such as vulnerability, patch and/or threat management, continuously struggle to snag resources despite their absolute vitality to an organization’s security posture, but there is no excuse for third-party risk management (TPRM) to fall into the same cost-cutting trap. Why? Because at its core, it is a business process.
Our world has become more interconnected technologically, yet perhaps more physically spread out, than ever over the last three years. Many organizations rely on a large number of third parties across every department, including IT, IS, HR, legal, accounting, procurement, marketing, etc. While this ecosystem supports overarching goals, it also exposes entities to substantial amounts of risk. In fact, according to the 2022 Verizon Data Breach Incident Report, “the supply chain was responsible for 62% of system intrusion incidents.” That number might be even higher depending on the specific industry report. What else would a leader need to take managing vendor relationships seriously? These partners, however invaluable, in many cases end up having access to sensitive data related to personnel, R&D, sales and more.
A deep level of teamwork and cross-functional support is required to responsibly manage, enable and secure these relationships and their business functions. Attempting to manage more than a thousand vendors or a backlog of hundreds of partner contracts is neither a one nor a two-person job. In addition, there must be an internally owned vendor management strategy even if TPRM is outsourced because it cannot be a one-off project. The importance of this can’t be overstated. For organizations to get the most out of their partnerships, improve business operations, meet regulatory obligations and manage their risk profiles they should consider combining internal stakeholders with external risk management service providers in an always-on process. The best TPRM programs efficiently and effectively assign roles, responsibilities and accountability from triage through escalation and, ultimately, to review.
The modern era of widespread technology adoption and/or largely remote workforces isn’t ending anytime soon. Therefore, organizations will likely be incorporating more vendors into their networks for the foreseeable future. With buy-in from the top and dedicating to it the breadth and depth of focus it deserves, TPRM, like any cybersecurity initiative, is a business enabler and plays a key part in protecting an organization from extreme financial or reputational damage.