According to a recent survey by Gartner, 45% of organisations have experienced business interruptions due to third party factors within the past two years. The findings highlight an ongoing struggle for cybersecurity teams, despite extensive investment in third-party cybersecurity risk management (TPCRM).
Zachary Smith, Sr Principal Research at Gartner, pointed out that third-party cybersecurity risk management is often excessively process-oriented and resource-intensive, with results that are few and far between. "Cybersecurity teams struggle to build resilience against third party-related disruptions and to influence third party-related business decisions," Smith remarked.
The survey, conducted in July and August of 2023, involved 376 senior executives who play an integral role in third-party cybersecurity risk management in their organisations. These organisations span a variety of geographies and industries and vary widely in size.
According to Gartner, successful TPCRM relies on an organisation's capability to deliver three key outcomes: resource efficiency, risk management and resilience, and influence over business decision-making. Despite this, most companies struggle to effectively deliver two of the three outcomes. A mere 6% of surveyed organisations were proficient in all three areas.
The survey's findings led Gartner to identify four actions that security and risk management leaders could implement to increase their effectiveness when managing third-party cybersecurity risk. Organisations that implemented any of these actions reportedly observed a notable 40-50% increase in TPCRM effectiveness.
The first recommendation involves regularly reviewing the effectiveness of communicating third-party risks to the relevant business owner of the third-party relationship. Chief Information Security Officers (CISOs) need to ensure their messaging about third-party risks is clearly understood and provides actionable insights.
Tracking third-party contract decisions is another strategy the survey suggests to aid in managing risk acceptance by business owners. By monitoring these decisions, security teams can plan appropriate controls for the risks that have been accepted and identify business owners who tend to accept risk and therefore require greater cybersecurity oversight.
Furthermore, Gartner advises conducting third-party incident response planning, including playbooks and tabletop exercises. Effective TPCRM, the survey suggests, should extend beyond merely identifying and reporting cybersecurity risks. Instead, CISOs should ensure a robust contingency plan is ready in case of unexpected incidents, thereby ensuring swift recovery.
Finally, Gartner recommends collaborating with essential third parties to enhance their security risk management practices as needed. In an increasingly interconnected business environment, the risk associated with a critical third party has a direct impact on the organisation. Partnerships that foster transparency and collaboration in improving their security risk management practices are therefore beneficial.