It’s simple: you can’t manage what you can’t measure. This is one of the reasons many organizations still miss the mark on third-party risk management. Or at least that is what can be gathered from a recent study, conducted by Forrester® Research and sponsored by RSA®, where 82% of respondents cited that they still use spreadsheets to inventory, assess, and manage third parties.
The world is going digital, with investment in digital transformation estimated to reach $6 trillion over the next four years. As such, the reliance on third parties is also expanding. The Forrester study revealed that 1 in 3 respondents reported working with more third parties than they were just two years ago. As the third-party ecosystem grows, so do the risks. A Ponemon Institute study found that organizations share sensitive information with an average of 583 third parties. Then there is the trickle down of risk that extends to the countless nth parties in the vendor ecosystem who may also have access to data or systems completely out of an organization’s purview.
As the number of data breaches caused by third parties continues to swell, reining in third-party risk has never been more important. Organizations struggle with this for many reasons, the most likely being a lack of buy-in from the top, resulting in less budget to invest in the tools and technology needed to effectively manage third-party risk. This is supported by findings in the Forrester study, with fewer than half of respondents saying that managing third-party risk is considered a critical business imperative in their organization. The increased costs of risk management and evolving regulatory requirements were also mentioned as top hurdles.
Organizations lack visibility into the universal third-party ecosystem, which isn’t surprising if a majority are still stuck in a spreadsheet world. Until the tools, technology and processes used to manage risk improve and there is a top-down understanding of the business risks vendors could pose without proper oversight, organizations will continue to miss the mark.
Author: Heidi Bleau
Join RSA and guest speaker, Alla Valente of Forrester® Research, for a live panel discussion, Rethinking Third-Party Risk Management. In the webinar, we will probe the myths and realities of third-party risk and how organizations can overcome the challenges. You can also view the full results of the research in the report, Rethink Third-Party Risk Management to Promote Innovation Without Sacrificing Customer Trust, to see how organizations are undertaking third-party risk management and what is hindering progress and maturity.