
How Top CISOs Are Transforming Third-Party Risk Management


The consensus in the ESAF community of CISOs is that traditional third-party risk management in information security is ineffective. Traditional methods, centered around self-assessment questionnaires and cybersecurity ratings, neither provide an accurate picture of third-party risk nor reduce it.

The need for change is growing more urgent as attackers increasingly target third parties. In a recent survey, RSA Conference found that 87% of Fortune 1000 companies were affected by a significant cyber incident at a third party in the past 12 months.

Third-party incidents can have a huge impact on the bottom line. If a supplier or business partner is hit with a cyber attack, it can disrupt the company’s operations and/or expose the company’s customer data or intellectual property. Attackers can also use third-party access as a route to infiltrate the company’s network.

Although third-party risk management needs an overhaul, fixing it can seem like an intractable problem. Traditional approaches have become entrenched as standard practice, so companies are under pressure to continue using them even though they are ineffective.

Motivated by escalating risks, CISOs within the ESAF community are taking bold new approaches. These include establishing top-priority security requirements, setting deadlines to implement controls, adding enforcements to contracts, helping third parties obtain security technologies and services, increasing the role of business leaders, and building resiliency against third-party incidents.

This report covers pioneering initiatives at six Fortune 1000 companies in a range of industries: defense, healthcare, insurance, manufacturing, and technology. It shares their journeys with the hope that others can use these ideas to accelerate their own efforts. Recognizing the need for systemic changes, this report also explores the roles of technology and security vendors, industry collaborations, and governments.
