A 2023 RSA Conference survey of Fortune 1000 CISOs found that 87% of the companies had been affected by a significant cyber incident at a third party in the previous 12 months. Call it third party risk, vendor risk or supply chain risk, it is the major blind spot of cybersecurity defense.
The solutions for third party risk management (TPRM) badly need a rethink. Vendors mostly offer one, the other, or a mix of the following:
- Questionnaires for the third-party to answer – quickly out of date even if accurately filled out
- Outside-in scans of controls that are more noise than signal
These solutions can’t identify the riskiest vendors and don’t give quantitative insights into how to prioritize mitigations to achieve a return on investment. They are also manual processes that can’t be automated or scaled to respond to changing threats.
With an unreliable toolkit, CISOs fall back on compliance to frameworks, lists of recommended controls disconnected from measurable risk reduction. Or they prioritize among vendors based on size of contract, not size of loss exposure.