May 01 2025

How CISO’s are transforming the Third-Party Risk Management

​The RSA Conference Executive Security Action Forum (ESAF) report, How Top CISOs Are Transforming Third-Party Risk Management, presents insights from Fortune 1000 Chief Information Security Officers (CISOs) on evolving strategies to manage third-party cyber risks. The report underscores the inadequacy of traditional risk management approaches and highlights innovative practices adopted by leading organizations.​

1. Escalating Third-Party Risks

The report begins by emphasizing the increasing threat posed by third-party relationships. A survey revealed that 87% of Fortune 1000 companies experienced significant cyber incidents originating from third parties within a year. This statistic underscores the urgency for organizations to reassess their third-party risk management strategies.​

2. Limitations of Traditional Approaches

Traditional methods, such as self-assessment questionnaires and cybersecurity ratings, are criticized for their ineffectiveness. These approaches often lack context, fail to reduce actual risk, and do not foster resilience against cyber threats. The report advocates for a shift towards more proactive and context-aware strategies.​

3. Innovative Strategies by Leading CISOs

In response to these challenges, top CISOs are implementing bold new approaches. These include establishing prioritized security requirements, setting clear deadlines for control implementations, incorporating enforcement clauses in contracts, and assisting third parties in acquiring necessary security technologies and services. Such measures aim to enhance the overall security posture of both the organization and its partners.​

4. Emphasizing Business Leadership and Resilience

The report highlights the importance of involving business leaders in managing cyber risks. By integrating cybersecurity considerations into business decisions and fostering a culture of resilience, organizations can better prepare for and respond to third-party incidents. This holistic approach ensures that cybersecurity is not siloed but is a shared responsibility across the enterprise.​

5. Case Studies Demonstrating Effective Practices

Six cross-sector case studies are presented, showcasing how organizations in industries like defense, healthcare, insurance, manufacturing, and technology are successfully transforming their third-party risk management. These real-world examples provide valuable insights into the practical application of the recommended strategies and their positive outcomes.​

6. The Role of Technology and Security Vendors

The report calls upon technology and security vendors to play a pivotal role in minimizing complexities and reducing costs associated with third-party risk management. By collaborating with organizations, vendors can develop solutions that are more aligned with the evolving cybersecurity landscape and the specific needs of businesses.​

7. Industry Collaboration for Systemic Change

Recognizing that third-party risk is a widespread issue, the report advocates for industry-wide collaboration. Establishing common standards, sharing best practices, and engaging in joint initiatives can lead to systemic changes that enhance the security of the broader ecosystem. Such collective efforts are essential for addressing the complexities of modern cyber threats.​

8. Moving Forward with Proactive Measures

The ESAF report concludes by encouraging organizations to adopt proactive measures in managing third-party risks. By moving beyond traditional methods and embracing innovative, collaborative, and resilient strategies, businesses can better safeguard themselves against the evolving threat landscape. The insights provided serve as a roadmap for organizations aiming to strengthen their cybersecurity frameworks in partnership with their third parties.​

Sources and full article here

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

Navigating Supply Chain Cyber Risk 

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Third-party risk management


Sep 21 2022

Vendor Security Assessment

Category: Information Security,Vendor AssessmentDISC @ 10:14 pm

Assessing the security of network equipment.

decorative image

This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.

The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.

https://www.ncsc.gov.uk/report/vendor-security-assessment

Tags: Third-party risk management, vendor assessment


Aug 28 2022

Why You Need a Third-Party Risk Management (TPRM) Program

Category: Vendor AssessmentDISC @ 9:56 am

What entity, or sector doesn’t engage with a third party in some way, shape or form? Not many. The reality is that outsourcing, contracting and subcontracting happen all the time and is the norm as businesses continue to embrace the core/context mindset and division of labor. The more you outsource, the more you need to have a robust third-party risk management process (TPRM), also known as vendor risk management, plan in place.

Risk management is not new, but the current iteration of TPRM logic typically focuses on three parts:

  • Risk assessment and analysis
  • Risk evaluation and
  • Risk treatment.

I had the pleasure of chatting with David Medrano, director of third-party risk management at Morgan Franklin, who shared his insight on the importance of TPRM and vendor oversight. Medrano explained that many enterprise entities may have over 1,000 separate third-party engagements and, therefore, must have a methodology to measure the risk each of those presents.

Medrano said that while many entities know their contractors, they may lack visibility into the contractor’s contractor; thus, a daisy chain of outsourced work may be taking place which places data at an unknown level of risk as the third party shares it with a fourth party and so on. The most important thing an organization can do, in this case, is to categorize vendors in the planning/strategy phase. Suggested risk buckets may include critical vendors, physical vendors and technology vendors.

“Bucket them according to how and what they do and how their third-party actions present a risk to you,” Medrano said. The risk from the coffee vendor, for instance, is not the same as the risk provided by an MSSP. He advised caution with regard to allowing more risk to be accepted than the vendor’s worth or value to the enterprise.

Medrano also advised keeping the methodology used uniform, as that can help manage risk while also showing customers, regulators and compliance entities that the company has a methodology in place to measure and address risk and explains the company’s thought processes with regard to its actions.

TPRM Tools

Ironically, there are a plethora of vendors (yes, third parties) who are prepared to provide you with tools to create your TPRM program, there are also standardized methodologies available from the U.S. government. For example, the National Institute of Standards and Technology (NIST) has created a TPRM framework to help companies create a consistent and uniform TPRM plan which is adaptable to their unique needs. The NIST framework can help you:

  • Prepare – Essential activities to prepare the organization to manage security and privacy risks
  • Categorize – Categorize the system and information processed, stored and transmitted based on an impact analysis
  • Select – Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement – Implement the controls and document how controls are deployed
  • Assess – Determine if the controls are in place, operating as intended and producing the desired results
  • Authorize – Senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor – Continuously monitor control implementation and risks to the system

In sum, every business unit should be using a TPRM system, regardless of if their engagement with third-party vendors is centralized or decentralized. Additionally, uniformity in the assessment is of paramount importance, Medrano said.

Third-Party Risk Management: Driving Enterprise Value

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

IT Vendor RISK Management Toolkit

Tags: Third Party Risk, Third Party Threat Hunting, Third-party risk management, TPRM, Vendor Security Assessment


Jul 14 2022

Vendor Security Assessment

Category: Information Security,Vendor AssessmentDISC @ 8:43 am

Assessing the security of network equipment.

decorative image

This document provides guidance on how operators should assess the security of vendor’s security processes and vendor equipment and is referenced in the Telecom Security Act Code of Practice.

The purpose of the guidance is to allow operators to objectively assess the cyber risk due to use of the vendor’s equipment. This is performed by gathering objective, repeatable evidence on the security of the vendor’s processes and network equipment.

https://www.ncsc.gov.uk/report/vendor-security-assessment

Cybersecurity and Third-Party Risk: Third Party Threat Hunting

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: supply chain, Third-party risk management, third-party vendor program, Vendor Security Assessment


Feb 25 2021

Third-party risk management programs still largely a checkbox exercise

Category: Vendor AssessmentDISC @ 9:19 am

Recent data indicates that they are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.

So TPRM programs are nominally jumping through hoops to ask vendors about or observe their security controls. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.

This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.

And that’s not because everything is fine and dandy with these vendors’ security controls. The survey showed that a slim 14% of these professionals are highly confident that their vendors are performing security requirements. That’s not from an utter lack of investment. At this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. Some of these programs are just getting underway, but many have been established for some time and the average age of these programs is now five to six years.

Obviously, these investments in TPRM programs are not being fully realized through effective risk reduction, so what gives? The survey results indicate that this may be classic checkbox compliance scenario. According to respondents, regulatory compliance is the runaway top driver for development of their company’s TPRM program. Some 62% cited compliance as their number one motive for running a program, in contrast to just 22% who named executive mandates and 16% who cited customer requirements.

This likely explains why so many organizations today still rely so heavily on security questionnaires, as that’s the bare minimum required by most compliance regimes. The survey showed that twice as many organizations regularly utilize questionnaires – 84% – as compared to those (42%) who utilize a more verifiable assessment method like cybersecurity ratings. This is in spite of the fact that only about one in three TPRM professionals actually believe questionnaire responses.

Clearly there’s more work to be done. The good news is that the forces at play within the TPRM world are following a maturity playbook that most cybersecurity and risk professionals know well.

Tags: Third-party risk management, TPRM