Security Strategy

Is your company third-partying too hard? Find your ‘must avoid’ outcomes

When the third-party picture gets murky, defining key business priorities can simplify the vision.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Sometimes a party gets too big, and it’s tough to figure out where everybody came from, especially that dude who showed up with your friend and still hasn’t taken his shoes off.

Companies, too, have their own gathering of suppliers, vendors, and partners. And some will spill (metaphorical) salsa all over your (proverbial) couch.

A report from the risk-management firm Cyentia Institute and cybersecurity rating company SecurityScorecard found that 98% of surveyed organizations have relationships with at least one vendor who suffered a breach in the last two years.

The 230,000-plus organizations had an average of about 10 third-party partners. The information services sector had the highest number of connections: 25.

When there’s too much third-partying, some risk-specific steps can help organizations make a giant contractor web feel smaller and easier to manage. One helpful measure: defining business priorities, which have a way of revealing “must avoid” outcomes.

“Growth targets, new markets that you’re entering, new products that you’re launching, your corporate objectives, goals, initiatives, and projects. The mirror of those is all the things that can’t go wrong,” said Chris Matlock, VP, advisor, and research leader for risk and corporate strategy at the market-intelligence firm Gartner.

Suh-wiiiing, batttah! A recent Gartner survey found that 84% of 100 executive risk-committee respondents said that third-party risk “misses” resulted in operational disruptions.

Some recent contractor whiffs led to unexpected downtime in the airline industry, affecting the FAA and Lufthansa.

Companies have experienced so many third-party risk events that the concerns have reached the board level, said John Wheeler, senior advisor at the risk-management platform AuditBoard.

“A lot of companies, in my estimation, have gone to market with new digital products and services to deliver things in newer and safer ways as a result of the pandemic. But in their haste, they really haven’t identified and managed the risk as they should,” Wheeler told IT Brew.

What’s your top 5? There are numerous ways for organizations to check in on third parties and scout for risk indicators, mainly by asking questions and getting answers: Has an onsite visit been conducted? What’s the supplier’s current financial state? Are they outsourcing their own IT?

Vendor risk-management tools from companies like OneTrust, UpGuard, and Secureframe gather data related to compliance and controls.

Companies can avoid ERP data overload by determining priorities and enforcing audits accordingly, said Matlock. Maybe retention and career planning is a top priority, for example—and any third parties supporting the privacy effort should be monitored with the most attention.

The third-party party can otherwise get out of hand.

“Organizations get lost in the detail of the third parties, and they don’t raise it back up to, ‘Well, these are the 5 things we have to do this year.’ And if I crosstab them across our third parties, ‘Are there 10, 15, 20 of them that are much more important than the rest? And those are the ones I should pay attention to,’” Matlock told IT Brew.—BH
