Brad Hibbert is the Chief Strategy Officer and Chief Operations Officer at Prevalent Inc., a company specializing in eliminating security and compliance exposures tied to third-party vendors and suppliers. Tom Fox welcomes Brad back to this week's show to discuss a study Prevalent recently released, titled "The 2022 Third-Party Risk Management Industry Study".
Third-Party Risk Management Industry Survey
Brad explains that Prevalent Inc. has been running the "Third-Party Risk Management Survey" for approximately three years. To gather data, they send the survey to thousands of professionals who focus on third-party risk management and who also have a background in security. When the results come in, they are categorized, analyzed, and reviewed for trends. Tom asks Brad for his overall assessment of the state of third-party risk management based on the survey. "I think third-party risk management is certainly getting more awareness within companies and within executive teams within companies," Brad replied. He also noted that both IT and non-IT risks are major concerns for the respondents.
Key Observations About the State of Third-Party Risk Management Today
Tom asks Brad to walk through the key findings of the survey. These are the key observations:
- “Organizations are paying more attention to non-IT security risks but not enough.” Brad explains that programs that started out assessing IT threats are beginning to take non-IT threats into account as well. He says, “It is no longer just about IT vendors, so organizations are trying to get a broader visibility across that broader supply chain of IT vendors and non-IT vendors, and they’re also trying to get a broader visibility of the types of risks that they’re looking at.” Brad sees this as a positive trend in the third-party risk management industry.
- “Third-party risk management may (finally!) be getting more strategic.” Tom notes that IT and compliance professionals understand the gravity of third-party risk, but wonders whether senior executives see it the same way, as an issue to be dealt with strategically. Brad points out that 31% of respondents indicated they were impacted by a third-party data breach. Incidents like these push awareness of third-party risk beyond the security team to the whole organization, which then has to take it seriously. He remarks, “People from security, people from procurement, people from contract, legal and compliance are trying to understand how they can get a holistic view of this concern around vendor risk to minimize it throughout that vendor life cycle.”
- “Manual methods for assessing third parties persist but dissatisfaction runs high.” Unfortunately, most companies are still fixated solely on their main IT vendors and IT security risks, and they believe they can get by with manual methods such as emails and spreadsheets. However, as a third-party risk management program grows, those methods stop working, because they “do not examine the risks and remediate those risks with the vendors efficiently.”
- “Organizations are concerned with increasingly damaging third-party security incidents but are using disparate tools to detect, investigate and resolve exposures.” Brad says, “High profile impactful data breaches are certainly raising awareness of the problem and it’s causing more organizations to monitor third parties for these types of data breaches.” However, the number of successful breaches during the pandemic suggests that organizations are still relying on a patchwork of disparate tools rather than a unified process for detecting, investigating, and resolving these exposures.
- “Organizations are waiting over two weeks for third-party incident resolution.” Brad explains that most companies do not have a third-party breach response process ready for an emergency, so it takes time to identify the issue and begin remediating the resulting risks.
- “Third-party risk audits are getting more complex and time-consuming.” Brad states, “42% of respondents state that they are audited yearly for their third parties and when they are audited, respondents are indicating it takes between a week and one month to procure evidence to meet that regulatory audit.” From that data, the study concludes that audits are costly and time-consuming because most companies are trying to run ambitious third-party risk management programs on inadequate systems.
- “Third-party risk management discipline falters as vendor relationships progress.” The survey found that as a vendor relationship matures, leverage shifts from the organization to the vendor and oversight slips, leaving more of the organization’s data and information exposed to the vendor and increasing the chance of a data breach.
Resources
Brad Hibbert | LinkedIn | Twitter
Prevalent Inc. | Third-Party Risk Management Study