Gartner highlights four actions companies should take to increase effectiveness in Third-Party Cybersecurity Risk Management (TPCRM)

Despite increasing investments in third-party cybersecurity risk management (TPCRM), 45% of organizations have experienced third-party-related business disruptions in the past two years, according to research from Gartner, a world leader in business research and advice.

“Third-party cybersecurity risk management is often resource-intensive, overly process-oriented, and has little to show for it in terms of results,” said Zachary Smith, Researcher at Gartner. “Cybersecurity teams struggle to build resilience against third-party-related disruptions and to influence third-party-related business decisions.”

The research was carried out in July and August 2023, involving 376 senior executives who work in cybersecurity risk management for companies across different sectors, geographies and sizes.

According to Gartner, successful management of third-party cybersecurity risks depends on the security organization's ability to deliver three outcomes: resource efficiency, risk management and resilience, and influence on business decision-making. However, companies have difficulty being effective at two of these three outcomes, and only 6% of organizations are effective at all three.

Source: Gartner (December 2023)

Four actions for security leaders to manage third-party cybersecurity risks: based on the survey results, Gartner identified four actions that security and risk management leaders should take to increase their effectiveness in managing third-party cybersecurity risks. The research found that organizations that implemented any of these actions saw a 40 to 50% increase in TPCRM effectiveness. These actions are:

1. Regularly review how third-party risks are communicated to those responsible for the third-party relationship: Chief Information Security Officers (CISOs) need to regularly review how well the business understands their messaging about third-party risks to ensure they are providing actionable insights into those risks.

2. Track third-party contract decisions to help manage risk acceptance by business owners: Business owners often choose to engage with third parties even if they are well-informed about the associated cybersecurity risks. Tracking these decisions helps security teams align compensating controls with accepted risks and alerts them to particularly risky deals that may require greater cybersecurity oversight.

3. Perform third-party incident response planning (e.g., procedure manuals, simulation exercises): The effectiveness of TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure that their companies have robust contingency plans to prepare for unexpected scenarios and recover well from possible incidents.

4. Work with critical third parties to improve their security risk management practices: In a hyperconnected environment, the risk of a critical third party is also a risk for an organization. Partnering with critical third parties to improve their security risk management practices promotes transparency and collaboration.
