VMblog Expert Interview: Prevalent Shares Results of its 2022 Third-Party Risk Management Study


Prevalent recently announced the findings of its 2022 Third-Party Risk Management Study, which demonstrates that third-party risk management (TPRM) is at a crossroads: organizations can continue with existing, insufficient pathways, or improve their TPRM processes to get on the path to success.

To learn more about the study's findings, including current trends, challenges and initiatives impacting TPRM practitioners worldwide, VMblog spoke with Brad Hibbert, COO and CSO at Prevalent.


VMblog:  What are the key findings, both surprising and expected, of the study?

Brad Hibbert:  I was expecting executives and the board to have more visibility into third-party risk, especially considering all the high-profile third-party and supply chain breaches that happened in the last year. Think: Kaseya, Toyota, and SolarWinds.

What surprised me though was that despite all the executive attention on third parties, so many security and risk management teams (45%) are still reliant on spreadsheets to report on their third-party risks - and that number increased over last year! All that manual work must make it so complex to respond quickly when there is a third-party data breach.

Speaking of third-party data breaches, another surprise was the number of companies that take either a passive wait-and-see approach or don't really have a third-party incident response program in place - 31% in all. I don't know how organizations can justify that kind of approach when the consequences are so apparent.

VMblog:  TPRM programs are increasingly top-of-mind for organizations, and yet TPRM is at a crossroads. Why is this?

Hibbert:  We're seeing an inflection point in third-party risk management. There was a time when TPRM was focused solely on IT vendor risks. And this was natural because of the attack surface that third parties present to your own systems and data. But I would argue that third-party threats to businesses have evolved into physical ones in addition to the logical ones.

Take the Russian invasion of Ukraine as an example. If you had a supplier or vendor in Ukraine, what kind of assurance do you have that they will a) still meet their obligations, or b) have a workaround? That's a supplier business resilience issue and not an IT security issue. And, do you have a picture of your suppliers' suppliers and whether they're run by a sanctioned individual? This is what we mean by crossroads - the old way of TPRM only tells half the story, and companies need to evolve and look at all types of risks holistically - IT and non-IT alike.

Let me illustrate further using some "but" statements. There's the current path, and a better path. For example, companies are paying more attention to non-IT security risks, but not enough. Third-party risk might be getting more strategic, but manual methods hold them back. Companies are concerned about third-party incidents, but their toolsets to detect and manage them are outdated. And, companies are assessing risks at early stages in their lifecycle, but not much in the later stages.

VMblog:  What is the most common TPRM blindspot for organizations?

Hibbert:  How a company responds to a third-party data breach or other security incident. In the first question, we talked about 31% of companies either taking a passive approach to incident response, or not even having a third-party incident response program in place at all. The study also showed that it takes about 2.5 weeks from when an organization learns of a third-party incident to when they receive confirmation of remediation. A lot can happen in that time period.

Instead, we recommend taking a more proactive approach that includes consistent IT security controls audits and continuous cybersecurity monitoring for validation as a preventative measure. The more you know earlier, the faster you'll achieve a favorable resolution. You'll never stop every incident, but if you can shorten your mean time to detection and response, it mitigates the negative impacts.

VMblog:  Knowing your blindspots is one thing; addressing them effectively is another. What is the main sticking point organizations face when considering an upgrade to TPRM programs?

Hibbert:  I'm a firm believer that there are two reasons behind every decision: will and resources. Sometimes organizations have the will to change, but can't muster the resources. Or, they have the resources, but lack the will.

Companies in the former category need to seek help building their programs foundationally through best practices, or maybe offloading the work to expert services providers to manage their programs on their behalf to account for limited resources.

Companies in the latter category need help prioritizing third-party risk automation and that typically happens when a big third-party breach threatens the company. The board gets involved and suddenly you have the will and the resources.

VMblog:  40% of organizations are paying more attention to non-IT security risks. How do you define "paying more attention" and what are the main reasons the majority of organizations continue to overlook non-IT risks?

Hibbert:  We asked organizations what risk types they actively assess or monitor. 40% of companies indicated that they track risks like fraud, contractual risks, compliance and ethics, and reputational and financial risks - all of them in the "non-IT" bucket. Others, like modern slavery, anti-bribery and corruption, anti-money laundering, and ESG not so much.

Companies overlook non-IT risks because they can't quantify the risk like you can an IT security exposure, and, frankly, they may not be required to track non-IT risks. However, a company's tune will typically change when one of their suppliers is caught up in some sort of legal action, negative regulatory action, or bad press, or when there is a mandate to report on risks such as ESG or slavery in their extended supply chain. Being reactive to those risks puts you in a bad position.

VMblog:  Less than half of organizations track risk in later stages of the vendor lifecycle. Why does tracking decrease as the relationship lifecycle matures, especially during offboarding and termination stages, and what are the ramifications of this?

Hibbert:  It comes down to visibility - there is a lot of visibility into new vendors and suppliers at the beginning of the relationship. You have to ensure the contract has the right terms to protect the company. You have to make sure the new vendor can deliver and they can pay their bills. You need to make sure they don't introduce new cyber risks into your environment. You have to make sure there isn't legal action against them or a bad regulatory finding. You have to check their reputation. And so on.

Once established and you've got a good working relationship with the vendor or supplier, maybe you're only looking at risk annually during a contract renewal. Is there someone watching whether SLAs are being met? Is that information widely shared to inform contract renewal decisions?

With offboarding, if termination procedures aren't followed and you haven't validated that the vendor destroyed your customer data, or terminated physical or logical access to systems and data, you could end up with a regulatory finding and associated fines levied against you if that data is compromised.

VMblog:  Associated risks with third-party vendors and suppliers are inevitable. What does this mean for the state of the supply chain going forward, especially in light of already continuous cyber disruptions?

Hibbert:  There will always be risk, and you will never get to zero, so it's all about adjusting your risk appetite accordingly. Your risk appetite should be different for every third party you work with. This happens through a tiering and categorization exercise. For example, the folks that supply wiring to your final product may present mostly limited risk to your company due to the ability to swap out wiring suppliers pretty easily. But the folks hosting your data center or supplying the essential widget to your product should be high-risk because switching costs are so high and disruption is inevitable. The bottom line is that you can't see every supplier through the same risk lens; you have to bucket your suppliers and treat them accordingly.

VMblog:  For organizations wanting to get on the path to TPRM success, what areas of improvement are most strategic?

Hibbert:  First, you have to look at third-party risk holistically - everything from contractual, reputational and financial risk to cyber risk and ESG-type risks. That complete picture is much more contextual. Next, and this goes along with the first point, look at uniting your toolsets. You've got a handful of tools tracking and managing risks of multiple types in your organization, and they're likely operating in silos anyway. Tying them together will help you come audit time.

Third, you have to get more proactive about third-party incident response. By proactive I mean have a plan, people, processes and tools in place and continually test them so that when the next SolarWinds happens you can quickly find out which of your third parties is using that solution and what their remediation plans are. The board is going to ask, and waiting a couple weeks for an answer won't sit well with them. Trust me on that one.

Finally, you have to close the loop on the third-party lifecycle and have processes and tools in place to continuously monitor vendor performance and offboarding tasks. Don't get comfortable with an existing vendor relationship because they haven't been breached.

VMblog:  This has been great! How can VMblog readers get their hands on the full study to learn more?

Hibbert:  You can go to to download the full eBook and get a neat infographic that summarizes the key points.


Published Friday, May 13, 2022 7:30 AM by David Marshall