As we move towards more and more regulated environments, compliance with these regulations comes as an overhead for the organization, as well as for its 3rd and 4th parties. How should third party risk management practices evolve to be smoother and more efficient?

CIO, 2 months ago
TBH I don't think 3rd or 4th party risk should be treated any differently to in-house risk. The risk needs to be understood, documented and tracked/managed, and then any associated risk appetite should reflect the ability to spend against that risk appetite and/or have governance of the risk. For example, having a LOW risk appetite for cyber events is fine, but this means lots of money needs to be thrown at reducing your cyber risk factors, and many companies can't afford this level of spend on cyber, so having a LOW risk appetite when you can't afford it is pointless. The same goes for 3rd or 4th party risk. If you do not have full control of the risk then you have to adjust your risk appetite and associated activities, but if a 3rd or 4th party risk is too great for your organisation to tolerate then the risk exposure needs to change... suggesting the 3rd or 4th party needs to change.
Group Director of Information Security in Banking, 2 months ago
3rd and 4th party risk management from a cyber perspective, if done in accordance with the boilerplate templates of NIST/ISO etc., needs a mini-department in itself, which is neither sustainable nor something for which an ROI can be shown to the business.
An effective middle ground needs to be put in motion as part of an integrated digital risk management framework.

1. Classify business processes in order of criticality (through business impact analysis as part of the BCM process).
2. Map critical processes to their underlying applications.
3. Demarcate applications into IaaS / PaaS / SaaS.
4. Identify, using the cloud shared responsibility model, those business-critical applications (and their underlying stack) whose daily operations and management are part of the customer's responsibility.
5. Demarcate these customer-side responsibility holders between in-house vs 3rd/4th parties.
6. Subject these third parties to the risk management framework.

Steps 1-5 should be part of the inventory/asset management process undertaken by IT and form part of IS governance.

Step 6 can lie with the infosec / risk management teams, thereby heavily reducing the effort and mapping that effort back to business processes to show the ROI of the time/money spent.