Far, Wide, and Worrisome: Third-Party Blind Spots Bring Risk

This blog was originally published by OneTrust here.

Whether it’s legal, procurement, human resources, security — every business unit within an organization is optimizing a network of vendors, also known as third parties. Those vendors, while specializing in specific functions that boost speed and production for their own clients, are as equally susceptible to risk in any form, be it security breaches or due diligence non-compliance.

And that can be a huge problem.

In partnership with OneTrust, CyberRisk Alliance conducted a survey of 301 IT professionals in the fall of 2021 to understand just how noisy and clouded the third-party risk landscape has become in the wake of a global pandemic with the need for digital solutions to grow exponentially.

Third-party risk is an ever-evolving threat. Download this white paper to learn more.

What is clear from the survey is there are a ton of blind spots across these individual networks, and the majority of businesses are unable to address them.

What can you see in the supply chain?

The survey encompassed a mix of businesses from small (1-99 employees) to enterprise-sized (10,000+ employees), ranging in industries from manufacturing to retail to finance and healthcare, among others. According to the survey, 44% of companies are working with a network of third parties in the double digits, with 24% working with more than 50 vendors.

What companies are struggling with, however, is not just what they can’t see in the network, but what critical information is accessible to those vendors. Over the past two years, 60% of businesses suffered an IT security incident due to a third-party partner with access privileges.

According to the white paper, Third-Party Risk: A Turbulent Outlook:

• 59% of businesses can’t see its most critical third-party direct dependencies
• 74% can’t see the full map of interdependencies across all tiers in the supply chain

Who’s in charge of vendor risk?

With all that in mind and the growing third-party network for each business unit within an organization, who’s in charge?

The stakeholders who own the third-party risk management (TPRM) programs need to take a collaborative approach to assess their vendors and understand each one’s true impact on the business. In order to break down those silos, the same stakeholders need to reach across the aisle and collaborate with critical risk counterparts such as IT and security, privacy, ethics, and even Environmental, Sustainability, and Governance (ESG).  

Who owns vendor risk?

Answering the question of ‘who owns third-party risk’ is not about pinpointing a specific person or role within the organization. Rather, all businesses and their stakeholders have a hand in making sure third-party risk management is both in place and informed on how outsourced products, assets, and services enable associated business units within the company.