Recently, RiskRecon founder Kelly White (RiskRecon is a Mastercard company) sat down with Sam Olyaei, Director at Gartner Research, and Errol Weiss, Chief Security Officer at Health-ISAC, to discuss their clients' experiences with recent trends in third-party risk management. Given the uptick in high-profile cybersecurity incidents that stemmed from third parties, fourth parties, and Nth parties, Kelly asked these experts whether they thought CISOs and Board members are paying more attention to third-party risk management now. Here are their thoughts:
Kelly White: Has the recent rise in third-party cyber incidents put third-party risk more on the radar of CISOs or Board members? Has the attention on the third-party risk front increased over the last five years? Where are we at today and why?
Sam Olyaei: I'll answer that with one statistic, and then maybe Errol can add some more color to it. In our (Gartner, Inc.) latest Board of Directors survey, in which we actually go out and survey Boards of Directors, the top two risks that they care about the most in the organization are compliance risk and cyber risk. And that's cyber risk of all kinds. If you look at that same survey three years ago, cyber risk wasn't even on this list.
Kelly White: I'm curious, how many risk types are on the list in the survey? Is it five? Ten?
Sam Olyaei: There are probably about seven or eight of those in there. I have a hypothesis that says the reason compliance and cyber are at the top of that list is that those are the two types of risks that board members specifically have no control over, or feel like they have no control over.
Errol Weiss: I think in the last five years, especially in the healthcare sector, and from what I've seen here specifically in the last three years, the ransomware players have done a terrific job of providing awareness, unfortunately, about the value of the data and the number of breaches that have happened. And then, of course, there are the impacts from ransomware across the sector when it comes to patient safety. It's definitely getting attention at the Board level, and I think, to Sam's point, the kinds of questions that I hear them asking are: Are we safe? Do we know who our critical suppliers are? Where are the risks in those third-party suppliers? Are there any concentration risks that we need to be aware of? And then, are we as an organization spending the right amount of money? What's our risk posture?
Of course, the answer to all of those questions is no.
We summarized the key insights from their conversation in a new paper, "Trends in Third-Party Risk Management." Check it out today!