Continuing along our journey of balancing third-party risk, we dive into the measurement of third parties - as observed by the data science team at Cyentia Institute - using the RiskRecon portal to examine the cybersecurity hygiene of vendors in our research.
Breaches among third parties are certainly an indicator of security posture but not a direct measure of it. We turn to measuring this now, and we’ll do this using two different methods. The first uses RiskRecon’s cybersecurity risk rating for each vendor, and the second examines the density of security findings detected during those assessments.
Cyber Risk Ratings
RiskRecon’s risk ratings are based on continuous assessments of the prevalence and severity of security issues and of the value at risk for the systems in which those issues exist. They provide a concise way to pinpoint concentrations of risk across the third-party ecosystem. Specific to this study, they offer a simple comparison of security posture among primary organizations and the vendors in their risk management portfolios.
If we simply compare the breakdown of scores among first and third parties in Figure 7, the results aren’t all that different and convey a false sense of relative equity among organizations. But that is often how statistics work. With so many organizations in each group, results inevitably trend toward the average.
Figure 7: Overall comparison of risk ratings between primary and third parties
Instead, we’re more interested in comparisons made within the context of each organization’s third-party ecosystem. Those results are more telling. We found that 99.5% of organizations have at least one vendor with an overall risk rating of D or F. Typically, though, less than 10% of the third parties monitored by each primary firm score Ds or Fs.
But keep in mind that first parties get D and F ratings too. For that reason, we think it more enlightening to compare the equity of risk ratings at the relationship level. Here, we learn that 86% of organizations have at least one third party with a risk rating worse than their own. If we extend the first-to-third-party rating comparisons across the entire vendor portfolio, we get the chart below.
Relative comparison of risk ratings within third-party relationships
A quarter of B2B relationships are balanced in the sense that first and third parties have the same risk rating. In what is likely to be an eye-opening and uncomfortable finding for many, organizations have a worse security posture than their third parties in just under half of all relationships we assessed. We can’t help but think of the adage, “Every time you point a finger in scorn, there are three fingers pointing back at you.” But third-party risk management is mostly about that first finger, so let’s keep our focus on that for now.
Per the chart above, just under 3 in 10 of all B2B relationships involve a third party with a worse risk rating than their primary sourcing firm. That varies among portfolios, of course, which is why we include the graph below for additional insight. Here, we see that the majority of firms fall at or below that 27% overall mark for relatively less secure vendors. But we also see many organizations for which over half of their third-party portfolio has worse risk ratings than their own.
Before leaving the topic of relative risk ratings among parties, we’ll note an interesting observation made in running these portfolio-level comparisons. Organizations with larger vendor portfolios tend to have a significantly lower proportion of worse-rated vendors. This may be due to more robust third-party risk management programs necessitated by larger supply chains. A muscle exercised is a muscle strengthened.
Proportion of relationships in which third parties rate worse than first parties
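To make the portfolio-level comparisons above concrete, here is an added example (not Cyentia’s or RiskRecon’s own analysis code) that reproduces the three kinds of figures discussed: the share of organizations with at least one D- or F-rated vendor, the relationship-level classification of each vendor as rated the same as, worse than, or better than the first party, and the per-portfolio proportion of worse-rated vendors split by portfolio size. It assumes a simple A/B/C/D/F letter scale (the post only mentions B, D and F explicitly) and runs over a small constructed set of organizations and vendors rather than real RiskRecon data.

```python
"""Portfolio-level comparison of first- and third-party risk ratings.

Added example, not Cyentia/RiskRecon code. Assumes letter grades A..F
(an assumption; the post only names B, D and F) and a constructed
mapping of organizations to their vendors' ratings.
"""
from collections import defaultdict

# Grades ordered best to worst; index in this string is the comparable rank.
GRADE_ORDER = "ABCDF"


def grade_rank(grade):
    """Return a numeric rank where a larger value means a worse rating."""
    grade = grade.strip().upper()
    if grade not in GRADE_ORDER:
        raise ValueError(f"unknown grade {grade!r}")
    return GRADE_ORDER.index(grade)


def compare_relationship(first_grade, vendor_grade):
    """Classify one B2B relationship as 'same', 'vendor_worse' or 'vendor_better'."""
    diff = grade_rank(vendor_grade) - grade_rank(first_grade)
    if diff == 0:
        return "same"
    return "vendor_worse" if diff > 0 else "vendor_better"


def portfolio_summary(first_grade, vendor_grades):
    """Summarise one organization's vendor portfolio relative to its own rating."""
    n = len(vendor_grades)
    outcomes = [compare_relationship(first_grade, g) for g in vendor_grades]
    d_or_f = sum(grade_rank(g) >= grade_rank("D") for g in vendor_grades)
    return {
        "portfolio_size": n,
        "has_d_or_f_vendor": d_or_f > 0,
        "share_d_or_f": d_or_f / n,
        "has_worse_vendor": "vendor_worse" in outcomes,
        "share_worse": outcomes.count("vendor_worse") / n,
        "share_same": outcomes.count("same") / n,
        "share_better": outcomes.count("vendor_better") / n,
    }


def ecosystem_summary(relationships):
    """Aggregate over all organizations.

    relationships: dict mapping org name -> (org grade, list of vendor grades).
    Returns organization-level prevalence figures (fraction of orgs with at
    least one D/F or worse-rated vendor) and relationship-level shares.
    """
    per_org = {org: portfolio_summary(g, vendors)
               for org, (g, vendors) in relationships.items()}
    n_orgs = len(per_org)
    all_outcomes = [compare_relationship(g, v)
                    for g, vendors in relationships.values() for v in vendors]
    n_rel = len(all_outcomes)
    return {
        "orgs_with_d_or_f_vendor": sum(s["has_d_or_f_vendor"] for s in per_org.values()) / n_orgs,
        "orgs_with_worse_vendor": sum(s["has_worse_vendor"] for s in per_org.values()) / n_orgs,
        "rel_same": all_outcomes.count("same") / n_rel,
        "rel_vendor_worse": all_outcomes.count("vendor_worse") / n_rel,
        "rel_vendor_better": all_outcomes.count("vendor_better") / n_rel,
        "per_org": per_org,
    }


def share_worse_by_portfolio_size(relationships, threshold):
    """Mean share of worse-rated vendors for 'small' vs 'large' portfolios.

    A portfolio with at least `threshold` vendors counts as large. This is
    the comparison behind the observation that larger portfolios tend to
    carry a lower proportion of worse-rated vendors.
    """
    buckets = defaultdict(list)
    for org_grade, vendors in relationships.values():
        summary = portfolio_summary(org_grade, vendors)
        bucket = "large" if summary["portfolio_size"] >= threshold else "small"
        buckets[bucket].append(summary["share_worse"])
    return {k: sum(v) / len(v) for k, v in buckets.items()}


# Constructed sample data (not real vendors): org -> (org grade, vendor grades).
SAMPLE = {
    "acme": ("B", ["A", "B", "C", "D"]),
    "globex": ("C", ["C", "C", "B", "A", "B", "C"]),
    "initech": ("D", ["B", "C", "F"]),
}

if __name__ == "__main__":
    result = ecosystem_summary(SAMPLE)
    for key in ("orgs_with_d_or_f_vendor", "orgs_with_worse_vendor",
                "rel_same", "rel_vendor_worse", "rel_vendor_better"):
        print(f"{key}: {result[key]:.3f}")
    print("share_worse by portfolio size:", share_worse_by_portfolio_size(SAMPLE, threshold=4))
```

The rank-based comparison is what lets the same function answer both the portfolio question (“does this firm have any D or F vendor?”) and the relationship question (“is this vendor rated worse than the firm that sources from it?”); the size bucketing at the end is the simplest form of the portfolio-size check the post describes, and a real analysis would use finer size bins.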
You can download the full report here to get access to all of the key learnings from our research. Additionally, if you would like to gain insight into the cybersecurity hygiene of the vendors in your ecosystem, you can get a free 30-day trial of the RiskRecon platform.
Stay tuned for the next piece in our blog series on Balancing Third-Party Risk.