Enterprise third-party risk management (TPRM) programs have been around for a half-decade or longer, and at this point most large organizations run one. However, many of these TPRM programs only provide a thin veneer of cybersecurity assurance.
Recent data indicate that these programs are inconsistent (at best) when it comes to digging deep enough for clues of security issues lurking in the enterprise’s vendor and partner ecosystem. Even more troubling? Very few TPRM security assessments result in remediation action.
So TPRM programs are nominally jumping through hoops, asking vendors about their security controls or observing those controls directly. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments.
This was one of the key findings of a recent report compiled by Cyentia Institute on behalf of RiskRecon. Conducted among 154 TPRM professionals operating in a range of industries, the study showed that a whopping 81% of respondents admit they rarely require remediation from third parties after an assessment.