In the final blog of our three-part series, guest authored by Forrester senior analyst Paul McKay, we discuss what third-party risk information is being shared with board/executive members, key measurements when building a strong third-party risk program and examples of how organizations are using cybersecurity risk ratings data today.
Paul McKay: At present, you are seeing information being shared that is very audit centric and more about counting audit issues of certain severity that come up via third-party risks. There is also likely to be a focus on a small number of high-risk suppliers that are crucial to the delivery of substantial components of overall business revenue. I am beginning to see some security executives use ratings to show the cyber posture of the supply chain more holistically to give a sense of the security capabilities of key third-party suppliers as well. This is earlier in its development, but boards like the simplicity of the concept and it has helped level the communication between technical security professionals and a non-technical business audience. I see this continuing in prominence in the coming years as a component of board-level communication about third-party risk issues.
RiskRecon: Could you describe some key measurements or results that an organization should look to reach when establishing a strong third-party risk management program?
Paul McKay: In my mind, the key measurement here is risk reduction achieved through driving remediation action with third parties. From a board perspective, this is but one data point in how they assess third-party risk. If the overall risk posture is reduced, because suppliers' risk postures are getting lower, this helps. This can be measured by looking at something like a rating as one way of doing it, or qualitatively by tracking the reduction in the frequency and severity of security issues picked up from the third-party risk program. I think ultimately what the board wants to be assured of is that a third-party security risk materializing does not substantially impact the ability of the business to generate revenue and deliver its services to its customers.
RiskRecon: For security leaders seeking to use ratings data in their processes, how have you seen this done and what are some of the best practices for operationalizing this technology?
Paul McKay: Security leaders are presently looking at how they map not just the overall ratings but the detailed ratings data to controls. What they are looking to do is to see how the questionnaire responses, obtained from vendors, measure up to what the ratings data shows is really happening in their external footprint. So, if a vendor is saying it has a beautifully defined patching process, which is always up to date, but the ratings data shows that the external infrastructure is full of critical and high-risk vulnerabilities, then you know there is a consistency problem that you can investigate further. At present, much of this effort is manual, so many security leaders are starting to explore integrations with existing GRC toolsets and other technology that they are using for their broader third-party risk management program.
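The questionnaire-versus-ratings reconciliation described in the answer above, written out as a small added example. This is illustration code, not RiskRecon's, Forrester's or Paul McKay's own tooling: the control names, the mapping from each questionnaire control to externally observable finding categories, the severity weights and the sample vendor data are all assumptions constructed for the example. It generalizes the patching case in the text to any control for which a "yes" answer can be checked against external findings, and returns the contradictions ranked so the largest gap is investigated first.

```python
"""Reconcile vendor questionnaire attestations with external rating findings.

Added example; the control names, questionnaire keys, finding categories and
weights below are assumptions for illustration, not any ratings vendor's schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Each questionnaire control (what the vendor CLAIMS) is mapped to the
# finding categories that external ratings data would surface if the claim
# were untrue. Assumed mapping, not a standard.
CONTROL_TO_FINDINGS = {
    "patch_management": ["critical_vuln", "high_vuln"],
    "tls_configuration": ["weak_tls", "expired_cert"],
    "email_security": ["missing_spf", "missing_dmarc"],
}

# How strongly one observed finding of each category contradicts a "yes"
# answer. Assumed weights; tune to the organization's own risk appetite.
SEVERITY_WEIGHT = {
    "critical_vuln": 3, "high_vuln": 2,
    "weak_tls": 2, "expired_cert": 1,
    "missing_spf": 1, "missing_dmarc": 2,
}


@dataclass
class Discrepancy:
    vendor: str
    control: str        # questionnaire control the vendor answered "yes" to
    evidence: dict      # finding category -> count observed externally
    score: int          # weighted contradiction score; higher = bigger gap


def reconcile(vendor: str, questionnaire: dict, findings: dict,
              tolerance: int = 0) -> list[Discrepancy]:
    """Return the controls a vendor attests to that the external findings
    contradict by more than `tolerance` (weighted). Controls answered "no"
    are not flagged: that answer is already consistent with the findings and
    belongs to the normal risk-acceptance path, not the consistency check."""
    discrepancies = []
    for control, categories in CONTROL_TO_FINDINGS.items():
        if not questionnaire.get(control, False):
            continue
        evidence = {c: findings[c] for c in categories if findings.get(c, 0) > 0}
        score = sum(SEVERITY_WEIGHT[c] * n for c, n in evidence.items())
        if score > tolerance:
            discrepancies.append(Discrepancy(vendor, control, evidence, score))
    # Largest contradiction first, so analysts investigate the biggest gap first.
    return sorted(discrepancies, key=lambda d: d.score, reverse=True)


# Constructed sample input: the vendor claims patching and TLS are in order,
# admits it has no email security control; external ratings data disagrees
# on patching only.
SAMPLE_QUESTIONNAIRE = {
    "patch_management": True,
    "tls_configuration": True,
    "email_security": False,
}
SAMPLE_FINDINGS = {"critical_vuln": 4, "high_vuln": 7, "missing_dmarc": 1}


def demo() -> list[Discrepancy]:
    """Run the reconciliation on the constructed sample vendor."""
    return reconcile("example-vendor", SAMPLE_QUESTIONNAIRE, SAMPLE_FINDINGS)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.vendor}: attests to {d.control} but external findings "
              f"{d.evidence} contradict it (score {d.score})")
```

In practice the questionnaire dictionary would come from the GRC tool's vendor record and the findings dictionary from the ratings provider's detailed export; the `tolerance` parameter lets a program accept a small amount of noise (a single expired certificate, say) without opening an investigation, while a dense set of critical and high findings against a "we patch everything" answer is flagged immediately.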
Download this new report from Forrester, Cybersecurity Risk Ratings Market Outlook, 2020 And Beyond, to learn more about key trends and business cases you can expect over the next 12 to 24 months. This is a must-read for security and risk professionals.