RiskRecon and Whistic recently published a report that examines why and how investment in security continues to rise, especially around vendor risk management. The study contains a number of key stats worth pointing out, and we wanted to showcase a few: 60% of businesses have incorporated more technology to manage their cybersecurity and third-party risk in the last five years than in all previous years; 80% of businesses have a cyber risk monitoring and management program in place; 64% of respondents from our survey indicated that their cyber risk program was either advanced or mature; and 71% of respondents report program metrics to internal leadership or outside of security business functions.
Kelly White (RiskRecon founder) and Jake Bernardes (acting CISO of Whistic) discussed trends in cyber risk and how you can maximize your investment in vendor risk management technology to keep your company safe and secure from third-party threats. Below are their thoughts on the current state of third-party risk management.
Kelly White: I think that the state of third-party risk management is largely a reflection of the underlying conditions of the broader cybersecurity risk landscape and the management of it at companies across all industries. I say that because when you're thinking about third-party risk management, most companies are really thinking on a very macro scale, which must be taken into consideration. What are some of the underlying themes that we have to deal with? There has been an increase in spending on cybersecurity technologies to manage cybersecurity risk better. That's good. Gartner's latest spend forecast showed a 12-plus percent annual growth rate through 2026, where the world will be spending about $270 billion on cybersecurity, but we're working from quite a deficit.
Firms have increased spending, but a lot of that is spent on technical debt or cybersecurity debt. And not everybody has a tremendous debt. There's a lot of organizations that are doing well, and there's a subset of companies, and according to our stats, around 33% of organizations that are doing really, really poorly, like manifesting gross negligence that is easily observed in the way they deploy and manage and configure their internet-facing systems. And so how did we get here? Where are we just at a fundamental theme level? A lot of organizations have been doing the right things, and those are the companies that you want to be doing business with of course, but there are still a lot of firms in deficit. That is one theme to consider as we examine the state of TPRM.
The other theme is that companies used to be able to survive. It wasn't a big deal if a third party had a significant deficit in the past, maybe 10 years, not so much, but today and over the last three years with the press of ransomware attacks and the monetization of cyber-criminal activity, it's just increased the threat pressure to the point now that those deficits really matter. There’s a lot of catching up to do. I think that it's important to set out those themes which underlie third-party risk management. You have this broad ecosystem of companies of different sizes, geographies, different cultures, different industries, and then on top of that, you have a subset of those objectively we know have some significant cybersecurity deficit. We're really seeing an increase in undesirable risk outcomes that are affecting not only the third party but in a large scale, their customers. And in some cases, hundreds of customers in one shot.
Jake Bernardes: When I was asked as a consultant to do kind of VRM type engagements five years ago, five, seven years ago, the numbers mentioned at the outset would've been nowhere near those. 71% reporting internal metrics of leadership, that would've been 30, 40%. The fact that they have a kind of cyber risk problem, particularly with a VRM focus was mature at 64%, 20, and 30%. The fact that there's live monitoring going at 80% is very impressive. These are positive, powerful numbers. It is important to step back to understand how did we get here and why is it now more relevant than it's ever been? You could historically just go, "They're vendors, who cares?" Right? I buy their product, I put it into my infrastructure, I secure it, I build the walls, I build the chains, I put the government on the toll rates, and I know it's solid and protected and secure. That isn't true anymore.
We all now use so many SaaS tools, that the way that we buy and consume software products has changed dramatically. I look at us as a company, Whistic, and I think 90, 95% of what we kind of have as a company is all SaaS. Not only that, but we sell a SaaS product, and most entities now do. Particularly when you look at kind of how the market wants you to go towards an IPO, whatever it might be, or an Excel opportunity that you know that SaaS is the future and the way to do them. So, what's left is all companies consuming SaaS and all companies want to sell SaaS to get into the tech space. And that means suddenly our ecosystem is much more tightly knit than it was. Those products that I used to buy and put in my infrastructure, I'm not taking my data and putting in their infrastructure.
And suddenly that changes the risk profile a lot. That means that I've got to make sure I do a lot more validation and verification of the security posture of that business. If I'm going to place my customers, my end users, and my reputational data there, I want to know that they're secure. I want to understand the vulnerabilities that they've got and understand how they're tackling and mitigating them. I think that's key. If you talk about how we got to where we got to, we changed how we consumed the new software entirely from how we did a decade ago. And that means we need to entirely change how we approach vendor risk from how we did a decade ago.
KW: There are a lot of businesses that appear to be doing cybersecurity hygiene and risk management from what we can see on the outside quite well. There is, as I said, about 33% that are just negligent in there. That is why I think where we're at today is okay, if you have these data points and if, and I think the reality bears those out, how do you manage your risk in your supply chain, where you know that maybe seven out of the 10 are fantastic and the trick then is how do you quickly understand that and then direct your attention, discovering that the problem areas and direct your attention to where it's really needed. There are a lot of organizations doing good things well and so it's a good set of stats that I think accurately reflects where we are at. And it's in that gap below 100%, where you really have that large concentration of risk.
JB: It's important then to understand what those companies represent. If we are saying 70% are good and 30% are bad, then it's understanding what do I do with those? You must take an informed, educated approach to kind of supply chain risk. Are these firms managing risk poorly just holding my marketing assets? Are they holding end-user customer data or PII stuff? It might be relevant to GDPR or CCPA or a regulatory element. They could expose us to breaches or fines. These thoughts all need to be in play. It's not just understanding what is the risk posture of various entities in my supply chain, but what is my relationship with those entities? Because that weighs massively on how much importance is placed on the score, metric, or understanding I have of their risk posture.