Three fundamental steps to begin addressing third-party risks

June 21st, 2017

By Byron V. Acohido

Managing third-party risk still does not command a high priority in all too many organizations – even after the apocalyptic Target data breach of 2013 that routed through an HVAC vendor.

But that’s slowly beginning to change. There is a growing recognition of the sprawling exposures that are being shaped as companies increasingly outsource mission-critical IT functions to third parties – suppliers, contractors, hosted services and the like that require network access.

Some 75% of the IT professionals recently surveyed by the Ponemon Institute acknowledged that the risk of a breach from a third party is serious and increasing. And another survey of senior executives by Soha System’s Third Party Advisory Group linked 63% of all data breaches directly or indirectly to access granted to suppliers and contractors.

I recently chatted at length with Brad Keller, Prevalent’s Senior Director of Third Party Strategy, about how regulators are moving to light a fire under companies to address third-party risk. We discussed how Prevalent and other security vendors have begun delivering innovative systems to help companies efficiently assess – and continually monitor — third-party risks.

One question Keller told me he gets consistently from CISOs at companies of all sizes is: “Where do we begin?” We discussed three fundamental steps for addressing third-party risk:

Know your vendors

Start by compiling a complete and accurate list of all the vendors your company deals with and the specific services each provides.

“I continue to be amazed, in this day and age, how many companies cannot provide such a list,” Keller says. “They just have not done it. I’ll go in and say, ‘Who are all your vendors?’ And someone will say, ‘I don’t know. I guess there’s a list somewhere in procurement.’”

Any organization should be able to do this first step. Keller advises starting at accounts payable. “It’s not just about going through procurement contracts,” he says. “Accounts payable is really a fertile source of finding vendors you did not know about, because nobody works for free.”

Depending on the size of your organization and how decentralized it may be, making a comprehensive list of suppliers and contractors can take anywhere from a few weeks to a few months, he says.

Risk rate your vendors

The second step, then, is to rank all of your vendors by the level of access they’ve been granted to your network – and also the importance of the service they provide. A vendor who supplies marketing fliers doesn’t need deep access and can be quickly and easily replaced. But it would take time and effort to replace the hosted services vendor running your mission-critical applications, Keller notes.

In addition to improving security, risk rating vendors and services is a useful exercise that can provide more operational clarity.

“It’s difficult only because people haven’t done it,” Keller says. “Three primary factors go into risk rating: what kind of data do they have; what kind of system do they access; and what are the availability requirements. And by that I mean if this vendor doesn’t provide me with their service, what does it do to my ability to deliver my services.”

Cull your vendors

The final step is to do due diligence about how good a job key suppliers are doing to protect sensitive information. “In risk terminology, you’re now down to assessing the residual risk that’s left over — by finding out how well those companies protect your data in the system,” Keller says.

Based on what you find out about each vendor’s particular security practices, you can then make an informed decision about whether to accept what’s in place or to request specific improvements. Or it may be time to take steps to replace the vendor.
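The three risk-rating factors Keller lists (data held, systems accessed, availability requirement) and the residual-risk decision in this final step can be turned into a simple scoring model. The following Python is an added example, not code from the article or from Prevalent; the ordinal scales, tier thresholds, the control-effectiveness weighting and the vendor inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Ordinal scales (1 = low, 3 = high) for the three inherent-risk factors
# Keller lists: data handled, systems accessed, availability requirement.
DATA = {"public": 1, "internal": 2, "confidential": 3}
ACCESS = {"none": 1, "limited": 2, "privileged": 3}
AVAILABILITY = {"nice-to-have": 1, "important": 2, "mission-critical": 3}

@dataclass
class Vendor:
    name: str
    data: str          # most sensitive class of our data the vendor holds
    access: str        # level of access granted to our systems or network
    availability: str  # impact on our own service delivery if the vendor fails
    # Control effectiveness (0.0 none .. 1.0 fully effective) found during
    # due diligence; None means the vendor has not been assessed yet.
    control_score: Optional[float] = None

def inherent_risk(v: Vendor) -> int:
    """Inherent risk before any assessment: sum of the three factors, 3..9."""
    return DATA[v.data] + ACCESS[v.access] + AVAILABILITY[v.availability]

def tier(score: int) -> str:  # assumed thresholds used to schedule due diligence
    return "critical" if score >= 8 else "high" if score >= 6 else "medium" if score >= 4 else "low"

def residual_risk(v: Vendor) -> Optional[float]:
    """Risk left over once the vendor's own controls are taken into account."""
    return None if v.control_score is None else inherent_risk(v) * (1.0 - v.control_score)

def decision(v: Vendor) -> str:
    """Accept what is in place, request improvements, or plan a replacement."""
    residual = residual_risk(v)
    if residual is None:  # unassessed: low-tier vendors can wait, the rest cannot
        return "accept" if tier(inherent_risk(v)) == "low" else "assess"
    if residual <= 2.0:
        return "accept"
    if residual <= 4.0:
        return "request improvements"
    return "replace"

def prioritize(vendors: list) -> list:
    """Assessment order: highest inherent risk first."""
    return [v.name for v in sorted(vendors, key=inherent_risk, reverse=True)]

# Constructed sample inventory (assumed names and ratings, not from the article).
VENDORS = [
    Vendor("Marketing flyer printer", "public", "none", "nice-to-have"),
    Vendor("HVAC maintenance", "internal", "limited", "important", 0.1),
    Vendor("Payroll SaaS", "confidential", "limited", "important", 0.5),
    Vendor("Hosted ERP provider", "confidential", "privileged", "mission-critical", 0.8),
]
```

Running `decision` over `prioritize(VENDORS)` yields the assessment queue in order of inherent risk, with each vendor's accept, improve or replace outcome once its control score is known.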

These fundamental steps can be applied to companies of all sizes – operating in all positions in a supply chain. “This is an issue that all companies who rely on third party service providers to help them deliver goods and services need to be concerned about,” Keller says. “And if you’re a third party provider, you can expect that your clients, more and more, are going to expect you to mirror their third party risk programs.”

This article originally appeared on