The Risk Management Blind Spot

An ever-growing area of concentration in risk management is identifying and mitigating the risks that third parties introduce to an organization, and, perhaps equally important, ensuring that third parties do not introduce unmeasured risk. One might think that third-party governance systems, sometimes used for vendor assessments, could also be used to manage the identity and access management aspects of the vendor relationship. However, most security vendors do not treat identity as part of third-party management. In practice, an organization takes on the risk of a third party the moment it provisions that party access, whether or not the risk is measured, mitigated, or even known. Today it is common practice for risk management teams to assess a third party's risk controls by evaluating its responses to a Standardized Information Gathering (SIG) questionnaire. Unfortunately, vendor security assessments based on SIG answers may give the organization false confidence in the vendor's actual security posture, because the assessments:

• Are fairly superficial because they rely on an honest, accurate response from the vendor

• Focus only on the vendor organization's own practices, which leaves a risk management blind spot for the risks introduced by the vendor's individual users who access the organization's resources

In addition, onboarding processes are usually automated for employees but remain highly manual for third-party users. While not ideal, manual processes may meet the minimum needs of smaller organizations. For larger or highly regulated organizations, however, these manual processes are time-consuming, costly, and error-prone, and they expand the risk associated with third-party users. To manage third-party risk effectively, these organizations require a purpose-built, scalable solution that improves the granularity, transparency, consistency, and agility of their third-party risk management program.