The current state of third-party risk management (Security News, November 2020)
Third-party risk management professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute.
As a result, the study found that more enterprises are moving towards data-driven third-party risk management programs.
"In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide," said Kelly White, CEO, RiskRecon.
"Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise - rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor's risk management program. For example, rather than just trusting vendors' word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program."
"While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined."
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/SM3rBh6Edro/