Third-Party Risk Management Program

If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner, contractor or reseller, or the use of IT software or platform, or another service provider. Organizations are now sharing data with an average of 730 third-party vendors, according to a report by Osano, and with the acceleration of digital transformation, that number will only grow.

The Importance of Third-Party Risk Management

With more organizations sharing data with more third-party vendors, it shouldn't be surprising that more than 50% of security incidents in the past two years have stemmed from a third-party with access privileges, according to a CyberRisk Alliance report.

Unfortunately, while most security teams agree that supply chain visibility is a priority, the same report notes that only 41% of organizations have visibility into their most critical vendors and only 23% have visibility into their entire third-party ecosystem.

The reasons for the lack of investment into Third Party Risk Management (TPRM) are the same that we consistently hear – lack of time, lack of money and resources, and it's a business need to work with the vendor. So, how can we make it easier to overcome the barriers to managing third-party cyber risk? Automation.

The Benefits of Automation

Automation empowers organizations to do more with less. From a security perspective, here are just some of the benefits automation provides, as highlighted by Graphus:

  • 76 % of IT executives in a cybersecurity survey said that automation maximizes the efficiency of security staff.
  • Security automation can save more than 80% over the cost of manual security.
  • 42% of companies cited security automation as a major factor in their success at improving their cybersecurity posture.

With regards to TPRM, automation can transform your program by:

Step 1 - Assess your vendors with Continuous Threat Exposure Management (CTEM)

Continuous threat exposure assessments include comprehensive assessments that incorporate the following:

  • Automated asset discovery
  • External infrastructure/Network Assessments
  • Web application security assessment
  • Threat intelligence informed analysis
  • Dark web findings
  • More accurate security rating

This is a more comprehensive analysis of third parties compared to just sending questionnaires. A manual questionnaire process can take between 8-40 hours per vendor, provided that the vendor responds quickly and accurately. But this approach doesn't allow the ability to see vulnerabilities or validate the effectiveness of the required controls in a questionnaire.

Incorporating an automated threat exposure assessment capability and integrating it with questionnaires can reduce the time to review vendors, and we've found that the combination can reduce the time to assess and onboard new vendors by 33%.

Step 2 – Use a Questionnaire Exchange

Organizations that manage many questionnaires, or vendors that respond to many questionnaires, should consider using a questionnaire exchange. Simply stated, it's a hosted repository of completed standard or custom questionnaires that can be shared with other interested parties upon approval.

If you select a platform that performs the automation described above, both parties get a verified and automated approach to the most recent questionnaires that are auto-validated by continuous assessments. Again, this can save your team time by requesting access to existing questionnaires or scaling their time in the response of a new questionnaire that can be reused upon request.

Step 3 - Continuously combine threat exposure findings with the questionnaire exchange

Security ratings alone don't work. Using questionnaires alone to assess third parties doesn't work. Threat exposure management, which incorporates accurate security ratings from the direct assessments, combined with validated questionnaires - where the questionnaire is querying the assessment and updating the security rating - provides you with a powerful solution for continuous Third-Party Risk Management. Platforms that use active and passive assessments, and don't solely rely on historical OSINT data, provide the most accurate attack surface visibility – since it's of a third-party at that time.

This information can be leveraged to auto-validate the applicable controls in the questionnaire for security and compliance framework requirements and flag any discrepancy between the client answer and the technology assessment finding. This gives organizations a real "trust but verify" approach toward third-party reviews. Since this can be done quickly, you can be notified when third parties become non-compliant with specific technical controls.

Organizations looking to maximize the efficiency of their third-party cyber risk management program should look to add automation to their processes. In more difficult macro-economic environments companies can turn to automation to reduce the toil that their team performs, while still achieving progress and results, in exchange for team members being able to focus on other initiatives.

Note: Victor Gamra, CISSP, a former CISO, has authored and provided this article. He is also the Founder and CEO of FortifyData, an industry-leading Continuous Threat Exposure Management (CTEM) firm. FortifyData empowers businesses to manage cyber risk at the organizational level by incorporating automated attack surface assessments, asset classification, risk-based vulnerability management, security ratings, and third-party risk management into an all-in-one cyber risk management platform. To learn more, please visit

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.