The risk of data loss and cyberattacks at the hands of third parties is changing the way businesses evaluate their suppliers and partners, according to a new study by Forrester Consulting conducted on behalf of BitSight. The study shows that as pressure from regulators and security frameworks ratchets up, enterprises are looking for better ways to institute third-party oversight while still keeping line-of-business objectives in mind.
"As such, there is significant appetite for monitoring various elements of third-party security, yet few firms have the resources to do so with adequate frequency or objectivity," Forrester reported.
More than one in five dollars spent on IT today goes to third-party suppliers, according to the report. That equals $270 billion spent annually in the US alone.
Security concerns about managing third-party risk outpace concerns about whether suppliers actually deliver the product they were hired to provide. The biggest concerns are the risk of losing or exposing company data, which 63 percent of respondents said they would be interested in tracking and managing, and the added risk of cyberattack introduced by a supplier, which 62 percent of organizations would be interested in tracking and managing. That compares with just 55 percent of organizations seeking to track and manage how well a supplier delivers the quality and timeliness of services as contracted.
"IT decision-makers aren’t just looking at the strategic value of their third-party relationships. In fact, they’re very interested in getting down to brass tacks," the report said.
This is not surprising given IT organizations' overall security objectives for the next 12 months. Approximately 79 percent of decision-makers reported that ensuring business partners and third parties comply with the organization's security requirements is a top security priority. The only two higher priorities were achieving regulatory compliance and addressing existing threats and vulnerabilities, both of which could arguably be folded into the third-party risk equation.
The study showed that the most valuable types of information for tracking third-party risk would be how well those parties manage threats and vulnerabilities, how secure their encryption policies and procedures are, and how effective their security incident response processes are.
However, the reality is that most organizations today are not tracking these and other security-related metrics with anything near the frequency they would like.
"Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59% indicated a desire to track and monitor," Forrester noted. "Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency."