TMCnet News
RiskRecon Publishes Industry's Most Revealing Look at How Companies Manage Escalating Third-Party Cyber RiskRiskRecon, a rapidly-growing company transforming management of third-party cyber risk, today published the inaugural Third-Party Security Risk Management Playbook. Based on in-depth interviews with security executives from 30 participating organizations across multiple industries, the Playbook reveals how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships. The study identified 14 vendor-neutral capability sets comprising 72 common, emerging, and pioneering practices that firms have implemented to manage third-party security risk. As a study of real-world third-party risk management programs, the Playbook is a valuable tool executives can use to benchmark their own programs and gain insight into pioneering practices other firms are adopting. The Playbook is a free download available here: https://www.thirdpartyplaybook.com Key findings include:
Brian Johnson (News - Alert), a CISO consultant and a former CISO of LendingClub, said, "CISOs know that effective third-party security risk management is essential for protecting their enterprise, yet many lack the data necessary to appropriately understand and prioritize third-party risk exposure. The best thinking on solving risk lies within industry, where practitioners are solving real enterprise risk problems every day. The Playbook captures these practices, providing a resource that risk managers can reference in enhancing their programs." The capability sets and practices described in the Playbook span three domains: Program Management, Risk Assessment, and Monitoring & Response. The Playbook shows the percentage adoption rate of each practice so that readers can quickly identify practices that are common versus pioneering. The pioneering practices, which have a less than 25 percent adoption rate, largely involve capabilities leveraging objective data to better assess and manage third-party risk performance. "Traditional methods of assessing vendor risk performance using questionnaires reveal the investments companies have made in managing risk. The pioneering use of objective data reveals how well companies implement and operate their security risk management program," said Kelly White. The Playbook authors discovered the initial third-party security risk management framework through roundtable discussions conducted with risk executives throughout the U.S. and the U.K. The authors then used this framework to conduct detailed interviews of executive owners of third-party risk management programs to arrive at the final Playbook. RiskRecon's objective for the Playbook is to provide practitioners a guide for building and operating their own third-party risk management programs, founded on the community of capabilities and practices developed by their peers. Readers interested in contributing insights and data to the next edition of the Playbook can contact [email protected].
Join The Playbook Discussion:
Follow RiskRecon: About RiskRecon RiskRecon's continuous monitoring solution delivers risk-prioritized action plans that enable precise, efficient elimination of your most critical third-party security gaps. Our data-driven SaaS (News - Alert) service relies on passive, direct analysis of Internet-facing systems to quantify risks and provide straightforward evidence necessary for remediation. Rather than producing a laundry list of issues, RiskRecon's custom analytics quantify true risk by determining each system's issue severity and asset value. Only RiskRecon enables you to build a scalable, third-party risk reduction program that compresses remediation cycle time, improves analyst productivity, and ensures constructive vendor collaboration. Learn more at www.riskrecon.com. View source version on businesswire.com: http://www.businesswire.com/news/home/20180221005680/en/ |