- The pace of change in the business environment has never been higher. Organizations, and their vendors, must be able to adapt their plans to accommodate risk on an unprecedented scale.
- A new global disruption can affect your organization at any time. Monitor threats continuously and keep your plans flexible enough to manage the consequences.
Our Advice
Critical Insight
- Identifying and managing the security risk a vendor poses to your organization requires people across several business functions. All of them need coaching on how changes in the market can introduce new risks.
- Organizational leadership is often caught unaware during a crisis, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.
Impact and Result
- Vendor management practices educate organizations on the potential risks from vendors in their market and suggest creative and alternative ways to avoid and manage them.
- Prioritize and classify your vendors with quantifiable, standardized rankings.
- Focus your effort on your high-risk vendors.
- Standardize your processes for identifying and monitoring vendor risks so you can manage potential impacts, using our Security Risk Impact Tool.
Identify and Manage Security Risk Impacts on Your Organization
Know where the attacks are coming from so you know where to protect.
Analyst perspective
It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.
Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group
We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.
Most people are aware of defense strategies that help keep their organization safe from direct attack and insider threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks from n-party vendors are increasing.
Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected, as suppliers, manufacturers of base goods and materials, and rising transportation costs all affect the global economy.
"Trust but verify," while a good concept, should give way to the more effective zero-trust model, which assumes that an incident is not a matter of if but when.
Executive Summary
Info-Tech Insight
Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.
Info-Tech’s multi-blueprint series on vendor risk assessment
There are many individual components of vendor risk beyond cybersecurity.
This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
Security risk impacts
Potential losses to the organization due to security incidents
- In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
- Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.
The world is constantly changing
The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.
When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.
Below are some figures from the last few years that few organizations anticipated:

| 62% | 83% | 84% |
|---|---|---|
| Ransomware attacks spiked 62% globally (and 158% in North America alone). | 83% of companies increased organizational focus on third-party risk management in 2020. | In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years. |
| One Trust, 2022 | Help Net Security, 2021 | Deloitte, 2020 |
Identify and manage security risk impacts on your organization
Due diligence will enable successful outcomes.
What is third-party risk?
Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).
Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).
It is essential to know not only who your vendors are but also who their vendors are (n-party vendors: fourth parties and beyond). Organizations often overlook that their vendors rely on others to support their business, and each of those layers can add risk to your organization.
Identify and manage security risks
Global Pandemic
Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.
Vendor Breaches
The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.
Resource Shortages
A lack of resources is often overlooked as a cause of security incidents, even though it is easy to recognize after the fact. All too often, companies are unwilling to dedicate resources to assessing and continuously monitoring their vendors' security risks. Only after an incident occurs do they decide it is time to reprioritize.