As organizations outsource more and more functions to stay competitive and keep pace with technological change, third-party portfolios are ballooning. For Third-Party Cybersecurity Risk Management programs to remain sustainable, they are finding it imperative to prioritize where they spend effort. Only the third parties that pose the most significant inherent risk, with 'inherent risk' defined in increasingly specific terms so that it isolates those with the highest potential for negative impact, can be selected for manual assurance methods and techniques such as questionnaires, evidence review and on-site assessment.
While this prioritization is clearly necessary, in practice organizations are finding an unintended consequence: their 'Low' risk third parties are riskier than they used to be. Until relatively recently it was sustainable to classify a third party as 'Low' cyber risk only if its services involved no exchange or processing of organizational data. As data exchange and network connectivity have become the norm, this binary approach has become infeasible, and there are now significant numbers of 'Low' risk third parties which do pose material cyber risk…