Companies must build a “trust and verify” strategy when it comes to managing third party risk. Requesting documentation about a supplier’s security performance is good – but how can you verify it? How can you continuously review performance? These are important issues facing organisations today. The bottom line is that organisations can follow every best practice in the cyber security book – but their third parties must follow through with the same security obligations so that the supply chain is protected from risk.
Companies must continuously assess and review the security posture and performance of all partners, in order to gain visibility into the changing threat landscape and to prioritise risk-mitigating actions. As vendor ecosystems continue to expand, the importance of having the tools in place to analyse third-, fourth- and even fifth-party risk has never been higher than it is today.
But where do you start?
A good approach is to tier your third parties based on criticality – prioritise your efforts on those who have access to the most sensitive data or are providing the most important services. To get immediate insight, leverage publicly available data…