Using Risk 360 To Assess Third Party Risk
3rd October 2023
Benjamin Wootton

In a previous blog post we introduced Risk 360, our new digital platform which we use to support the cyber remediation journey.
We wanted to spend some time explaining how we use the platform to reduce third party risks.
Organisations typically have a number of technology suppliers across realms including infrastructure, software, networks and data.
If these suppliers have poor information security practices, then they represent a risk to your business. They could allow access into your systems, misuse your data, or even cause compliance breaches for you.
Many information security professionals will use a rigid and outdated third party diligence form which they send to their vendors to understand their security practices, but these fall short in multiple ways:
- The supplier will always tell you what you want to hear
- They are only run once at the start of the relationship and rarely revisited
- They will often be filed away and not properly or critically risk assessed
We had more ambitious aims. We wanted to bring third party risk assessment onto a collaborative platform where it could be completed in partnership with the client and the vendors. We wanted to turn it into a continuous process where we continue to engage with the vendor to understand their current practices today and not just at the start of the relationship. And we wanted to apply automation to those assessments to identify risks that exist in the third party supplier network.
Finally, we wanted to break new ground and bring third party risk into our risk scoring models. If our organisation is secure, but our suppliers are not, then our organisation is ultimately at significant risk. Third party risk cannot be an afterthought and needs to be surfaced to all relevant stakeholders prior to remediation.
If your business works with a network of third party suppliers, please reach out to us for a demonstration of how Risk 360 can support better visibility of their security capabilities and information security risks.