Getting more bang from your third-party cyber risk management buck

Published on 07/03/2025 | Written by Heather Wright


Our TPCRM is failing. Here’s why, and how to fix it…

Christine Lee has some bad news for Australian and Kiwi cybersecurity leaders: Our third-party cyber risk management is rubbish.

The likes of the SolarWinds and MOVEit hacks have pushed third-party cyber risk management into the consciousness of boards and wider C-suite members, but the Gartner VP of research and content leader for the research company’s cybersecurity research team is clear that what companies are doing in the space leaves a lot to be desired.

And she’s got figures (albeit slightly old, dating from 2023) to back it up: A survey of 376 global organisations showed the majority were increasing their investments in third-party cyber risk (TPCR) management, increasing budgets, resources and staffing, and the deployment of tools and automation efforts.

But at the same time, 45 percent of organisations say TPCR incidents are increasing.

“We are spending tonnes of investment, but we can’t keep up because those incidents are increasing,” Lee told iStart.

“That indicates what we are doing is sub-optimal. It leaves a lot of room for improvement.”

She says that sub-optimal status is not really a surprise. When you look at what most companies are doing, they’re taking a ‘questionnaire-led, due diligence-led approach’ to understanding the cybersecurity posture of every organisation they do business with.

“Ultimately we all have limited resources and people tend to do that as a one-time thing and then don’t think about third-party risk for a year.

“This approach is not ideal. Some might say it is ulcer inducing.”

It’s a resource-intensive, highly manual, bureaucratic approach to ‘one of the most challenging mandates’ cybersecurity teams face, and it’s one that raises the question of how much management is actually being done.

“If we are honest, we can say we manage the hell out of third parties, we manage third-party processes, but we’re not really managing TPCR if by that we mean reducing the occurrence and impact of third-party related disruptions.”

And because it’s not necessarily tied to outcomes, the current approach by many is just not effective, she says.

Lee says it’s time to flip things and shift to an outcome-led approach – one that veers away from a focus on customised due diligence, and brings in the business to do their part in the process.

“We tend to focus a lot on process and activity, but those things aren’t necessarily tied to outcomes, which is a huge problem because then we just end up checking the box and doing mindless, bureaucratic paperwork – and no one is acting on any of that wonderful intel.

“Everything really needs to be connected to actionable outcomes, and if you don’t control those outcomes – and a lot of them you don’t, the business does – then organisational sponsors are so important, and you need to make sure you are investing in educating the business, socialising their responsibilities and collaborating with them so they have good will and an understanding of why it is in their interests to co-manage that risk with you.”

Effective TPCRM programs, according to Gartner, focus on three key outcomes:

– Risk management and resilience – which includes cybersecurity’s ability to implement third-party controls, and detect and contain the impact of third-party incidents

– Influencing business decision making – including third-party contracting decisions and the escalation of risk acceptance decisions to a risk-steering committee, and

– Resource efficiency – ensuring TPCRM operations are commensurate with the level of cybersecurity risk, scalable and conducted at a speed that business partners find satisfactory.

There is a massive upside to increasing your effectiveness on those outcomes, she says, noting that the upside isn’t just about security.

Top performers are 2.6 times more likely to avoid third-party related incidents and 2.1 times more likely to minimise the impact of those incidents when they do occur – but they’re also more likely to be ahead of peers in digital transformation initiatives, whether that’s measured as speed or value derived.

To get the resilience-driven, resource-optimised program, Lee advocates three basic principles which regression analysis suggests drive the collective set of outcomes.

The first is getting business, or organisational sponsor, accountability.

Forty percent of organisations surveyed by Gartner admit that their business or organisational sponsors accept risk outside of the enterprise risk tolerance.

Lee says too often cybersecurity tries to take on all the cyber work believing others don’t understand risk or what to do.

“That’s actually misguided because through the entire third-party lifecycle there are dozens of activities and cybersecurity can’t reasonably do them all. Nor should it, because a lot of those things are the comparative advantage of the business – things like conducting business criticality assessments or business impact assessments to understand what the critical assets are, what critical business processes are, which third parties are genuinely critical. Cybersecurity is not necessarily going to be the best party to do that.”

She urges cybersecurity leaders to insist on the business taking certain responsibilities, clarifying those expectations, codifying them and then socialising them throughout the lifecycle.

“It’s actually their relationships and their risk.

“Yes, do some education, some training, as much as it takes to ensure the business does these things competently, but don’t take over. Over time you need to build the capacity and competency to co-manage risk together or you will end up with shadow third-party problems and you’re never going to have enough resources to manage the increasing supplier networks we’re dealing with.”

She uses the example of German energy company RWE, which has a TPCRM policy built around a clear division of labour. Cyber evaluates risk, oversees monitoring and risk mitigation strategy, but the business is responsible for specific activities like conducting a business criticality assessment, getting attestations, and serving as the main point of contact with the third party throughout the lifecycle, including liaising on emerging threats and controls which need to be implemented.

“The pitch to the business is that you can go faster and more confidently if we abide by the principle of comparative advantage – let the business use its expertise on business criticality to triage the third parties that cyber needs to assess and monitor.”

Second up is having resilience-based practices, such as formal contingency plans for third parties when things go awry, and incident response plans and procedures such as playbooks and tabletop exercises.

Lee says too much time is focused on prevention, with a relative underinvestment in response and recovery. In particular, she says companies often fail to include third parties in their business continuity plans and testing, but Gartner research shows organisations that invest in resilience-focused activities can see an improvement in TPCRM effectiveness of over 40 percent.

“And note, I didn’t say customising your due diligence questionnaires or monitoring your third parties with an SRS, because our research shows those things don’t drive high impact.”

In fact, the research showed the most effective thing you could do around due diligence is to optimise for efficiency by standardising questionnaires and automating.

Many are already experimenting with GenAI, using it to ingest third-party artefacts and spit out pre-reads of reports, enabling analysts to focus on higher value tasks.

Two activities which do drive high impact are formal third-party contingency planning and third-party incident response planning, each of which saw a 42-43 percent improvement in effectiveness.

Rounding out the three principles is cultivating strategic partnerships with critical third parties – something that also saw a potential 42 percent improvement in TPCRM outcomes.

“This might sound really resource intensive, but there is a quick thing you can do, starting now, which is relatively low lift, and that is to share your incident response playbooks, toolkits, BCPs – give those away to your third parties,” she says.

“Giving your good stuff away is how we strengthen our collective security posture against the threat actors.”
