Managing Third-Party Risk

June 04, 2014

Today, most organizations are outsourcing critical business operations to third parties. While internal business activities present a level of risk, third-party relationships can significantly increase the level of risk an organization is facing. The quantity, cost and difficulty of performing due diligence on third parties make managing third-party risk especially challenging. Earlier today we published a white paper on this topic, which lays out the five steps to managing third-party risk. You can read the full paper here.

Third-party security breaches can cost organizations hundreds of millions of dollars and be devastating to the business. Reputational harm and litigation can take years to overcome. These risks are impacting organizations daily; however, many companies rely on hundreds or thousands of outside third parties to make their business succeed. The sheer volume of these relationships creates a complex ecosystem among internal parties, and between the organization and the third parties themselves.

To remain competitive, organizations must balance risk management against the cost of mitigating third-party risk. Several key steps to building a successful program to manage third-party risk include:

1. Assigning third-party risk ownership to the appropriate department or external group.
2. Providing sufficient resources for and prioritizing third-party risk management.
3. Understanding the fundamentals of information risk management.
4. Implementing a five-step process for managing third-party risk.

Don’t allow your organization to be devastated by a security breach at a third party. Doing nothing is not an option. Perform the proper level of due diligence to protect your company from being a victim of a third-party breach and the resulting litigation. Recent breaches and other security events highlighted the necessity of implementing a third-party risk management program. Done properly, such a program lets companies find the balance between risk and cost, freeing up your organization to focus on its objectives and growth.

In my next blog post, I will discuss measuring inherent risk (the exposure from a third-party relationship) and how to categorize that into a risk tier, so you can perform the right level of due diligence for the third party.
