
Managing Third-Party Risk

June 04, 2014

Today, most organizations outsource critical business operations to third parties. While internal business activities carry their own level of risk, third-party relationships can significantly increase the level of risk an organization faces. The quantity, cost and difficulty of performing due diligence on third parties make managing third-party risk especially challenging. Earlier today we published a white paper on this topic, which lays out the five steps to managing third-party risk. You can read the full paper here.

Third-party security breaches can cost organizations hundreds of millions of dollars and be devastating to the business. Reputational harm and litigation can take years to overcome. These risks are impacting organizations daily; however, many companies rely on hundreds or thousands of outside third parties to make their business succeed. The sheer volume of these relationships creates a complex ecosystem among internal parties, and between the organization and the third parties themselves.

To remain competitive, organizations must balance risk management against the cost of mitigating third-party risk. Several key steps to building a successful program to manage third-party risk include:

1. Assigning third-party risk ownership to the appropriate department or external group.
2. Providing sufficient resources for and prioritizing third-party risk management.
3. Understanding the fundamentals of information risk management.
4. Implementing a five-step process for managing third-party risk.

Don’t allow your organization to be devastated by a security breach at a third party. Doing nothing is not an option. Perform the proper level of due diligence to protect your company from becoming the victim of a third-party breach and the resulting litigation. Recent breaches and other security events have highlighted the necessity of implementing a third-party risk management program. Done properly, such a program lets companies find the balance between risk and cost, freeing up the organization to focus on its objectives and growth.

In my next blog post, I will discuss measuring inherent risk (the exposure from a third-party relationship) and how to categorize it into a risk tier, so you can perform the right level of due diligence for the third party.
