Vice President, Information Risk Management
James Christiansen is a seasoned business leader with deep technical expertise and is recognized as a global thought leader. As the vice president of information risk management and member of the Office of the CISO, Christiansen helps CXOs make executive decisions based on the balance of risk and cost. He is responsible for developing and delivering a comprehensive suite of strategic services and solutions to help CXO executives change their security strategies through innovation.
Managing Third-Party Risk
Today, most organizations are outsourcing critical business operations to third parties. While internal business activities present a level of risk, third-party relationships can significantly increase the level of risk an organization is facing. The quantity, cost and difficulty of performing due diligence on third parties makes managing third-party risk especially challenging. Earlier today we published a white paper on this topic, which lays out the five steps to managing third-party risk. You can read the full paper here.
Third-party security breaches can cost organizations hundreds of millions of dollars and be devastating to the business. Reputational harm and litigation can take years to overcome. These risks are impacting organizations daily; however, many companies rely on hundreds or thousands of outside third parties to make their business succeed. The sheer volume of these relationships creates a complex ecosystem among internal parties, and between the organization and the third parties themselves.
To remain competitive, organizations must balance risk management against the cost of mitigating third-party risk. Several key steps to building a successful program to manage third-party risk include:
1. Assigning third-party risk ownership to the appropriate department or external group.
2. Providing sufficient resources for and prioritizing third-party risk management.
3. Understanding the fundamentals of information risk management.
4. Implementing a five-step process for managing third-party risk.
In my next blog post, I will discuss measuring inherent risk (the exposure from a third-party relationship) and how to categorized that into a risk tier, so you can perform the right level of due diligence for the third party.