Cybersecurity Capabilities for Maturing Your TPRM Programs

September 23, 2025

This blog is the second part in a three-part series on third-party risk management (TPRM). Find the first part here.


Amid growing reliance on external vendors and digital supply chains, third-party relationships pose significant cybersecurity risks that organizations can no longer afford to overlook. A mature third-party risk management (TPRM) program demands robust cybersecurity capabilities that ensure continuous visibility, control and resilience across the supply chain. As threat actors increasingly target third-party weaknesses, meeting regulatory compliance requirements, integrating continuous monitoring and maintaining incident response preparedness have become critical. Optiv experts share their insights on the essential cybersecurity components that underpin a mature and adaptive TPRM program.


Cybersecurity Governance and Compliance Requirements along with Supporting Standards

Strong governance structures are essential for organizations to ensure that their third-party vendors adhere to security, compliance and risk management standards. We see that 94% of vendors have a documented information security policy, indicating a broad commitment to establishing security protocols. However, only 19% of vendors have dedicated cybersecurity leadership, highlighting a potential gap in executive oversight and strategic security decision-making.


[Chart: info-sec-policy-documented-chart]


While high policy adoption rates reflect vendors’ awareness of security best practices, the lack of dedicated cybersecurity leadership presents a critical area for improvement. Organizations should prioritize vendor governance assessments to ensure that security policies are backed by strong leadership, regular audits and a culture of risk accountability.


Compliance with industry security standards is a key indicator of a vendor's commitment to cybersecurity, data protection and regulatory adherence.


[Chart: vendors-compliant-standards-chart]


SOC 2 (40%) and ISO 27001 (31%) are the most widely adopted compliance frameworks among vendors, reflecting a strong emphasis on data security, availability and integrity. These standards are often prioritized due to their relevance in cloud security, enterprise IT risk management and customer trust. However, adoption rates for other critical frameworks remain significantly lower.


Understanding and Categorizing Fourth-Party Relationships

The number of third-party relationships has grown exponentially in recent years, partly due to the widespread transition to cloud-based as-a-service offerings. Organizations often do not know who their fourth parties are or what role they play in the service chain. Without this knowledge, organizations cannot discover and remediate the associated risks in a timely manner.


Modern supply chains are increasingly reliant on third-party vendors, who in turn depend on multiple service providers for critical operations. Approximately 40% of vendors utilize cloud technologies such as Azure, AWS and GCP to store and manage customer data. This widespread adoption reflects the growing preference for cloud platforms, which offer scalability, reliability and advanced data analytics capabilities. By leveraging these technologies, vendors can enhance operational efficiency, reduce costs and bolster data security.


[Chart: third-party-services-leveraged-by-suppliers-chart]


Cloud hosting and data backup services are the most utilized third-party offerings, both accounting for 49% of the total services adopted. This emphasis underscores the critical need to ensure business continuity and manage large data volumes effectively.


An effective strategy for managing fourth-party risk involves ongoing monitoring. Periodic reassessment of fourth parties that handle sensitive data or are critical to business operations helps secure the enterprise against supply chain disruptions.


Adoption of Access Management Controls across Vendors

Access management encompasses multiple layers of security controls, each serving a distinct role in protecting organizations from unauthorized access, credential compromise and insider threats. The adoption rates of privileged access management (PAM) and enterprise-wide multifactor authentication (MFA)/single sign-on (SSO) controls reflect how organizations prioritize different aspects of identity and access security.


[Chart: access-control-capabilities-vendor-chart]


Among these measures, enterprise-wide MFA/SSO solutions have the higher adoption rate, indicating a strong emphasis on authentication and identity verification. Vendors recognize the increasing risks associated with password-based attacks, phishing and credential stuffing, and are implementing MFA as a critical safeguard.


Privileged access management has the lower adoption rate, signaling a potential gap in securing high-risk accounts and administrative privileges. PAM is essential for restricting access to critical systems, reducing insider threats and preventing privilege escalation attacks, yet its lower implementation rate suggests that many organizations still rely on broad access controls rather than granular privilege management. This gap presents a security concern, as compromised privileged credentials can lead to severe data breaches, operational disruptions and regulatory non-compliance.


Incident Response Implementation and Industry Adoption

Security leaders must implement a clear incident response (IR) plan to effectively address supply chain threats. In today’s interconnected environment, identifying impacted third parties during a cyberattack is critical to managing a coordinated response and ensuring operational continuity. A formal IR plan minimizes risks and helps organizations quickly recover from potential disruptions.


[Chart: vendors-with-ir-plan-distribution-chart]


Modern supply chains are particularly vulnerable to cyber incidents. Attacks targeting a single vendor can ripple across the ecosystem, causing financial losses, operational delays and reputational harm. Recent high-profile breaches highlight how adversaries exploit vendor weaknesses to infiltrate multiple organizations, underscoring the importance of proactive preparedness.


The healthcare industry, while heavily targeted due to its sensitive patient data, remains underprepared. Only 6% of vendors have an IR plan, leaving the majority vulnerable to threats like ransomware and phishing. This lack of preparedness strains cybersecurity teams and highlights the urgent need for comprehensive response strategies in the sector.


The industrials sector shows progress, with 16% of vendors adopting IR plans. This reflects growing awareness of cybersecurity risks, though continuous improvement is necessary to address evolving threats. In contrast, the consumer industry demonstrates significant vulnerability, with just 4% of vendors equipped with an IR plan, emphasizing a critical gap in preparedness.


The financials sector fares better, with 28% of vendors implementing IR plans, though gaps remain in ensuring comprehensive protection. The technology and communications industry leads in preparedness, with 46% of vendors having IR plans, showcasing strong capabilities to mitigate supply chain risks effectively.


While some industries demonstrate progress, others lag considerably in their cybersecurity readiness. Broader adoption of IR plans across all sectors is essential to build resilient supply chains capable of withstanding future threats.


Discover how your organization can ensure incident readiness and response by reaching out to our experts.

Director, Cyber Strategy & Transformation | Optiv
Pradeep Sekar, Senior Director at Optiv, is a seasoned cybersecurity professional who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and their teams across various industries to develop and sustain secure, adaptive and robust cybersecurity programs.
Associate Consultant, Cyber Strategy and Risk Management
Bhargav Chopra is a cyber strategy and risk consultant with experience in supporting organizations in technology, healthcare and finance. He specializes in third-party risk management, vendor risk oversight and compliance readiness, aligning with industry standards and regulatory frameworks.
Consultant, Cyber Strategy and Risk Management
Rucha Revdekar is a cybersecurity professional with 3+ years of experience in vendor management and third-party risk practices. Her expertise lies in evaluating vendor security posture and preparing actionable roadmaps that support smarter decision-making, enabling organizations to manage third-party relationships with greater confidence and trust.
Associate Consultant, Cyber Strategy and Risk Management
Bharath Menon is a cybersecurity risk consultant with expertise in cyber strategy and third-party risk management, assisting organizations in improving their overall cybersecurity program.