January 20, 2022
Part two in a series.
Third-party risk management (TPRM) is no longer the responsibility of a single department. There is no one-size-fits-all approach, and organizations need to recognize that effective TPRM extends well beyond the procurement department's review of each third party. Managing the risk that third parties pose to an organization's data and information necessarily involves the whole company.
Organizations with a mature TPRM program may have a third-party risk or vendor management team, but many organizations do not. Therefore, there is little commonality of job titles and departments that “own” third-party risk. They may include:
This list isn't exhaustive; however, the diverse variety of titles and departments shows who some organizations engage when managing their third parties and third-party risk. As organizations, and the number of third parties they work with, grow, the need to work with and across functional areas and boundaries increases. Eventually, most areas of management within an organization will be involved in some form during the TPRM lifecycle.
There are multiple versions of the TPRM lifecycle, but one that has proven successful over many years can still be applied today: the US Office of the Comptroller of the Currency (OCC) TPRM lifecycle (OCC Bulletin 2013-29, published in October 2013). Although originally developed to help banks practice effective risk management (regardless of whether an activity is performed internally or by a third party), the basic principles still apply to most organizations, with only a few enhancements required to address business data.
Today, instead of using the original five-step lifecycle, Optiv adds a sixth stage to specifically call out the need for off-boarding a vendor should their contract not be renewed. This step was contained in the termination phase of the OCC model but was often overlooked. Today, because of newer privacy and data protection laws, formal off-boarding of a third party with access to your data or your customer data can no longer be omitted.
Organizations often ask versions of the following questions:
Adoption of a TPRM lifecycle approach benefits an organization because it formalizes an often-complex set of interdependent third-party management processes. Typically, these processes engage with multiple third parties that provide ongoing services or services portfolios. Assuming current outsourcing trends continue, the number of third parties contracted to a given organization will increase, and there are no signs of this trend slowing.
The formalized TPRM lifecycle enables an organization’s management to:
These tasks are difficult enough even with a formalized program based on a TPRM lifecycle. Without such a lifecycle, you typically won't have auditable processes to confirm that these tasks are being done at all. Consider what your organization may be missing and what risks you may be exposed to without knowing it.
From this brief description of the TPRM lifecycle and the scope of activities it involves, it should be clear that an organization cannot simply assign management of third parties with access to your data to a single team or person. It requires a wide spectrum of skills, knowledge and procedures supported by enterprise-wide policies for use of third parties if it’s to work securely and effectively. This doesn't necessarily mean full-time involvement for all stakeholders involved in the TPRM program: a fully dedicated core team to keep processes running smoothly can be augmented by a virtual team that’s called on to perform specific tasks.
Depending on the number of third parties employed by an organization, one of the most intensive functions in the TPRM lifecycle is the due-diligence phase of selecting third parties, which is essential for assessing their capabilities and security. Many companies only consider the immediate third-party organization itself. But, just like your organization, they probably use third parties, too. Careful consideration should be given to how a potential security issue facing their providers might affect your organization. Knowing about these issues is paramount.
Just think about what would happen if a third party linked to your third party were targeted by a ransomware attack. This could potentially affect your third party. Could it threaten your organization too?
Optiv recommends a lifecycle approach to TPRM, which includes the appropriate teams across procurement, vendor management, compliance, risk, security and legal. Team composition depends on the organization, but the lifecycle has been proven to work and collaboration is key.