Innovation in Compliance – Episode 248 – Third Party Risk Management Industry with Brad Hibbert – JD Supra

Brad Hibbert is the Chief Strategy Officer and Chief Operations Officer at Prevalent Inc. and specializes in eliminating security and compliance risks associated with third-party vendors and suppliers. I welcome Brad back this week to examine and discuss a recently published study by Prevalent called The 2022 Third-Party Risk Management Industry Study.

Third Party Risk Management Industry Survey

Brad reveals that Prevalent Inc. has been working on the Third-Party Risk Management Survey for about three years. To gather data on the topic, they sent the survey to thousands of third-party risk management professionals who also have a background in security. As the results come in, they are categorized, analyzed and monitored for trends. I asked Brad for the overall rating of third-party risk management that he determined from the survey. “I think there’s certainly a growing awareness of third-party risk management within organizations and among corporate leadership teams,” Brad replied. He also noted that both IT and non-IT risks are major concerns for respondents.

Key observations on the current state of third-party risk management

I invited Brad to continue analyzing and discussing the key findings from the survey. These are the main observations:

1. “Organizations are paying more attention to non-IT security risks, but not enough.” Brad explains that programs built to investigate IT threats are beginning to recognize non-IT threats as well. He says, “It’s not just about IT vendors anymore, so companies are trying to get a broader view of that broader supply chain of IT vendors and non-IT vendors, and they’re also trying to get a broader view of the types of risks they’re looking at.” Brad sees this as a positive trend in the third-party risk management industry.

2. “Third-party risk management could (finally!) become more strategic.” I know that IT pros and compliance pros understand the seriousness of third-party risk, but I wonder if higher-level executives see it the same way—this issue must be approached strategically. Brad explains that 31% of respondents said they were affected by a third-party data breach. Incidents like these lead entire organizations to raise awareness of third-party risk and take it seriously. He notes, “People from security, procurement, contracts, legal, and compliance are trying to understand how to get a holistic view of these supplier risk concerns in order to manage and minimize them throughout the supplier lifecycle.”

3. “Manual methods of third-party assessment persist, but dissatisfaction is high.” Unfortunately, most organizations are still fixated solely on their core IT vendors and security risks, believing they can get by with manual methods like email and spreadsheets. However, as a third-party risk management program grows, these methods stop working because they “do not study the risks and do not efficiently address those risks with the vendors.”

4. “Organizations are concerned about increasingly malicious third-party security incidents, but use different tools to detect, investigate, and remediate exposures.” However, the number of successful security breaches during the pandemic suggests organizations are not using established tools to combat the threats.

5. “Organizations wait over two weeks for third-party incident resolution.” Brad explains that most organizations don’t have a process for responding to third-party security breaches as emergencies, so it takes them a while to identify the problem and begin remediating the risk.

6. “Third-party risk assessments are becoming increasingly complex and time-consuming.” Brad explains, “42% of respondents say they are audited annually for third parties, and when audited, respondents say it takes between a week and a month to gather evidence to meet this regulatory check.” This data shows that audits are costly and time-consuming, since most organizations attempt to run ambitious third-party risk management programs on less-capable systems.

7. “The discipline of third-party risk management falters as vendor relationships evolve.” The survey found that as vendor relationships evolve, the power imbalance between the vendor and the enterprise changes, exposing all of the enterprise’s data and information to the vendor and increasing the likelihood of data breaches.