Expanding the view of third-party risks in the extended enterprise

The extended enterprise shaping modern organizations today is an exceedingly complex ecosystem. It is an interconnected web of relationships where multiple vendors and stakeholders interact and transact across business and geographical boundaries. In this realm, it can be very daunting to ensure accountability, security, and alignment. A security breach here is a Chief Information Security Officer’s (CISO) worst nightmare.

Third party risks have become prominent enough to be more than mere procurement department issues, having a residual effect across the business in the form of supply chain issues, business interruptions, or extended cyber risks. Take, for example, the ransomware attack on Apple last year through its supplier partner Quanta. Hackers were able to access product schematics ahead of the company’s product announcement by taking advantage of the mutual access to information granted between the company and its supplier partner.

In an extended enterprise, the level of risk and responsibility takes on a whole new level as businesses grant outsiders access to sensitive and confidential information. A study by Forrester indicated that 60 percent of security incidents in 2022 would be connected directly with third-party involvement.

Cyber attackers are ruthlessly targeting vendors and suppliers to gain access to industry leaders through the extended enterprise. Organizations need to manage the risks associated not just with their vendors but also with their vendors’ third parties, that is, the fourth parties.

A report by Gartner suggests that more than 60 percent of businesses are working with over 1,000 third parties. The report also suggests that in some cases this may be a low estimate given how the business's ecosystems are growing and expanding.

As intimidating as the environment may be, companies can turn this challenge into a competitive advantage. To do this, they would need to expand their view on their threat matrix. Consider the following to shore up your third-party risk posture:

Invest in automating systems by leveraging AI-enabled solutions

Companies should consider investing in an AI-supported risk platform that manages risk holistically. And that includes third-party supplier risk. Such platforms help provide a single reference point for multiple tasks like identifying, assessing, and mitigating risks, tracking multiple IT supplier risks, and vendor compliance management. Traditional ticketing systems or manual processes just won’t cut it. Look for a platform designed to link third parties and their vendors (fourth parties) to a spectrum of risks so you are no longer at the mercy of disparate data across the enterprise. These should include reputational, financial, cyber risks, and environmental, compliance across the supplier life cycle. This will enable CISOs to assess and monitor risk from onboarding through offboarding. It should be able to monitor risks on a real-time basis across the vendor spectrum and send alerts immediately.

Start quantifying risks

Surveys have suggested that the majority of company leaders felt their third-party risk management systems are not able to rank or define levels of risk. While it may not be possible to directly link levels of risk to the cause of the breach, quantifying them can help improve the business's defenses against unseen threats. Quantification works better to tighten a security engine than qualitative descriptions. Companies can use insights on risk, performance, compliance, and issues to improve third-party negotiations and also speed up the onboarding of new suppliers. Business leaders can use the information to prioritize IT assets protection.

By assessing the impact of risk in dollar value organizations can prioritize the risks and investments accordingly. Companies can use this information to answer key questions like how much is the total risk in dollars or how much more is the top risk than the second one? Risk quantification helps organizations to know where to invest and, how much investment is good enough. Businesses can plan how to smartly utilize resources by aligning security to stakeholders without duplicating technical capabilities and by investing in the right technologies at the right time. Risk can be quantified using various risk models that measure exposure. However, teams across the enterprise need to collaborate, share data and agree on the risk taxonomy to be able to analyze it.

Improve agility

Companies should consider investing in systems that improve agility. An integrated management system can help teams speed up vendor registration processes enabling fast onboarding. Systems that allow a simplified due diligence process with pre-defined questionnaires to assess vendor risks can improve agility. Companies should also ensure they equip front-line employees with user-friendly tools, processes, and training that will help them flag or report risks on a real-time basis. An agile system that is pervasive across the enterprise helps make quick adjustments in the event of a crisis response.

Turn risk into a strategic advantage

If done right, businesses can gain a competitive edge by turning risk into an advantage. While it may seem overwhelming at first glance, managing the threat complexities associated with an extended enterprise is possible with systems that automate, monitor, predict and quantify risks. If leveraged, businesses can gain an advantage over their competitors simply by being able to predict risks better, speeding up due diligence processes, taking calculated risks, and being more agile.

Author: Shankar Bhaskaran – Managing Director - India, MetricStream