PART ONE:
IDENTIFICATION
BEFORE:
Lengthy internal conversations and a lack of focus
AFTER:
Orderly processes for identifying which vulnerable third parties pose the most significant risk to your organization
To start the remediation process for a pressing third-party threat, teams must compile a list of companies affected by the issue(s). They need to understand which third parties within their organization are:
A.) Particularly vulnerable to the event in question, and...
B.) Pose a significant risk to the business because of their role in day-to-day operations.
TRANSFORMING THE IDENTIFICATION PROCESS
THE OLD WAY:
- Most organizations today take days, weeks, or longer to identify which third parties have been affected by a new threat.
- Teams must compile this information by contacting internal departments and requesting third-party information.
- If they don’t have an automated system in place, these teams must manually compile their findings and then export the data.
- Finally, the team must create an outreach list in a spreadsheet, email, or GRC platform.
WHY IS THIS INEFFECTIVE?
This process is very time-consuming, requiring security teams to identify all third parties affected by a particular threat and then triage them based on business function. The more third parties the organization has, or the more widespread the event, the more challenging this process becomes. Sometimes it is impossible altogether, especially if the information needed to assess risk and triage third parties isn't readily available; in that case, the organization must reach out to all of its third parties.
THE NEW WAY: STREAMLINING IDENTIFICATION
Ultimately, it shouldn’t take much time to identify which third parties were impacted by a threat and triage them by business risk. This process should be automated, orderly, and scalable, not a wild goose chase whenever there’s a pressing security event. Here are a few strategies for streamlining the process:
1.) PREPARE BEFORE ANYTHING EVEN HAPPENS
Before a significant event hits your ecosystem and your team is frantically searching for answers, prepare for possible situations with a solid business continuity management (BCM) plan, business impact analyses (BIAs), and scenario planning. Then, when something does happen, you can easily reference these documents and understand how a particular third party's outage or security event would affect your business. This gives more focus to the process of identifying and triaging which third parties to contact first.
2.) USE MORE THIRD-PARTY RISK MANAGEMENT AUTOMATION
Third-party risk management tools with automation features can help you identify affected third parties and consolidate valuable information into a single location. For instance, some teams lean on automation to parse documents submitted by third parties, such as existing questionnaires and SOC 2 reports, and map them to their compliance frameworks to understand where any gaps are.
3.) DON'T GET BOGGED DOWN BY THE IDENTIFICATION STAGE
Find ways to streamline your third-party identification process, such as communicating about all third-party risk efforts in a single place rather than across a combination of spreadsheets, team chats, emails, etc. Then your team can quickly move on to the most important part of the process: talking to the third parties and working with them to remediate issues.
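As an added illustration of the identification and triage steps described above (this is example code written for this page, not a tool or method from the original author), the script below takes a constructed third-party inventory, in which each vendor carries the technologies it is known to run and a business-impact tier taken from a BIA, matches it against a new threat event described by the products it affects, and returns a prioritized outreach list. Vendor names, product names, tiers and the event itself are all made up; vendors with no technology data on file are kept on the list rather than silently dropped, since they cannot be ruled out.

```python
"""
Added example (not from the original page): triage a constructed third-party
inventory against a new threat event and produce a prioritized outreach list.
All vendors, products, tiers and the event are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class ThirdParty:
    name: str
    products: set[str]       # technologies/services the vendor is known to run
    impact_tier: int         # from the BIA: 1 = critical to daily ops, 3 = low impact
    services_provided: str


@dataclass
class ThreatEvent:
    name: str
    affected_products: set[str]


# Constructed inventory (hypothetical vendors and product names)
INVENTORY = [
    ThirdParty("Acme Payroll", {"ExampleCMS", "ExampleDB"}, 1, "payroll processing"),
    ThirdParty("Globex Logistics", {"ExampleERP"}, 1, "shipping"),
    ThirdParty("Initech Marketing", {"ExampleCMS"}, 3, "email campaigns"),
    ThirdParty("Umbrella Hosting", {"ExampleDB"}, 2, "test environment hosting"),
    ThirdParty("Unknown Stack Co", set(), 2, "consulting"),  # no tech data on file
]


def identify_affected(inventory, event):
    """Step A: which third parties run something the event affects.
    Parties with no recorded product data cannot be ruled out, so they are
    returned separately as 'unknown' and still belong on the outreach list."""
    affected, unknown = [], []
    for tp in inventory:
        if not tp.products:
            unknown.append(tp)
        elif tp.products & event.affected_products:
            affected.append(tp)
    return affected, unknown


def triage(affected, unknown):
    """Step B: order by business-impact tier (1 first), then by name.
    Known-affected parties come first; unknown-stack parties follow,
    themselves ordered by tier."""
    key = lambda tp: (tp.impact_tier, tp.name)
    return sorted(affected, key=key) + sorted(unknown, key=key)


def outreach_list(inventory, event):
    """Combine both steps into the list a team would actually work from."""
    affected, unknown = identify_affected(inventory, event)
    rows = []
    for tp in triage(affected, unknown):
        if tp.products:
            reason = "runs " + ", ".join(sorted(tp.products & event.affected_products))
        else:
            reason = "no technology data on file"
        rows.append({"vendor": tp.name, "tier": tp.impact_tier, "reason": reason})
    return rows


if __name__ == "__main__":
    event = ThreatEvent("constructed ExampleCMS flaw", {"ExampleCMS"})
    for row in outreach_list(INVENTORY, event):
        print(row)
```

The point of the split into two functions is that the BIA tier is what turns a raw "who is exposed" list into an ordered call sheet; without that data on file beforehand, every exposed vendor lands at the same priority and the team is back to contacting everyone at once.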