PART TWO:
OUTREACH
BEFORE:
Overwhelmed third parties and ignored customer concerns
AFTER:
Targeted conversations with third parties that provide concrete answers
Next, the team must strategically contact the third parties that pose the most risk to their organization. This process takes time, as the business must find the right contacts within the third parties’ teams and reach out to them with specific feedback.
TRANSFORMING THE OUTREACH PROCESS
THE OLD WAY:
Many businesses ask third parties scattershot questions to understand how they are exposed to the threat and what they’ve done to address it. These questions may look like:
“Do you have vulnerability management software in place?”
“What is your patching strategy?”
“Are you SOC 2 compliant?”
WHY IS THIS INEFFECTIVE?
Teams send these questions via email or a GRC platform. The next few days, or even weeks, then consist of a back-and-forth with the third parties to clarify various points. The team must also record all of this “data” in either a spreadsheet or a GRC platform.
Ultimately, most businesses that use these manual processes struggle to get helpful responses from third parties. This happens for a number of reasons:
- First, it’s common for businesses to send vague and/or outdated information about the risks to the third party. The third party won’t know what to do with this data and might end up putting the concerns on the back burner as a result.
- Third parties also tend to drag their feet when responding because they see a minimal cost-to-value ratio for resolving specific customer issues. Many legacy solutions for third-party risk management take weeks to update the scores. So, if a customer reaches out with concerns about the third party’s security rating service (SRS) score, the third party won’t be incentivized to make changes. Altogether, there aren’t any clear rewards for the third party’s efforts nor punishments for failure to act.
- Lastly, a given third party has hundreds, if not thousands, of customers, making it impossible to respond to every question it receives. Many of these customers also expect the third party to log into their specific GRC platform, see what’s wrong, and do something about it. That adds up to dozens of different platforms that the third party is expected to check.
THE NEW WAY: STREAMLINING OUTREACH
The reality is that your third parties are just as busy responding to the security event as you are. So if you want concrete information about how they are responding, you will need to ask very targeted questions. Here are a few ways to do so.
1.) DITCH THE GENERIC QUESTIONS
Avoid sending vague questions or expectations to your third parties. Instead, aim to share targeted details about the risk and suggestions for concrete next steps.
2.) KEEP THE CONVERSATIONS CENTRALIZED
Maintain a centralized location for all communications, especially since additional internal personnel will likely be brought in to facilitate the conversation. For instance, if the risk is related to marketing technology, then the marketing point of contact who first established the relationship would need to be involved.
3.) TRACK CHANGES AUTOMATICALLY TO MINIMIZE MANUAL WORK
You must keep a detailed record of all conversations with your third parties about the issue(s) in question. Automated reporting minimizes your work and provides an excellent paper trail when an auditor needs proof that a specific issue was addressed.