Why are Organizations Not Managing Third-Party Security Risk?

The word “why” is a beautiful word. It defines purpose and it motivates learning. When we were young, we asked “why” about everything. Why is grass green? Why do people work? Why does Johnny’s dad smell like cheese? It didn’t matter what the wonder was about, we’d ask for answers regardless of the circumstance. Our parents got tired of answering the questions, and eventually we stopped asking “why” every chance we had.

That’s too bad. Asking “why” is natural and it’s healthy. This brings us to the point of this article. Two seemingly simple questions:

  1. Why do we do third-party information security risk management?
  2. Why don’t we do third-party information security risk management?

You either have no “why”, you have the wrong “why” or you have the correct “why”. It’s that simple. I’ll explain, starting with the correct “why”.

Correct Why

The right or correct "why" is that you want to manage information security well. This one is easy, and the logic is crystal clear:

  1. If information security is managing risk, and
  2. One or more third-parties pose a risk to your information, then
  3. Third-party information security risk management is part of information security.

Maybe your "why" is more noble. Maybe you want to serve your patrons, customers, or patients well. It's the same logic, just one level up:

  1. If you want to serve your customers well, and
  2. This includes protecting their information, and
  3. Information security is managing risk, and
  4. One or more third-parties pose a risk to your information, then
  5. Third-party information security risk management is part of treating your customers well.

If you have the right “why”, then kudos to you! Seriously, thank you for doing the right thing.

The right "why" is the reason you do what you do, and it leads you to do things the right way too. It's important to be efficient, but not by taking shortcuts. For your third-party information security risk management process to be effective, it must account for administrative, physical and technical controls, not just one of the three.

The facts are:

  1. You cannot manage information security well without accounting for third-party information security risk.
  2. You cannot serve your customers well without accounting for third-party information security risk.
  3. You are taking significant shortcuts if you’re not accounting for administrative, physical, and technical controls.

Now you know the correct “why”. If you don’t have the same or similar “why”, you’re either wasting your money (and time) or you might not care.

Wrong Why

There are two common reasons for doing third-party information security risk management that are wrong. The first is compliance. The second is the "herd mentality". Compliance leads to doing the minimum necessary, complying with the letter of the law rather than its intent. Doing what everyone else is doing assumes that everyone else knows what they're doing.

The wrong why is certain to lead to wasted resources and half-baked results.

No Why

Having no "why" means either that you don't do third-party information security risk management at all, or that you do it but aren't sure why.

Ask yourself why. Define your purpose, then align your third-party information security risk management processes with it.

Conclusion

There isn't any legitimate excuse for not doing third-party information security risk management, assuming that one or more of your vendors poses any significant risk to your information. If you choose to do it for the right reasons, be sure to account for information security risk across administrative, physical, and technical controls. Taking shortcuts will surely lead to problems in the future.

Third-party information security risk management is NOT optional, so be sure to do it right.
