In 1624, John Donne wrote the famous words “No man is an island” in Meditation 17 of his Devotions upon Emergent Occasions. Today, with the digital age firmly upon us, these words ring true for individuals and enterprises alike. No enterprise is truly self-contained or able to operate autonomously, and herein lies one of the great challenges for enterprise security in our era.
As companies grow and become interdependent, third-party risk rises to the forefront in boardrooms across the globe. Whether the relationship is strategic and prominent or operates in the background, the threats that each third-party relationship poses to the enterprise are very real. Strategic outsourcing creates vast opportunities for efficiency and cost reduction by moving non-core business functions to a third party. The unknown business risk taken on as a result of such a relationship – whether with a market research firm, a credit card processor, or a manufacturing partner – is a source of consternation for CISOs, and it must be managed more effectively.
The interdependency of connected systems and business relationships requires a strong third-party risk plan that extends beyond traditional IT. The initial step is often to take an IT-focused view and investigate third-party network interconnections and data handoffs, but that is only the first stage of the work. Third-party risk must be analyzed across the various risk categories, including the relationship and business-profile risk perspectives, to create a complete and actionable picture.