Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.
A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

Our Advice

Critical Insight

Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.
Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

Impact and Result

Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.
Prioritize and classify your vendors with quantifiable, standardized rankings.
Prioritize focus on your high-risk vendors.
Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

Identify and Manage Security Risk Impacts on Your Organization Research & Tools

1. Identify and Manage Security Risk Impacts on Your Organization Deck – Use the research to better understand the negative impacts of vendor actions on your security.

Use this research to identify and quantify the potential security impacts caused by vendors. Use Info-Tech’s approach to look at the security impacts from various perspectives to better prepare for issues that may arise.

2. Security Risk Impact Tool – Use this tool to help identify and quantify the security impacts of negative vendor actions.

By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

Identify and Manage Security Risk Impacts on Your Organization

Know where the attacks are coming from so you know where to protect.

Analyst perspective

It is time to start looking at risk realistically and move away from “trust but verify” toward zero trust.

Frank Sewell, Research Director, Vendor Management

Frank Sewell,
Research Director, Vendor Management
Info-Tech Research Group

We are inundated with a barrage of news about security incidents on what seems like a daily basis. In such an environment, it is easy to forget that there are ways to help prevent such things from happening and that they have actual costs if we relax our diligence.

Most people are aware of defense strategies that help keep their organization safe from direct attack and inside threats. Likewise, they expect their trusted partners to perform the same diligence. Unfortunately, as more organizations use cloud service vendors, the risks with n-party vendors are increasing.

Over the last few years, we have learned the harsh lesson that downstream attacks affect more businesses than we ever expected as suppliers, manufacturers of base goods and materials, and rising transportation costs affect the global economy.

“Trust but verify” – while a good concept – should give way to the more effective zero-trust model in favor of knowing it’s not a matter of if an incident happens but when.

Executive Summary

Your Challenge

More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

A new global change will impact your organization at any given time. Ensure that you monitor threats appropriately and that your plans are flexible enough to manage the inevitable consequences.

Common Obstacles

Identifying and managing a vendor’s potential security risk impacts on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes could introduce new risks.

Organizational leadership is often taken unaware during crises, and their plans lack the flexibility needed to adjust to significant market upheavals and surprise incidents.

Info-Tech’s Approach

Vendor management practices educate organizations on the potential risks from vendors in your market and suggest creative and alternative ways to avoid and manage them.

Prioritize and classify your vendors with quantifiable, standardized rankings.

Prioritize focus on your high-risk vendors.

Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Security Risk Impact Tool.

Info-Tech Insight
Organizations must evolve their security risk assessments to be more adaptive to respond to global changes in the market. Ongoing monitoring of third-party vendor risks and holding those vendors accountable throughout the vendor lifecycle are critical to preventing disastrous impacts.

Info-Tech’s multi-blueprint series on vendor risk assessment

There are many individual components of vendor risk beyond cybersecurity.

Multi-blueprint series on vendor risk assessment

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

Out of Scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

Security risk impacts

Potential losses to the organization due to security incidents

In this blueprint we’ll explore security risks, particularly from third-party vendors, and their impacts.
Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to correct security plans.

The world is constantly changing

The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

Below are some things no one expected to happen in the last few years:

62%	83%	84%
Ransomware attacks spiked 62% globally (and 158% in North America alone).	83% of companies increased organizational focus on third-party risk management in 2020.	In a 2020 survey, 84% of organizations reported having experienced a third-party incident in the last three years.
One Trust, 2022	Help Net Security, 2021	Deloitte, 2020

Identify and manage security risk impacts on your organization

Due diligence will enable successful outcomes.

What is third-party risk?

Third-Party Vendor: Anyone who provides goods or services to a company or individual in exchange for payment transacted with electronic instructions (Law Insider).

Third-Party Risk: The potential threat presented to organizations’ employee and customer data, financial information, and operations from the organization’s supply chain and other outside parties that provide products and/or services and have access to privileged systems (Awake Security).

It is essential to know not only who your vendors are but also who their vendors are (n-party vendors). Organizations often overlook that their vendors rely on others to support their business, and those layers can add risk to your organization.

Identify and manage security risks

Global Pandemic

Very few people could have predicted that a global pandemic would interrupt business on the scale experienced today. Organizations should look at their lessons learned and incorporate adaptable preparations into their security planning and ongoing monitoring moving forward.

Vendor Breaches

The IT market is an ever-shifting environment; more organizations are relying on cloud service vendors, staff augmentation, and other outside resources. Organizations should hold these vendors (and their downstream vendors) to the same levels of security and standards of conduct that they hold their internal resources.

Resource Shortages

A lack of resources is often overlooked, but it’s easily recognized as a reason for a security incident. All too often, companies are unwilling to dedicate resources to their vendors’ security risk assessment and ongoing monitoring needs. Only once an incident occurs do companies decide it is time to reprioritize.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.