No Surprise: New Survey Confirms That Most Organizations Are Ineffective at Third-Party Risk Management
A new report published by the Ponemon Institute confirms that organizations are spending an increasing amount on third-party risk management, but are failing to realize much value for their efforts. Risk prioritization may be the solution.
The report, titled “The Cost of Third-Party Cybersecurity Risk Management,” summarizes a survey of over 600 respondents. The key findings:
- A significant majority of respondents report that they spend between US$500,000 and US$5,000,000 annually on third-party cybersecurity risk management.
- However, approximately the same number also believe that their efforts are not particularly effective.
The overall conclusion of the report is that organizations don’t need to invest more in third-party risk management. Instead, they need to invest better. Interestingly, the findings don’t support a wholesale adoption of automation over manual processes. Instead, the key to greater efficiency seems to be better risk prioritization.
The survey was sponsored by CyberGRX, a third-party risk management vendor that offers security assessments as a service.
This report confirms Info-Tech’s recommendation that the best path toward an efficient and effective vendor security assessment process is one that uses risk to guide due diligence activities. Current vendor offerings in this space can play an important part in this process, but they are not in and of themselves the solution to existing inefficiencies. We continue to assert that organizations should first build a risk-based process and then consider how products or services may help drive improvements.