How IT Execs Should Set the Tone for Security

Karen A. Frenkel

Executives have a responsibility to practice what they preach, so setting the proper security tone impacts employees and can affect a company’s third-party risk.

Benefits of Positive Tone at the Top

Reduces the risk of working with untrustworthy third parties (71%). Incorporates integrity, ethics and trustworthiness in relationships with third parties (66%). Increases employee and third-party awareness of the importance of security, data protection and business resiliency (43%).

Third-Party Risk Management Is Serious

75% of respondents say third-party risk is serious and of these, 70% say it is increasing or significantly increasing.

Disruptive Technologies Are Increasing Third-Party Risk

The Internet of things and migration to the cloud are expected by 60% and 68% of respondents, respectively, to increase third-party risk.

Cyber Attacks and IoT's Impact on Risk

78% of respondents say cyber-attacks will have a significant impact on their risk profile. 76% say the Internet of things will have a significant impact. Cloud computing, mobile, and big data analytics will have a significant impact according to 71%, 67% and 51% of respondents, respectively.

Third-Party Risk Not a Primary Risk Management Objective

Although they recognize the seriousness of third-party risk, respondents say the top two risk management objectives are to minimize downtime (56%) and minimize business disruptions (37%).

Not Managing Third-Party Risk Can Be Expensive

During the past 12 months, respondents spent an average of $10 million to respond to security incidents because of negligent or malicious third parties.

Few Formal Third-Party Risk Management Programs

The incentive to create a comprehensive program for managing third-party risk is low. Only 29% of respondents say they have a formal program.

Consequence of No Third-Party Risk Management Program

Asked to rate the effectiveness of their organization’s ability to mitigate or curtail third-party risk, 21% of respondents said they considered theirs highly effective (7+ on a scale of 1 to 10).

Accountability for Third-Party Risk Management

23% of respondents say the compliance department is responsible for managing third-party risk. 17% say it is the information security department’s job.

C-Level Executives Not Engaged

Only 37% of respondents say C-level executives in their organization believe they are ultimately accountable for the effectiveness of third-party management. 50% of respondents do not believe risk management is aligned with business goals, which senior management determines.

Boards of Directors Not Engaged

Boards of directors are not significantly involved, according to 17% of respondents, or have some involvement in overseeing risk management activities, according to 23% of respondents.
