How IT Execs Should Set the Tone for Security
Executives have a responsibility to practice what they preach, so setting the proper security tone impacts employees and can affect a company’s third-party risk.
Setting the proper tone reduces the risk of working with untrustworthy third parties (71%).
It incorporates integrity, ethics and trustworthiness in relationships with third parties (66%).
It increases employee and third-party awareness of the importance of security, data protection and business resiliency (43%).
75% of respondents say third-party risk is serious and of these, 70% say it is increasing or significantly increasing.
60% and 68% of respondents, respectively, expect the Internet of things and migration to the cloud to increase third-party risk.
78% of respondents say cyber-attacks will have a significant impact on their risk profile. 76% say the Internet of things will have a significant impact. Cloud computing, mobile, and big data analytics will have a significant impact according to 71%, 67% and 51% of respondents, respectively.
Although they recognize the seriousness of third-party risk, respondents say the top two risk management objectives are to minimize downtime (56%) and minimize business disruptions (37%).
During the past 12 months, respondents spent an average of $10 million to respond to security incidents because of negligent or malicious third parties.
The incentive to create a comprehensive program for managing third-party risk is low. Only 29% of respondents say they have a formal program.
Asked to rate the effectiveness of their organization’s ability to mitigate or curtail third-party risk, 21% of respondents said they considered theirs highly effective (7+ on a scale of 1 to 10).
23% of respondents say the compliance department is responsible for managing third-party risk. 17% say it is the information security department’s job.
Only 37% of respondents say C-level executives in their organization believe they are ultimately accountable for the effectiveness of third-party risk management. 50% of respondents do not believe risk management is aligned with the business goals that senior management sets.
According to respondents, boards of directors are either not significantly involved (17%) or have only some involvement (23%) in overseeing risk management activities.