Despite increased investments in third-party cybersecurity risk management (TPCRM) over the last two years, 45% of organizations experienced third party-related business interruptions, according to a new Gartner, Inc. survey.

“Third-party cybersecurity risk management is often resource-intensive, overly process-oriented and has little to show for in terms of results,” said Zachary Smith, Sr Principal Research at Gartner. “Cybersecurity teams struggle to build resilience against third party-related disruptions and to influence third party-related business decisions.”

The survey was conducted in July and August 2023 among 376 senior executives involved in third-party cybersecurity risk management across organizations from different industries, geographies and sizes.

Effective TPCRM Depends on Delivery of Three Outcomes
Successful management of third-party cybersecurity risk depends on the security organization’s ability to deliver on three outcomes – resource efficiency, risk management and resilience and influence on business decision making. However, enterprises struggle to be effective in two out of those three outcomes, and only 6% of organizations are effective in all three (see Fig. 1). 

Four Actions for Security Leaders to Manage Third-Party Cybersecurity Risks
Based on the survey findings, Gartner identified four actions that security and risk management leaders must take to increase their effectiveness in managing third-party cybersecurity risk. The survey found that organizations that implemented any of these actions saw a 40-50% increase in TPCRM effectiveness.

These actions include:

1. Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship: Chief information security officers (CISOs) need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.
2. Track third-party contract decisions to help manage risk acceptance by business owners: Business owners will often choose to engage with a third party even if they are well-informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.
3. Conduct third-party incident response planning (e.g., playbooks, tabletop exercises): Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.
4. Work with critical third parties to mature their security risk management practices as necessary: In a hyperconnected environment, a critical third-party’s risk is also an organization’s risk. Partnering with the critical third parties to improve their security risk management practices helps promote transparency and collaboration. 

Gartner clients can read more in “Infographic: Minimize Disruption from Third-Party Cybersecurity Risks.”

Gartner Security & Risk Management Summit 
Gartner analysts will present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits, taking place February 12-13, 2024 in Dubai, February 26-27 in India, March 18-19 in Sydney, June 3-5 in National Harbor, MD, July 24-26 in Tokyo and September 23-25 in London. Follow news and updates from the conferences on X using #GartnerSEC.

About Gartner for Cybersecurity Leaders
Gartner for Cybersecurity Leaders equips security leaders with the tools to help reframe roles, align security strategy to business objectives and build programs to balance protection with the needs of the organization. Additional information is available at https://www.gartner.com/en/cybersecurity/products/gartner-for-cisos.

Follow news and updates from Gartner for Cybersecurity Leaders on X and LinkedIn using #GartnerSEC. Visit the Gartner Newsroom for more information and insights.