Third-Party Risk: The Cybersecurity Blind Spot You Can't Ignore
Bridging the Gap Between Procurement, IT, and Cybersecurity for Comprehensive Risk Management
Cybersecurity is one of the fastest-evolving sectors in technology, and those of us who have worked in it for the past ten years or more can attest that the pace has been more of a sprint than a steady evolution.
Companies of all sizes face unprecedented challenges in safeguarding data and operations; none are spared the attention of threat actors and their tooling. Organisations increasingly rely on third-party vendors, SaaS solutions, cloud services, and extended supply chains to drive efficiency and innovation, and every one of those relationships widens the attack surface. This shift has left many companies exposed to threats that originate not within their own systems and infrastructure but in third-party and supply chain networks, where a weakness in one party can cascade through every interconnected system it touches.
The breaches at Kaseya and SolarWinds stand as stark reminders of how a single weak point in the supply chain can paralyse organisations globally. And as the 2024 CrowdStrike outage reminded us, the risk does not come only from malicious actors: a defective update pushed by a trusted security product can cause the same kind of supply chain disruption with no attacker involved at all.
These incidents have highlighted a growing gap in how enterprises manage cybersecurity risks, particularly when it comes to the involvement of third parties. The 'risk coverage gap'—a term now gaining traction—refers to the misalignment between an enterprise's internal security controls and the external risks posed by vendors and supply chain partners. Addressing this gap requires a rethinking of enterprise risk frameworks and a more integrated approach to cybersecurity.
The Risk Coverage Gap: An Unintended Consequence of Fragmented Risk Frameworks
At the heart of this issue lies the fragmented nature of traditional enterprise risk management frameworks. These frameworks are often designed to identify and mitigate a wide range of risks across various functions, from financial to operational to compliance risks. However, in practice, the control environments supporting these frameworks tend to be disjointed, with different departments operating under independent control frameworks. Each function—whether procurement, IT, or cybersecurity—focuses on its own set of priorities, inadvertently creating gaps in the organisation's overall risk coverage.
For example, while procurement teams may be focused on financial and contractual risks associated with vendors, they often overlook critical cybersecurity considerations. Similarly, IT operations might prioritise system performance and availability, leaving cybersecurity teams to focus on direct threats to the organisation. These silos create blind spots where risks are either inadequately managed or missed altogether. This is particularly concerning when it comes to third-party risks, where vulnerabilities in one vendor's system can have far-reaching consequences throughout the supply chain.
A Growing Reliance on Third Parties
The reliance on third parties to deliver key business services keeps growing. As organisations outsource more of their operations, whether for cost savings, scalability, or access to specialised expertise, they become increasingly dependent on the security practices of those external vendors. Yet many enterprises still treat third-party risk as a sub-function of Third Party Management (TPM), handled as a legal and contractual matter rather than as a question of the risk each third party introduces to the organisation. This is often exacerbated when the TPM process delegates responsibilities to IT, Operations and Procurement, each governed by independent policies and procedures that are not integrated into the broader risk management framework.
This fragmented approach leads to inconsistent risk assessments and incomplete visibility into how third-party risks affect the organisation's overall security posture. Without a unified framework to manage these risks, organisations often fail to account for the compounded effects of multiple vulnerabilities and security risks across their vendor networks, leaving them exposed to potential security breaches, data loss, or operational disruptions which could have been mitigated through a more cohesive risk management approach.
The Compounding Nature of Cyber Risk
Complicating matters further, cybersecurity risks are rarely isolated. The interconnected nature of modern enterprise ecosystems means that vulnerabilities in one part of the supply chain can quickly spread to other areas, amplifying the impact of any given breach. Threat actors increasingly exploit these weak links, targeting not only the organisation itself but also its suppliers, partners, and service providers to gain entry. By entering through a trusted supply chain relationship, an attacker bypasses traditional perimeter controls: the management agent, VPN tunnel or API integration that the vendor legitimately uses is already inside the perimeter and already trusted.
The Kaseya and SolarWinds breaches are prime examples. In the Kaseya case, attackers exploited vulnerabilities in on-premises Kaseya VSA servers and used the product's own management channel to push ransomware to the customers of the managed service providers running it. In the SolarWinds case, attackers compromised the vendor's build process so that a backdoor shipped inside legitimately signed Orion updates, giving them a foothold in every customer environment that installed the update. In neither case was the victim's own perimeter breached directly; the attackers arrived through a trusted vendor channel. These incidents underscore the importance of addressing the risk coverage gap, as the traditional 'perimeter defence' model is no longer sufficient against supply chain attacks.
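As an added illustration that is not part of the original post, the propagation described above can be made concrete by modelling trust relationships as a graph and computing, for each vendor, which critical assets an attacker could reach through that vendor, including paths that run through a vendor's own supplier. The vendor names, edges, crown-jewel list and tier thresholds below are constructed assumptions for the example; the point it makes is that a cheap, low-profile helpdesk contract can carry the largest blast radius, which a procurement score based on contract value would never reveal.

```python
from collections import deque

# Constructed example (not from the article): a trust graph of vendors and
# internal assets. An edge A -> B means "if A is compromised, an attacker
# can pivot into B" through an access path the business deliberately granted:
# an endpoint agent running as admin, a VPN tunnel, an API token, or a
# vendor's own upstream supplier (a fourth party).
TRUST_EDGES = {
    # fourth party: the vendor that supplies the MSP's remote-management tool
    "rmm-software-vendor": ["msp-helpdesk"],
    # outsourced helpdesk with an admin agent on workstations and file servers
    "msp-helpdesk": ["workstations", "file-servers"],
    # monitoring SaaS with an agent on the web tier only
    "monitoring-saas": ["web-tier"],
    # payroll SaaS integrated with the HR database via an API token
    "payroll-saas": ["hr-database"],
    # internal lateral-movement paths between assets
    "workstations": ["file-servers", "web-tier"],
    "file-servers": ["hr-database"],
    "web-tier": ["customer-database"],
}
VENDORS = {"rmm-software-vendor", "msp-helpdesk", "monitoring-saas", "payroll-saas"}
CROWN_JEWELS = {"hr-database", "customer-database", "file-servers"}


def reachable(start, edges=TRUST_EDGES):
    """All nodes an attacker can reach from `start` (BFS; safe on cycles)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(vendor, edges=TRUST_EDGES, jewels=CROWN_JEWELS):
    """Crown-jewel assets exposed if this vendor is compromised."""
    return reachable(vendor, edges) & jewels


def rank_vendors(vendors=VENDORS, edges=TRUST_EDGES, jewels=CROWN_JEWELS):
    """Vendors ordered by blast radius, largest first (ties broken by name)."""
    scored = [(v, len(blast_radius(v, edges, jewels))) for v in vendors]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def exposure_of(asset, vendors=VENDORS, edges=TRUST_EDGES):
    """Inverse view: which vendors' compromise would reach a given asset."""
    return {v for v in vendors if asset in reachable(v, edges)}


def assessment_tier(vendor, edges=TRUST_EDGES, jewels=CROWN_JEWELS):
    """Map blast radius onto a review depth; the thresholds are illustrative."""
    exposed = len(blast_radius(vendor, edges, jewels))
    if exposed >= 2:
        return "tier-1: full assessment, continuous monitoring, termination clause"
    if exposed == 1:
        return "tier-2: targeted assessment, annual review"
    return "tier-3: questionnaire"


if __name__ == "__main__":
    for vendor, score in rank_vendors():
        print(f"{vendor:22} exposes {score} crown jewel(s): {assessment_tier(vendor)}")
    print("vendors that can reach hr-database:", sorted(exposure_of("hr-database")))
```

Run as a script, it lists the helpdesk MSP and its upstream tool vendor at the top with three crown jewels each, even though neither touches the databases directly; the two SaaS vendors with narrow integrations sit at one each. Keeping the edge list current is the hard part in practice: it has to be fed by procurement (who is under contract), IT (what access was actually provisioned) and cybersecurity (which paths are exploitable), which is exactly the cross-functional gap the post is about.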
Closing the Gap: Toward a More Integrated Risk Management Approach
To manage third-party cybersecurity risk effectively, organisations must rethink their approach to risk management. A more integrated, cohesive framework is needed, one that aligns the risk management efforts of procurement, IT operations, and cybersecurity into a unified defence against external threats. This sounds easy in theory but is hard to achieve unless we change the way we perceive risk.
First and foremost, enterprises should ensure that cybersecurity considerations are embedded from the very beginning of the third-party relationship. This means evaluating vendors not only on cost and service delivery but also on their cybersecurity posture, with the depth of that evaluation scaled to the access and data the vendor will have, and requiring regular security reviews throughout the relationship. Enterprises must also adopt continuous monitoring that gives ongoing visibility into each vendor's exposure (its internet-facing footprint, published vulnerabilities in the products it supplies, and breach notifications) so that problems are detected early rather than at the next annual questionnaire. This in turn means that cybersecurity must be empowered, through contractual clauses agreed at onboarding, to escalate and, where critical deficiencies or vulnerabilities are not remediated within the agreed SLAs, to red-line the engagement for termination.
Another key step is fostering greater collaboration across departments. Procurement, IT, and cybersecurity teams must work together to identify cross-functional risks and develop coordinated control and response plans. By breaking down silos and integrating third-party risk management into the broader enterprise risk framework, organisations can close the risk coverage gap and build a more resilient cybersecurity posture.
The risk coverage gap is a significant and growing threat to enterprise security. As organisations continue to rely on third parties for critical business functions, the need for a more integrated, comprehensive approach to managing third-party and supply chain risks has never been more urgent. By focusing on this gap, redefining the end-to-end TPM process, and fostering cross-departmental collaboration, organisations can better protect themselves against supply chain risks, become better prepared to counter the evolving threat landscape, and embed long-term operational resilience.
Further reading on the incidents mentioned above and on third-party risk:
SolarWinds: The untold story of SolarWinds (Wired)
The Intricate Web of Third-Party Cybersecurity Risk (ISACA)
This is the first in a series of posts on how we can rebuild and integrate more effective third-party risk management across the organisation. Keep an eye out for the next posts.