June 07, 2024
Cyber Risk

Key Takeaways from Gartner Security & Risk Summit 2024

By Resha Chheda

The recently concluded Gartner Security & Risk Summit 2024 was nothing short of insightful, boasting a lineup of enriching sessions that delved deep into the realm of cybersecurity. While conversations regarding AI security took center stage as anticipated, an unexpected spotlight shone on the crucial topic of Third-Party Risk Management (TPRM).

Surging Third-Party Risks

The opening Gartner keynote address covered third-party cyber risk management as one of the two key investment focus areas for organizations.

The keynote discussed the increasing interruptions caused by third parties, which surged by a staggering 45% from last year. Gartner experts mentioned that despite the cyber risks, 40% of the time, business sponsors move forward with vendors because of lack of effective third-party risk management programs. The session recommended organizations follow strategies such as bringing business continuity management to Third-Party Cyber Risk Management as well the recommended partnering with the third parties to mature their risk management practices.

Third-party risk management also took center stage in the discussion on emerging technologies in security and risk management for the year ahead. This shift in emphasis might have initially seemed surprising, but the statistics shed light on its relevance, where third-party breaches occur much more frequently than organizations realize.

What Accounts for the Increase in Third-party Incidents Despite the Market Being Inundated with TPRM Solutions?

We need to address the root issues of how third-party risk is managed. In retrospection, our traditional model of third-party risk management carries several flaws:

  1. Self-Assessment Questionnaires: Traditional reliance on extensive questionnaires often led to superficial responses that failed to translate into robust security practices.
  2. Incident Likelihood Focus: Past approaches prioritized reducing incident likelihood without thorough verification of remediation efforts.
  3. Compliance Chasing: Pursuing compliance without ensuring meaningful security outcomes resulted in lingering vulnerabilities.
  4. Generic Contracts: Broad contract language lacked specificity, leaving room for interpretation and ambiguity.
  5. Per-Party Payment Model: Financial and logistical burdens hindered scalable risk management efforts for each third party.

Strategies for Effective Mitigation of Third-Party Risk

Given these issues, what measures can organizations take to effectively manage third-party risk?

Our CISO panel session, featuring Michael Johnson, CISO of Meta Financial Technologies, Michael Elmore, CISO of GSK, and Sri Manda, CTSO of Peloton Interactive, discussed the following strategies for fixing third-party risk management:

  1. Prioritize and Prove: Instead of a scattergun approach, focus on a clear set of priority controls and demand evidence of implementation.
  2. Zero Trust For Third Parties: Adopt a stance that incidents will occur and manage their impact using Zero Trust controls.
  3. Partner to Raise the Bar: Assist third parties in improving their security by offering tools, training, and AI-assisted control assessments.
  4. Risk-Based Third-Party Prioritization: Drive third-party actions based on their risk to your business, targeting the most recommended controls improvements.
  5. Scale Cost-Effectively: Implement fixed pricing models that allow you to manage any number of third parties, improving coverage and reducing costs.

Conclusion: A Call to Action for a More Effective Third-Party Risk Management

In conclusion, while AI and machine learning remain at the forefront of cybersecurity advancement, the Gartner Security & Risk Summit 2024 reminded us that effectively managing third-party risk is equally critical. The lessons learned point towards a paradigm shift where risk management must be dynamic, evidence-based, and collaborative.

CISOs and security leaders need to adopt a business-oriented approach to cybersecurity. By refocusing on strategic risk management rather than just compliance, organizations can improve resilience against the evolving threat landscape.

SAFE TPRM solution represents a major shift in how third-party cybersecurity risks are measured and managed. Unlike traditional methods, which provide a piecemeal view with static data, SAFE TPRM integrates diverse risk indicators into a single, clear perspective. This integration allows businesses to see not just snapshots but a continuous, real-time view of their entire third-party ecosystem.

Schedule a demo with a cyber risk expert to explore how SAFE can elevate your third-party cyber risk management approach.