Experts Cite Security Gaps in Current Third-Party Risk Management Practices
Vendors and Service Providers are Top Targets for Data Breach Attacks;
Experts Suggest Best Practices to Move from Risk Management to Risk Assurance
SANTA FE, N.M., May 20, 2014
SANTA FE, N.M., May 20, 2014 /PRNewswire/ -- Sophisticated networks of
criminals are penetrating databases in new complex methods, putting systems
that maintain high-value data such as personal identifiable information or
operational and systems data at high risk for breach. Third-party service
providers that warehouse terabytes of high-value data have become the latest
target, the weakest link in risk management strategy. In fact, the latest
benchmarking study—2014 Vendor Risk Management Benchmark Study—by Shared
Assessments and global consulting firm Protiviti, reveals serious
vulnerabilities and security risks to organizations that emerge from
outsourcing and partnering with third-party vendors. The study examines the
maturity of organizations' current vendor risk management programs and finds
significant risk gaps between companies and their vendors. To download a
complimentary copy of the report, please visit
How can organizations and companies manage data security risks when they lie
outside of their control? As evidenced by the study, the vendor management
landscape needs to move from risk management to risk assurance, a core topic
at the Shared Assessments Summit 2014.
Managing Third-Party Risks and Prevention Strategies
Shared Assessments asked top industry experts to comment on risk management
trends, best practices, and prevention strategies to manage the risks
associated with third-party service providers: Shared Assessments provides
risk management tools including the Vendor Risk Management Maturity Model
(VRMMM), a tool organizations use to measure the quality and maturity of their
existing risk management programs.
"The best way to prevent a data breach is to have a robust program to assess
how your vendors are managing data risks. That's the only control you have."
-Catherine A. Allen, chairman and CEO, The Santa Fe Group
"The combination of data breach occurrences, managing third-party risks, and
regulatory scrutiny are increasing organizations' liability and
responsibility. With data breach cybersecurity looming and so much at stake,
the onus is on organizations—especially in healthcare, retail, and financial
industries—to get their third-party risk programs in shape."
-Jonathan E. Dambrot, Shared Assessments Program vice-chair and managing
director, Prevalent Networks
"Vendors and service providers have an 'EZ-Pass' into companies' network
environments and are often granted access to the most sensitive data. When
outsourcing or partnering, companies need to exercise vendor due diligence the
same way they would safeguard critical assets and sensitive data in their own
possession. Companies can outsource the function but cannot outsource the
-RoccoGrillo, managing director and global leader for incident response and
forensic investigations, Protiviti
"Continually assessing vendor program and related controls is one of the best
ways to reduce uncertainty around managing third-party risks."
-Mark Holladay, chief risk officer, Synovus Financial Corporation
"The best risk management program within an organization means nothing if
compliance is outsourced along with production. Risk management must extend to
organizations' vendors to drive a full-fledged governance program."
-Kenneth P. Mortensen, Esq., attorney and counselor at law; privacy,
cybersecurity, and governance counselor
"As a service provider to financial institutions, we find that it's no longer
adequate to have a static strategy for managing risks. The threat landscape
changes so quickly, requiring a dynamic approach to managing risk along the
entire value chain of all third-parties that can be a weak link."
-Paul B. Poh, vice president, Technology Investment Services, FISERV, Inc.
"Companies need to do more than simply 'duck and cover' in this age of
cyberwar. Company-wide systems, training, and doctrine are crucial for many
current and evolving cyber-threats, but will not be sufficient for threats
emanating from a State or state-sponsored actor. As threats are becoming more
global, companies need accurate and timely information to think and act
proactively, giving them the ammunition to organize and push for the right
changes to be made in U.S. policy."
-Dr. Samantha Ravich, executive, senior advisor, The Chertoff Group
"Assessing and managing vendor risk is not a 'once and done' effort, but an
ongoing process for third-party risk at each phase of the lifecycle of the
third-party relationship, from on-boarding to ongoing monitoring, to exit
strategies. Mature programs should adopt a federated approach that brings
together all of the parts of an organization that play a role in third-party
risk management, to drive a holistic approach to vendor risk assurance."
- Linnea Solem, Shared Assessment Program Chair, and Chief Privacy
Officer/vice president at Deluxe Corporation
"The regulators have made it clear that from an ownership perspective there's
virtually no distinction between first-and third-party data risk. In that
environment, market and supplier vigilance is no longer a luxury—it's a
-Atul Vashistha, founder andCEO, Neo Group
About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk
management, with resources to effectively manage the critical components of
the vendor risk management lifecycle; creating efficiencies and lowering costs
for all participants; kept current with regulations, industry standards and
guidelines, and the current threat environment; adopted globally across a
broad range of industries both by service providers and their customers.
Through membership and use of the Shared Assessments Program Tools (the Agreed
Upon Procedures, Standard Information Gathering questionnaire and Vendor Risk
Management Maturity Model), Shared Assessments offers companies and their
service providers a faster, more efficient and less costly means of conducting
rigorous assessments of controls for IT and data security, privacy and
business continuity. The Shared Assessments Program is managed by The Santa Fe
Group (www.santa-fe-group.com), a strategic consulting company based in Santa
Fe, New Mexico.
Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508,
firstname.lastname@example.org or Kelly Stremel, email@example.com
SOURCE Shared Assessments
Press spacebar to pause and continue. Press esc to stop.