IDC PlanScape: IT Security Third-Party Risk Management

Description

This IDC PlanScape focuses on how to develop a third-party risk management program from a CISO perspective."Third-party products and services are not just 'nice to haves' but 'must-haves' in a modern business environment. Just think about the latest wave of AI. It would be practically impossible to move at speed without relying on at least some third parties. This introduces risk, which can be greatly reduced by making the right choices upon selection of third parties and in ongoing use of their products and services," says Nick Kirtley, adjunct research advisor, IT Executive Programs (IEP), IDC.

Product Code: US54268726

IDC PlanScape Figure

Executive Summary

Why Is IT Security Third-Party Risk Management Important?

What Is IT Security Third-Party Risk Management?

Who Are the Key Stakeholders?

How Can My Organization Take Advantage of IT Security Third-Party Risk Management?

Begin with supporting assessments of new third parties
Use contract renewals as an opportunity to address shortcomings
Prioritize third parties
Require security attestations and certificates
Register third-party risks and shortcomings
Use regulatory requirements to push for improved minimum security requirements
Perform periodic reviews
Use external scanning services
Ensure internal organization-side security measures are implemented
Consider privacy requirements
Implement security monitoring of third-party products and services
Prevent unsanctioned third parties and shadow IT and services
Use a third-party risk exchange
Develop and improve questionnaires and security requirements to cover major risks