The Impact of Low Maturity in Cybersecurity on Third-Party Risk Management
The global pandemic has presented a myriad of challenges to organizations, with IT infrastructure and security taking center stage. CISOs are grappling with the complex task of safeguarding the five pillars of security: identity, devices, network, data, and applications. The Cisco Cybersecurity Readiness Report reveals that while progress is being made, there is significant room for improvement, which can have direct implications on third-party risk management (TPRM).
The report indicates uneven progress across the five pillars. Identity management, considered the most critical area, has nearly three in five respondents (58%) in the Formative or Beginner category. However, 95% have at least started deploying a solution. Similarly, over half (56%) of respondents working to protect their networks are at the lower end of the readiness spectrum, with 50% planning to finalize deployments within the next 12 months.
Device protection shows the most progress, with 31% of organizations achieving the highest readiness category. However, more than half (56%) are still in the Formative or Beginner stage. In application workload protection, 97% have deployed a solution, but nearly two-thirds (64%) are in the Formative or Beginner stage. Data protection, on the other hand, has 98% of respondents with solutions in place, and half (50%) are in the Mature and Progressive categories.
The overall picture might appear positive, but the slow deployment of solutions, particularly for identity, devices, and networks, leaves organizations vulnerable to attacks. These consequences cannot be ignored, and readiness should be a priority for all organizations, with an emphasis on accelerated solution deployment.
While an organization might have addressed its most critical security areas, low maturity companies within its ecosystem can still create vulnerabilities and impact overall security.
The following section will explore how partnering with low maturity companies can have significant consequences for an organization’s security and highlight the importance of comprehensive third-party risk management.
When organizations collaborate with suppliers, vendors, or service providers, they often share sensitive information and grant access to critical systems or resources. Low maturity companies may not have robust security measures in place, which can inadvertently introduce vulnerabilities into the organization’s environment. These vulnerabilities can potentially be exploited by threat actors, leading to data breaches, intellectual property theft, or other security incidents.
Additionally, low maturity companies may not have the necessary processes, resources, or expertise to effectively manage and mitigate security risks. This can result in an increased likelihood of security incidents and a reduced ability to respond to and recover from such events. Furthermore, these companies may not be aware of the latest threats, regulatory requirements, or industry best practices, which can further compound their risk exposure.
To mitigate the risks associated with low maturity companies in their ecosystem, organizations should adopt a proactive and comprehensive third-party risk management (TPRM) approach.
Key elements of a successful TPRM strategy include:
- Risk assessment: Conduct thorough due diligence and risk assessments of all third parties before entering into a relationship. This should include evaluating their security posture, maturity level, and compliance with relevant industry standards and regulations.
- Continuous monitoring: Implement ongoing monitoring of third-party security performance, compliance, and risk exposure. This should involve regular audits, assessments, and reviews to identify emerging risks and ensure adherence to security requirements.
- Contractual obligations: Incorporate clear security requirements, expectations, and responsibilities into contractual agreements with third parties. This should cover areas such as data protection, incident response, and regulatory compliance.
- Security awareness and training: Encourage third parties to invest in security awareness and training programs for their employees. This can help to reduce the risk of human error and promote a culture of security within their organization.
- Incident response and recovery: Establish clear procedures for incident response and recovery, including communication protocols, roles, and responsibilities. Ensure that third parties are aligned with these procedures and have the necessary capabilities to respond effectively to security incidents.
In conclusion, the Cisco Cybersecurity Readiness Report highlights the importance of accelerating cybersecurity solution deployments to enhance overall security efforts, holistically. By focusing on improving their cybersecurity maturity, organizations can better manage the risks associated with third-party relationships as well, and ensure the security and success of their business operations within their ecosystem. We are certainly talking about a shared responsibility nowadays, rather than our own security maturity.
By Magda Chelly
Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
Find out on magda-on-cyber.com
Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
- The IFSEC Global influencers in security and fire 2021
- Top Women in Security Asean Region 2021 Awards https://www.asiapacificsecuritymagazine.com/winners-and-judges-of-the-top-women-in-security-asean-region-2021-awards/
Follow Magda on her Social Media Accounts:
- LinkedIn: https://www.linkedin.com/in/m49d4ch3lly
- Twitter: https://twitter.com/m49D4ch3lly
- Facebook: https://www.facebook.com/m49d4ch3ly
- Instagram: https://www.instagram.com/m49d4ch3lly