
Ask the Experts
Joshua Goldfarb

Any Advice for Assessing Third-Party Risk?

Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.

Question: What are some important points to consider when looking to improve my third-party risk assessment function?

Josh Goldfarb, independent consultant: Most businesses work closely with and rely on third parties, suppliers, and vendors to help them accomplish their business objectives — but while third parties can provide many benefits to a business, they can also introduce risk.

So it’s important to holistically assess your third-party risk regularly. You should begin by prioritizing your risks and tailoring your third-party risk assessments accordingly.

Here are a few things you should not do:

  • Don't be afraid to have multiple questionnaires: Assign risk assessment questionnaires to each party based upon the size, type, criticality, and data sensitivity for each vendor.
  • Don't trust the answers you get: Leverage technology to verify and validate responses and to check that required controls are actually in place.
  • Don't end the process at the assessment phase: Build a work program for each vendor to bring them in line with your expectations.
  • Don't forget to measure: Each assessment should result in a tangible risk score that you can use to assess your exposure across individual vendors, across the various segments of the supply chain, and across the supply chain as a whole.
  • Don't stagnate: Remember to continually review your third-party risk assessment function amid evolving priorities, identify weak spots, and work to strengthen and improve them.

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...


User Rank: Apprentice
9/17/2019 | 4:24:06 PM
Assessing Third Party Risk
How about instead of doing useless questionnaires, hold your vendors accountable to their contracts by making them sign and agree to what you need from them in a security addendum? It takes far fewer resources than going through useless vendor audits. Then audit only high-risk vendors against what they agreed to do or have in place and are liable for in the contract. No one has the resources to audit all their vendors.
User Rank: Author
10/22/2019 | 1:41:20 PM
Re: Assessing Third Party Risk
I think the key point about the questionnaires is not the questionnaires themselves but is instead the following bullet that advises on use of technology to check and enforce that things are happening as they should. This is something that I often see. The proactive element of protection is merely a paper exercise and then a lot of effort goes into reacting and assigning blame and accountability when something goes wrong. A little more effort with proactive protection technology goes a long way. I'm not saying the other elements aren't needed but rather there is a gap in the overall approach that people currently take.