To mitigate the cyber risks associated with third-party providers, it’s important to continuously monitor their information security controls and other cyber threats

By Bryan Sartin, Vice President of Security & Resiliency at Kyndryl

Many organizations are looking outside their own IT departments to expand their digital footprint and power business processes. But a complex IT partner ecosystem could also create several potential risks. 

If a third-party vendor experiences an exposure, breach or downtime, your business could suffer as well. For instance, bad actors may try a third-party entry point to get into your organization’s systems and either infect them, steal data or disrupt business operations.

Consider this: According to a new Kyndryl survey, 52% of organizations said a third-party exposure, breach or downtime would have a very or extremely negative impact on their business if it were to occur.

Understanding an organization’s IT vendor ecosystem can be challenging, as many vendors frequently engage with multiple layers of third, fourth or even fifth outsourced parties. 

At many organizations, third-party risk management resources are limited, with sporadic assessments of third-party risk or reviews by under-resourced teams — that could put the organization at risk. Additionally, compliance and data regulations are also a challenge, especially depending on the industry and geography your organization operates in. 

Strong third-party risk management programs are foundational for organizations to better anticipate IT threats that might impact their operations.

These five strategies can help leaders better mitigate and manage third-party IT risks.

Young diverse african american female coworkers working together on start up project. Business people meeting around a boardroom table discussing creative concept, holding tablet

1. Align the IT vendor risk-management strategy to business objectives

It is important to tie the organization’s IT third-party risk management strategy to its risk tolerance (the amount of risk the organization is willing to accept to achieve its goals). This provides foundational guidance for the organization as it evolves its program.

Business presentation, man and leadership with seminar and analytics of a worker. Workshop, employee and team with brainstorming and creative design strategy with teamwork and marketing collaboration.

2. Help your IT team understand vendor roles and responsibilities

There are many teams within an organization that play a crucial role in addressing IT third-party risks. For example, procurement is responsible for performing due diligence on any potential third-party, while legal will ensure important contractual safeguards/obligations and regulatory requirements are met. Similarly, the security team will review the security controls to make sure the vendor is properly protecting any data that is shared. Understanding the roles and responsibilities of each team will help create a more cohesive third-party risk management program.

Happy mid aged business woman manager handshaking greeting client in office. Smiling female executive making successful deal with partner shaking hand at work standing at meeting table.

3. Communicate often

Creating an open and transparent relationship with regular communication allows the third-party vendor to quickly inform the organization of any risks and challenges related to business disruption.

Creative people, team and thinking in planning for schedule brainstorming or meeting at office. Man and woman in teamwork decision for project plan, tasks or sticky note ideas in startup at workplace.

4. Diversify your suppliers

While diversifying suppliers across different regions can reduce the effect of sudden cyber disruptions, it’s also important not to have too many.

Laptop, planning and teamwork with business people in meeting from above for data, chart and strategy. Project management, budget and report with employees in office for finance, graph and research.

5. Remember to assess often

Because third-party IT risk management is a continuous process, it is critical for organizations to consistently update their risk register and risk reporting, while also considering the evolving digital environment and how it could affect the business.

With a strong cybersecurity and incident response plan in place, CISOs and IT leaders can mitigate attacks and other risks by continually collecting, processing and analyzing third-party risk management data. This fundamental mindset shift — from preventing to planning — makes the cybersecurity field more critical than ever.

In recognition of Cybersecurity Awareness Month, this is the second installment of a weekly series in October that highlights how organizations can anticipate, protect against, withstand and recover from cyberattacks.

Bryan Sartin

Vice President of Security & Resiliency at Kyndryl