Managing third-party cyber security risk in today’s highly connected businesses isn’t easy. Security and risk management teams are pulled in competing directions as they respond to the demands of regulators – echoed by the Board – to comply with legislation. Simultaneously, they need to monitor and mitigate emerging risks that don’t appear on a regulator’s checklist but could have a critical impact on the business. The tension between competing risk agendas stretches in-house resources to breaking point and raises the possibility that, when a new risk surfaces in the supply chain, the business is busy looking the other way.
Part of the problem is measurability. It is easier to understand, measure and demonstrate compliance with regulations than it is to understand the complex issues of devolved cyber risk in the supply chain. It is hard to put a value on the actions that prevent a breach from happening in the first place, whereas it is simpler to point to the penalties avoided when regulatory compliance is achieved. This can lead organisations to focus attention on the compliance side of the balance rather than on the deeper challenge of identifying vulnerabilities in the extended supplier ecosystem.