As we move into 2022, the pandemic persists and security needs increase. You’re probably already assessing the security controls of your top third party vendors through a TPRM program, but the third party risk surface keeps expanding at lightning speed. Are you ready to kickstart next year’s strategy to face new supply chain challenges and regulations?
In order to seize opportunities amid the uncertainty and forge a path to success, it’s critical for your organization to understand the forces that will shape our digital business world. Be ready by building these trends into your roadmap for the year ahead.
Vendor Risk Management Trends To Keep An Eye Out For In The New Year
1. The Interconnected Nature of Supply Chains Forces Attention on Securing Relationships
Accelerated digital transformation has increased organizations' reliance on one another, to the point where any given organization engages with dozens or hundreds of third-party vendors.
You need to be sure you can trust everyone in your supply chain, fostering secure and transparent relationships. Any gaps in security or trust in your third-party relationships will greatly impact your organization’s decision making.
In fact, cybersecurity risk and security postures are increasingly used as a key factor in assessing business opportunities, such as hirings, mergers and acquisitions, venture capital investments, and vendor contracts. As a result, there will be more requests for data from one business to another via risk assessments, questionnaires, and security ratings.
Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
2. Third Party Data Breaches Continue to Disrupt Supply Chains
A survey by the Ponemon Institute found that over half of organizations (51%) have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.
According to Forrester, 60% of security incidents in 2022 will result from issues with third parties. With cyberattacks targeting vendors and suppliers, third-party incidents will increase and SolarWinds-style headlines will threaten organizations that don’t invest in third party risk management from the people, process, and technology perspective.
3. Risk Management Becomes Less Siloed and More Cross-Functional
Any business function that is conducted in silos needs to be revisited in 2022. Confining your risk management program coverage to a single risk domain is no longer feasible, as organizations are now expected to monitor multiple risk domains, including cybersecurity, data privacy, anti-bribery and corruption, ESG, quality, and more.
It’s time to think more broadly and develop holistic programs built on a cross-functional approach. When it comes to TPRM and the monitoring and management of third-party relationships, the departments involved (procurement, compliance, risk, IT security, data privacy, etc.) should not operate in silos, but as a single unit in charge of reducing overall enterprise risk.
Programs are also extending deeper into supply chains to address these risks. It’s not just third parties that need to be accounted for, but fourth parties and beyond.
4. Zero Trust Adoption Increases as the Threat Landscape Expands
Many organizations recognize that a breach is all but certain to happen. However, if you take the necessary steps to contain it, the damage can be dramatically reduced.
Companies are allocating more budgets to map the potential spread of a breach, flag any vulnerabilities, and adopt new security practices, like zero trust. According to an IDG survey, 52% of organizations plan to research or pilot zero trust technology in 2022.
Unlike the perimeter security approach, based on the premise of ‘trust but verify’, Zero Trust suggests that, by default, organizations should never trust any internal or external entity that enters their perimeter. Considering that hybrid work increased the attack surface, it’s not safe anymore to think there’s a delimited perimeter in which you can trust everything and everyone.
The good news is that the shift to zero trust does not require a major effort. In fact, you may already be using many of the foundational tools and techniques of Zero Trust, such as access controls based on the principle of least privilege, asset management, or network segmentation, among others. From there, you can add further layers for automation, orchestration, visibility, and analysis. Together, these controls form the defense-in-depth approach needed to support Zero Trust.
5. Due Diligence Takes On New Meaning with Environmental, Social, and Corporate Governance (ESG)
Is ESG on your radar yet? With renewed focus from regulators, particularly in the EU, ESG is making its way into the top priorities of supply chain management. Organizations will be accountable not only for their own footprint and social impact, but also for that of their third parties.
The demands of customers for commitment to ESG values are only growing stronger. In March 2021, the European Parliament voted for the adoption of a law that requires organizations to conduct environmental and human rights due diligence along their full value chain or face fines, sanctions, and/or civil liability.
Germany is debating similar legislation. Under its Due Diligence Act, companies procuring parts or materials from foreign suppliers that fail to meet minimum human rights and environmental standards would face fines.
As GDPR showed, it only takes one region to take the first step before more regulations follow. Organizations would then need to implement a risk-based approach to due diligence in order to address issues, or face penalties.
6. A Surge of New Regulations Catapults Cybersecurity Up the Board Agenda
After GDPR came Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). Consumer privacy legislation will keep expanding: according to Gartner, by the end of 2023 it will cover the personal information of 75% of the world’s population.
This means customers and users alike will demand to know what kind of data you’re collecting and how it’s being used. It also means you’ll need a privacy management system that helps you standardize security operations in an easy and scalable manner, so you can adapt to different jurisdictions.
Apart from privacy, compliance with other industry standards and regulations, such as OWASP, PCI, NERC, and NIST, remains a must. In addition, the percentage of nation states passing legislation to regulate ransomware payments, fines, and negotiations will rise to 30% by the end of 2025, compared to less than 1% in 2021.
7. The cybersecurity scope keeps expanding with Cyber Supply Chain Risk Management (C-SCRM)
The inevitable shift to global, digital, and interconnected supply chains has put them in the spotlight.
In a future where everything is digitized and automated, C-SCRM is becoming the industry standard on how to define, measure, control, manage, and overcome the challenges deriving from supply chain uncertainty.
Examples of supply chain risks include counterfeits and unauthorized production, tampering, theft, insertion of malicious software and hardware, poor manufacturing and development practices, and more. Once again, the scope of enterprise risk management expands towards a holistic approach that goes beyond the traditional security questions.
This means TPRM programs need to evolve to better manage cyber risks across the end-to-end supply chain. To support this, NIST published the Key Practices in Cyber Supply Chain Risk Management, which sets out 8 key best practices designed to help organizations build a robust program.
8. Automation Becomes Standard Practice
Many of the challenges ahead call for more automation, in order to accelerate processes, increase visibility, and expand the scope of cybersecurity initiatives. The growing range of risks to manage and the increased regulatory pressure make automation essential, with the ability to reshuffle priorities and organize efforts by using the latest analytics.
Everything that can be automated will probably be. Market interest is high in AI, IoT, machine learning, digital twins, and robotic process automation (RPA), serving information to help leaders make decisions.
Forrester predicts that new forms of automation will support one out of every four remote workers, directly or indirectly, by the end of this year. The analysts think many organizations will invest in conversational AI, machine learning, and hardware advances to help remote workers perform tasks that were previously done in the office or carried high labor costs.
TPRM leaders can leverage the power of automation technology to increase efficiency, reduce repetitive work in vendor risk assessments, adopt continuous monitoring, and focus on the more strategic aspects of the program, rather than the administration.
9. Operational Resilience Becomes a Culture
When the pandemic put every plan to real-life action, it became clear that resilience (from an operation, business, and organizational perspective) needs to be embedded into every process, project, and application.
Gartner predicts that by 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime, severe weather events, civil unrest, and political instabilities. The goal is to define organizational resilience objectives, and create an inventory of cyber risks that could potentially impact them, so you can stay ahead.
Organizational Resilience is more than Business Continuity Management (BCM), Operational Risk Management, Supply Chain Resilience or Third-Party Risk Management. It’s a combination of all of these, driven by a greater reliance on third party vendors, digital transformation, and rising cyberattacks.
10. A Focus on Internet-Facing Vulnerabilities and Cloud Application Security
Cybercriminals will keep targeting Internet-facing and cloud-based infrastructure. Organizations will need to do more to safeguard these assets as adoption grows: by 2024, 30% of enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) capabilities, probably from the same vendor, according to Gartner.
As organizations move into cloud-scale applications to meet their competitive challenges, the use of open-source components brings along security vulnerabilities and challenges, such as obsolescence, licensing issues, and policy compliance issues.
Now that generic cloud offerings have become commoditized, there will be a shift to industry-specific clouds with a special focus on highly regulated industries, such as banks. For cloud buyers, the differentiator will no longer be capability alone, but compliance with the specific vertical’s requirements for secure development.
Source: https://www.thirdpartytrust.com/blog/vendor-risk-management-trends-2022/