Across industries, organizations are becoming more interconnected and more reliant on vendors to move quickly and stay competitive. It’s no surprise that for the past several years, the topic of third-party risk management has continued to dominate submissions to RSAC Conference. The number of third-party relationships continues to grow, and with that growth comes expanded exposure.
In the latest episode of Cyber at the Top, I sat down with T.J. Patterson, VP and Information Security Officer at STAR Financial Bank to discuss challenges and strategies for managing third-party risk. I can’t even imagine the number of third parties T.J. works with on a regular basis. And the risks at stake are massive in a heavily regulated industry like financial services. We discussed the new reality that many security leaders are dealing with, as ecosystems expand and dependencies deepen, and what they can do to mitigate third-party risk.
Third Parties are an Extension of Your Business
Your customers don’t know your third parties. They know you. If customer data is exposed through a vendor, or if a critical system goes down because of a supplier, the impact on trust is the same as if the breach happened within your own organization. “Our bank’s customers don’t care if information is taken from us or a vendor,” T.J. explained. “They just know the relationship they have is with us. We have to ensure that the controls and risk being managed by our third parties are aligned with our own maturation.” As a CISO, it’s your responsibility to ensure that controls are appropriately assessed and managed. And if your organization is subject to certain regulatory requirements, your partners must be aligned to those expectations.
Unique Challenges of Third-Party Security Incidents
From an impact perspective, a third-party breach can look very similar to a direct attack. However, T.J. described one of the unique challenges of a third-party incident as the lack of visibility. “There’s not much we can do to dig into that data. We can’t bring in a forensic team.” When a vendor experiences an incident, you are dependent on their incident response capabilities as well as their communication practices and transparency. That lack of visibility creates both operational and reputational risk for your organization.
Identifying and Classifying Third-Party Risk
For organizations managing hundreds or even thousands of vendors, prioritization is key. Cybersecurity leaders should start with two questions:
1. What type of data is this vendor storing or managing? Is it sensitive customer data? Regulated data? Intellectual property?
2. How critical are they to operations? If this vendor were disrupted, would there be downstream effects for customers? For example, if a bank’s online banking system goes down, it would be a direct hit to customer trust.
Whichever system of identification and classification you choose, T.J. highlighted that, “Consistency is key. Once you have a method, make sure you’re consistent with that method.” Classification should also factor in resiliency and concentration risk. If many of your vendors rely on the same cloud provider or data center geography, you may be introducing systemic risk into your ecosystem. These ripple effects can surprise even mature organizations.
Continuous Monitoring After the Initial Assessment
T.J. recommends conducting formal reviews annually or every other year, depending on how critical the third party is to your operations. He also noted that if a partner declines to take part in an annual review, that can be a signal to pause and reassess alignment.
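As an added illustration of the two-question classification above, the concentration-risk caveat, and the tiered review cadence (example code written for this page, not from T.J. Patterson or STAR Financial Bank; the vendor inventory, sensitivity values and scoring thresholds are constructed assumptions):

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical vendors); the sensitivity values and
# tier thresholds below are assumptions for illustration, not a scheme from the interview.
VENDORS = [
    {"name": "CoreBankingCo", "data": "regulated", "critical": True, "provider": "cloud-east"},
    {"name": "OnlineBankingSaaS", "data": "customer", "critical": True, "provider": "cloud-east"},
    {"name": "StatementPrinter", "data": "customer", "critical": False, "provider": "cloud-east"},
    {"name": "MarketingTool", "data": "public", "critical": False, "provider": "cloud-west"},
    {"name": "OfficeSupplies", "data": "none", "critical": False, "provider": None},
]

# Question 1: what type of data does the vendor store or manage? (higher = more sensitive)
DATA_SENSITIVITY = {"regulated": 3, "customer": 2, "ip": 2, "public": 1, "none": 0}


def tier(vendor):
    """Tier 1 = highest risk, 3 = lowest, derived from the two questions."""
    score = DATA_SENSITIVITY[vendor["data"]]
    if vendor["critical"]:
        score += 3  # Question 2: a disruption would hit customers directly
    if score >= 5:
        return 1
    if score >= 2:
        return 2
    return 3


def review_interval_years(vendor):
    """Formal review cadence: annual for Tier 1, every other year otherwise."""
    return 1 if tier(vendor) == 1 else 2


def concentration_risk(vendors, threshold=2):
    """Flag providers hosting `threshold` or more Tier 1/2 vendors: one outage there
    would disrupt several important relationships at the same time."""
    by_provider = defaultdict(list)
    for v in vendors:
        if v["provider"] and tier(v) <= 2:
            by_provider[v["provider"]].append(v["name"])
    return {p: names for p, names in by_provider.items() if len(names) >= threshold}


def classify(vendors):
    """Apply the same method to every vendor, highest risk first."""
    rows = [(v["name"], tier(v), review_interval_years(v)) for v in vendors]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, t, years in classify(VENDORS):
        print(f"{name:<20} tier {t}  formal review every {years} year(s)")
    print("Concentration risk:", concentration_risk(VENDORS))
```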
Technology and tools can help provide ongoing monitoring and external risk ratings. Even simple steps, like enabling Google Alerts for key vendors, can provide early warning when incidents hit the mainstream media. But as we discussed in the interview, tools and technology are not infallible. Ratings data can be misleading, and attestations can sometimes lack depth. T.J. explained that there is a balance between leveraging automation and applying informed judgement.
One of the most effective strategies T.J. leverages is building strong relationships with the internal owners of those third-party relationships. When relationship owners know the importance of early reporting and feel comfortable escalating concerns, your monitoring becomes more resilient.
When Vendors Push Back
In my experience, sometimes a vendor is critical to the business but is resistant to security requirements. I asked T.J. about it, and he responded, “Part of our responsibility is to effectively communicate risk.” The CISO’s job is not necessarily to make the final decision on a vendor in isolation. It’s to present clear, well-documented risk information to the appropriate governing body, whether that’s an executive committee or the board. The focus should be on determining whether the vendor’s security maturity is aligned with your organization’s risk tolerance.
When engaging executives and boards, T.J. recommends framing third-party risk in terms of three dimensions: financial impact, legal exposure, and time. Speaking the language of business ensures the conversation stays strategic rather than overly technical. This approach strengthens credibility and builds trust with business leaders, making it easier to address future security challenges.
Basic Steps to Get Started
T.J. ended the interview with a few basic recommendations for cyber leaders dealing with how to manage increased third-party risk:
1. Leverage an existing cybersecurity framework
2. Identify the core 10-15 controls you expect to see
3. Apply them consistently and refine them over time
To hear our full conversation and dive deeper into what’s next, including fourth-party risk and AI, watch the video here.