Press Release: Experts Cite Security Gaps in Current Third-Party Risk Management Practices

May 20, 2014 | News

Contact: Lisa MacKenzie, MacKenzie Marketing Group, 503-705-3508, or Kelly Stremel,

Experts Cite Security Gaps in Current Third-Party Risk Management Practices

Vendors and Service Providers are Top Targets for Data Breach Attacks;
Experts Suggest Best Practices to Move from Risk Management to Risk Assurance

Santa Fe, NM — May 20, 2014 — Sophisticated criminal networks are penetrating databases with new and complex methods, putting systems that hold high-value data, such as personally identifiable information or operational and systems data, at high risk of breach. Third-party service providers that warehouse terabytes of high-value data have become the latest target and the weakest link in risk management strategy. The latest benchmarking study, the 2014 Vendor Risk Management Benchmark Study by Shared Assessments and global consulting firm Protiviti, reveals serious vulnerabilities and security risks to organizations that arise from outsourcing and partnering with third-party vendors. The study examines the maturity of organizations’ current vendor risk management programs and finds significant risk gaps between companies and their vendors. To download a complimentary copy of the report, please visit

How can organizations and companies manage data security risks that lie outside their control? As the study shows, the vendor management landscape needs to move from risk management to risk assurance, a core topic at this week’s Shared Assessments Summit 2014.

Managing Third-Party Risks and Prevention Strategies
Shared Assessments asked top industry experts to comment on risk management trends, best practices, and prevention strategies for managing the risks associated with third-party service providers. Shared Assessments also provides risk management Tools, including the Vendor Risk Management Maturity Model (VRMMM), which organizations use to measure the quality and maturity of their existing risk management programs.

“The best way to prevent a data breach is to have a robust program to assess how your vendors are managing data risks. That’s the only control you have.”
-Catherine A. Allen, chairman and CEO, The Santa Fe Group.

“The combination of data breach occurrences, managing third-party risks, and regulatory scrutiny are increasing organizations’ liability and responsibility. With data breach cybersecurity looming and so much at stake, the onus is on organizations—especially in healthcare, retail, and financial industries—to get their third-party risk programs in shape.”
-Jonathan E. Dambrot, Shared Assessments Program vice-chair and managing director, Prevalent Networks

“Vendors and service providers have an ‘EZ-Pass’ into companies’ network environments and are often granted access to the most sensitive data. When outsourcing or partnering, companies need to exercise vendor due diligence the same way they would safeguard critical assets and sensitive data in their own possession. Companies can outsource the function but cannot outsource the risk.”
-Rocco Grillo, managing director and global leader for incident response and forensic investigations, Protiviti

“Continually assessing vendor program and related controls is one of the best ways to reduce uncertainty around managing third-party risks.”
-Mark Holladay, chief risk officer, Synovus Financial Corporation

“The best risk management program within an organization means nothing if compliance is outsourced along with production. Risk management must extend to organizations’ vendors to drive a full-fledged governance program.”
-Kenneth P. Mortensen, Esq., attorney and counselor at law; privacy, cybersecurity, and governance counselor

“As a service provider to financial institutions, we find that it’s no longer adequate to have a static strategy for managing risks. The threat landscape changes so quickly, requiring a dynamic approach to managing risk along the entire value chain of all third parties that can be a weak link.”
-Paul B. Poh, vice president, technology investment services, FISERV, Inc.

“Companies need to do more than simply ‘duck and cover’ in this age of cyberwar. Company-wide systems, training, and doctrine are crucial for many current and evolving cyber-threats, but will not be sufficient for threats emanating from a State or state-sponsored actor. As threats are becoming more global, companies need accurate and timely information to think and act proactively, giving them the ammunition to organize and push for the right changes to be made in U.S. policy.”
-Dr. Samantha Ravich, executive, senior advisor, The Chertoff Group

“Assessing and managing vendor risk is not a ‘once and done’ effort, but an ongoing process for third-party risk at each phase of the lifecycle of the third-party relationship, from on-boarding to ongoing monitoring, to exit strategies. Mature programs should adopt a federated approach that brings together all of the parts of an organization that play a role in third-party risk management, to drive a holistic approach to vendor risk assurance.”
-Linnea Solem, Shared Assessments Program Chair, and chief privacy officer and vice president, risk and compliance, at Deluxe Corporation

“The regulators have made it clear that from an ownership perspective there’s virtually no distinction between first- and third-party data risk. In that environment, market and supplier vigilance is no longer a luxury—it’s a necessity.”
-Atul Vashistha, founder and CEO, Neo Group

About the Shared Assessments Program
The Shared Assessments Program is the trusted source in third-party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle. It creates efficiencies and lowers costs for all participants; it is kept current with regulations, industry standards and guidelines, and the current threat environment; and it is adopted globally across a broad range of industries, both by service providers and their customers. Through membership and use of the Shared Assessments Program Tools (the Agreed Upon Procedures, the Standard Information Gathering questionnaire and the Vendor Risk Management Maturity Model), Shared Assessments offers companies and their service providers a faster, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business continuity. The Shared Assessments Program is managed by The Santa Fe Group, a strategic consulting company based in Santa Fe, New Mexico.
