Almost half of firms faced third-party interruptions in past two years

Despite increased investments in third-party cybersecurity risk management over the past two years, 45% of organisations experienced third party-related business interruptions, according to a new survey by Gartner.

The survey was conducted in July and August 2023 among 376 senior executives involved in third-party cybersecurity risk management across organisations from different industries, geographies and sizes.

Zachary Smith, senior principal of research at Gartner, said: “Third-party cybersecurity risk management is often resource-intensive, overly process-oriented and has little to show for in terms of results. Cybersecurity teams struggle to build resilience against third party-related disruptions and to influence third party-related business decisions.”

Gartner suggests four key actions that security and risk management leaders should take to increase their effectiveness in managing third-party cybersecurity risk. These include: regularly reviewing how effectively third-party risks are communicated to the business owner; tracking third-party contract decisions to manage risk acceptance; conducting third-party incident response planning to prepare and recover well in the event of an incident; and working with critical third parties to mature their security risk management practices as necessary.


