Fewer organizations are affected by supply-chain security incidents as they take a more proactive approach to third-party risk management (TPRM), according to BlueVoyant.
MSSPs can play an important role in helping customers expand their understanding of TPRM, and can assist with closing gaps in visibility, expertise, and response capabilities. As supply chains grow more complex and interdependent, MSSPs bring value to third-party relationships through continuous oversight and assessment.
In its fifth annual report about supply chain cybersecurity risk management, the cloud-native security platform vendor found that 81% of 2,100 executives surveyed said their businesses were negatively impacted by supply chain breaches over the previous 12 months. That number is still high, but represents a decline from the 94% who said the same thing last year.
At the same time, most organizations are increasing budgets for TPRM, and more than a third now engage with third-party suppliers throughout the cyber-risk remediation process. MSSPs that offer such services will find a potential customer base that is ready to move beyond simply recognizing third-party risk and standing up a TPRM program, to actively running one.
“Organizations this year noted a shift from monitoring to actively reducing risk with vendors,” wrote the authors of BlueVoyant’s The State of Supply Chain Defense: Annual Global Insights Report 2024. “More companies are engaging directly with vendors to manage SLAs, contracts, and penalties for ignoring poor security hygiene, with the main challenge being how to enforce consequences.”
It’s an evolution, with organizations better understanding third-party risk now than five years ago, monitoring more vendors, and including more details in security reports to senior leadership, they wrote, adding that “as such, more mature TPRM programs are looking for ways to automate and operationalize the reduction of risk for their vendors and to integrate detection and response of incidents with the rest of their organizations’ security apparatus.”
TPRM Comes into Focus
TPRM enables organizations to better identify, analyze, and reduce the risks associated with third parties, and business is booming. According to analysts with Future Market Insights, the global market will grow from more than $7.2 billion this year to $24.3 billion by 2034.
It has been on the federal government’s radar for several years. A 2017 report from the U.S. Department of Homeland Security function that is now the Cybersecurity and Infrastructure Security Agency (CISA, established in 2018) said that increased globalization is forcing a “renewed focus on supply chain risk management (SCRM) in the context of national security, its importance to the prosperity of the larger U.S. economy, and its entwined cyber threats.” More recently, protecting the supply chain against cybercriminals and nation-state adversaries has been a key component of the Biden Administration’s broader cybersecurity efforts.
The findings in BlueVoyant’s report show positive trends, according to the New York City-based company. In 2023, 19% of companies said they were engaging with third-party partners through the entire cyber-risk mitigation process. That number jumped to 36% in this year’s survey. In addition, 86% of respondents said their TPRM budgets have increased.
“Organizations now report recognizing the risks posed by their third-party ecosystems and are shifting focus to proactively assisting partners in remediating those risks,” the authors wrote, adding that “this heightened awareness stems from a growing recognition of the crucial role third-party vendors play in an organization’s overall cybersecurity posture.”
MSSPs Have a Role to Play
MSSPs can play an important role in this expanded understanding of TPRM, according to Callie Guenther, senior manager of cyber threat research at Critical Start, a Plano, Texas-based provider of managed detection and response (MDR) solutions. That includes closing gaps in visibility, expertise, and response capabilities. Supply chains are growing more complex and interdependent, and MSSPs bring value to third-party relationships through continuous oversight and assessment, Guenther told MSSP Alert.
“In-house TPRM often lacks specialized cybersecurity skills and the resources needed to keep pace with evolving threats,” she said. “MSSPs bridge these gaps by offering a scalable team of cybersecurity professionals, reducing the strain on internal teams while providing the depth of knowledge required to handle complex supply chain threats. MSSPs also enable organizations to leverage tailored threat intelligence focused on vendor and supply chain risks.”
MSSPs that want to take advantage of the interest in TPRM need to prioritize continuous monitoring, threat intelligence integration, and expertise in sector-specific regulations, allowing them to address both general and industry-targeted risks, particularly in highly regulated spaces.
Not Without Its Challenges
Despite the advances, challenges remain in TPRM, according to BlueVoyant. Those include meeting regulatory requirements, enforcing service-level agreements (SLAs), and deciding on penalties for non-compliance or failures. All of these are made harder by the need to communicate and coordinate effectively with a broad network of suppliers.
Another is ensuring regular reporting to executives and board members, the authors wrote. While more organizations say they’re collaborating with third parties on risk remediation, only 19% are regularly reporting up the chain, a drop from 44% in 2023. That needs to change to ensure companies can more proactively address potential breaches, they wrote.
BlueVoyant recommended that organizations monitor all third-party vendors, increase reporting both across organizational functions and to senior management, apply the same cyber-risk management controls and processes to every tier of vendor rather than only the largest or most critical, and collaborate more closely with third parties to remediate risks.