The CISO’s Perspective: Third-Party Risk Management

Community Blog
Written by Collin Lingo

MAY 12, 2022

Where are we headed? What’s next? Often, these questions go without singular, acute or focused answers. But now, with the Leadership Perspective Survey-gathered input and wisdom of nearly 1,000 Chief Information Security Officers from organizations across the globe, top goals and priorities take shape. Not least among them, Third-Party Risk Management.

Frequently placed in the top ten priorities for CISOs, Third-Party Risk Management (TPRM) is a necessary but broad concept; often used to describe any and all of an organization’s efforts to defend itself from the possible breach of a business partner’s network.

Today, TPRM ranks in the top two priorities for CISOs overall, coming second only to Cloud Security. 

Most executives (85%) see third-party defense practices as an all-but-required risk mitigation measure. Meanwhile, nearly half of the executives surveyed (47%) hope to see it improve the efficiency of business operations.

But it isn’t always easy keeping up with the innumerable vulnerabilities of partner organizations. One third of CISOs surveyed call the “quickly changing landscape” their paramount TPRM hurdle. Most CISOs (47%), however, say their primary issue is a “lack of resources.”

“Should we do surveys,” one CISO asked, searching for a starting point. “If we are supposed to do surveys, is there a tool for that? Or, are we going to start having a security attestation for third parties and vendors?”

For now, these solutions remain hypothetical for many. But the need to manage and account for the security of our organizations' third-parties is real. In fact, it’s so real that, in 2022, CISOs are planning to invest heavily fighting the results of poorly-managed third-party relationships.

According to research, CISOs placed “vendor risk management” 6th on a list of top spend areas for 2022 (outranked by Cloud Security; Data Loss Prevention; IAM/Multi-Factor Authentication; Governance, Risk & Compliance; and Application Security).

Below, you’ll find a breakdown of how Evanta CISO communities have ranked this investment priority and the timeline for when they plan to invest.

Third Party Risk Management will be a topic on the agenda at the below CISO Executive Summits this spring: 

Dallas CISO Executive Summit on May 17th

Chicago CISO Executive Summit on May 24th

St. Louis CISO Executive Summit on June 14th

There are always opportunities to discuss risk management with your CISO peers. See the upcoming gatherings across Evanta CISO communities here.

Collin Lingo headshot

Collin Lingo

Content Manager at Evanta, a Gartner Company


by CISOs, for CISOs

Join the conversation with peers in your local CISO community.