
Third-Party Improvement
How We Can Help


Following a Capability Assessment, our security consultant will document the findings in a report that clearly scores each area in scope, and will recommend appropriate next steps to improve your security.

Third-party improvements can take many forms:  

  • Spot fixes, such as upgrading policy and standards documents.

  • Significant, multi-layered changes, like developing an assurance function.

  • Building new teams to run foundational processes, such as supplier profiling.  

The key is: be proportionate. We can help you put this into practice and protect your organisation, based on your appetite for risk.

Report Extract


What’s Right for You?

Reducing third-party security risk is often a challenge of scale and complexity, but we can support your improvement decision making. There are four key considerations:


1. Risk Alignment

Understand what your suppliers do and the threats they pose before committing to action. Criteria include: 

  • Customer numbers involved in a service, the nature of data sharing, and overall volumes.

  • Access to your network and systems. 

  • Analysis and modelling against a set of defined risk thresholds to enable supplier tiering – e.g. low, medium, high risk.


2. Socialisation

Suppliers may be used by multiple areas of your organisation. Many opinions will inform the threats posed and corresponding criticality. This includes engagement with the suppliers themselves, who may not be enthusiastic about your improvement plans!


3. Running the Process  

Many third-party processes are carried out every day and can involve teams of people. Success factors include:

  • Engagement with both internal stakeholders and suppliers – vital for processes to run smoothly.

  • Management information – this needs to be in place to enable effective oversight.

  • Strong supervision – only this can provide the ‘glue’ to operate an effective, risk-based service.


4. Budget

  • With a clear view on risks and corresponding actions, you can estimate the likely cost of change and run activities. 

  • This cost view can in turn be used to demonstrate your plan for delivering risk reduction – a business case for improvement.


View Our Case Studies


Helping You Deliver

With an improvement plan defined, you may need some support to deliver the changes required.  

Our blend of consultancy expertise and large resource network of trusted security practitioners allows us to help clients deliver change across the wide scope of third-party security.

 

From updating policies and standards, to developing a supplier assurance function, or even just providing ad hoc technical advice, we will work closely with you to ensure your plans succeed.

Security Consultancy

Bespoke support, from stakeholder management to technical advice.


Security Resources 

Access our industry-leading network of security practitioners.
