Setting Boundaries: How to Define and Enforce Third-Party Cyber Risk Tolerance
The article notes that third-party vendors are critical to enterprise operations but that the cyber risk they introduce is growing; traditional annual assessments are no longer enough to keep pace with the threat, and third-party security must be managed through explicitly defined risk tolerance and continuous monitoring to protect data and reputation and ensure business resilience. 2025-6-30 13:00:00 Author: www.guidepointsecurity.com

Vendors play a critical role in scaling operations and delivering innovation—but their integration must be balanced with a clear understanding of cyber risk exposure. As cyber threats become increasingly sophisticated, it’s no longer sufficient to evaluate third parties annually and hope for the best. Defining clear, enforceable cyber risk tolerance levels for your third parties helps protect your data, reputation, and operations.

By the numbers

In 2025, third-party cyber risk has remained a critical concern for organizations across all sectors due to compromised credentials, poor patching, or weak access controls. The increasing reliance on external vendors and service providers has expanded the digital attack surface, making it imperative to proactively address third-party risk tolerance. These statistics reveal a stark reality: even organizations with robust internal security measures are vulnerable if their third-party partners lack adequate safeguards.

  • 48% of data breaches in 2024 were attributed to vulnerabilities in third-party vendor access, particularly in sectors like healthcare. (Source)
  • 61% of companies experienced a third-party data breach or cybersecurity incident in the past year, marking a significant 49% increase over the previous year. (Source)

Why Third-Party Cyber Risk Tolerance Is Critical

Organizations must set precise thresholds for what’s acceptable from a cyber hygiene standpoint. That’s where risk tolerance comes in. Clear governance allows teams to effectively communicate expectations to vendors, prioritize oversight, and know when a relationship needs to be paused, escalated, or re-evaluated.

The consequences are real, ranging from data loss and lost revenue to reputational damage, regulatory scrutiny, and fines. Organizations must implement rigorous vendor assessments and ensure continuous monitoring of third-party security practices to mitigate potential threats, maintain operational resilience, and uphold stakeholder trust.

From Due Diligence to Daily Defense

Cyber risk tolerance for third parties must move beyond check-the-box due diligence. Instead, organizations need:

  • Defined risk categories (e.g., data access, control environment, certifications)
  • Quantifiable thresholds (e.g., minimum security score, incident history, SLA compliance)
  • Enforcement mechanisms (e.g., contractual penalties, auto-escalations, offboarding protocols)

Practical Third-Party Risk Tolerance Statements

Clear, measurable cyber risk tolerance statements turn abstract policy into practical decision-making tools. They are internal risk guardrails that help security teams prioritize threats, avoid confusion, and know when and how to act.

Examples might include:

  • “Vendors must maintain a BitSight security rating above 750. A drop below 700 for 30+ days triggers a formal risk review.”
  • “Vendors without SOC 2 or ISO 27001 certification must have compensating controls and an annual reassessment on file.”
  • “Third-party apps with access to PII must undergo penetration testing annually. Noncompliance results in integration suspension.”

Building a Third-Party Tolerance Framework

  • Classify Vendors by Risk Tier
    High-impact vendors should have tighter thresholds. Map tolerance levels to vendor tiers (e.g., critical, high, moderate, low).
  • Set KPIs/KRIs Per Tier
    Track metrics like open critical vulnerabilities, average remediation time, security score trends, and compliance violations.
  • Tie Tolerances to Escalation Paths
    Ensure there’s a clear process for reviewing, escalating, or terminating vendors that exceed risk tolerance levels.
  • Align Legal and Procurement Teams
    Contractual language should reflect your tolerance framework and ensure enforceability.
  • Monitor and Refresh
    Integrate third-party monitoring tools to track security posture continuously and adjust tolerances based on emerging risks.
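The tolerance statements above and the tier, KRI and escalation steps of the framework, expressed as policy-as-code so a monitoring job can evaluate each vendor daily. This is an added example, not GuidePoint's or any vendor's tooling; the per-tier thresholds, the BitSight-style numeric rating history, the 365-day pen-test window and the sample vendor are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Per-tier guardrails, constructed for this example:
# (required rating, review floor, consecutive days below the floor before a formal review)
TIER_THRESHOLDS = {"critical": (750, 700, 30), "high": (700, 650, 30), "moderate": (650, 600, 45)}
ACCEPTED_CERTS = {"SOC 2", "ISO 27001"}

@dataclass
class Vendor:
    tier: str
    ratings: dict                 # date -> daily external security rating (BitSight-style scale)
    certifications: set
    compensating_controls: bool   # documented compensating controls on file
    handles_pii: bool
    last_pentest: Optional[date]

def consecutive_days_below(ratings, floor, as_of):
    """Count consecutive days ending at as_of with a rating below floor."""
    days, day = 0, as_of
    while ratings.get(day, floor) < floor:   # a day with no rating ends the streak
        days += 1
        day -= timedelta(days=1)
    return days

def evaluate(vendor, as_of):
    """Apply the tolerance statements; returns (action, findings), action in ok/review/suspend."""
    minimum, floor, window = TIER_THRESHOLDS[vendor.tier]
    findings, action = [], "ok"
    current = vendor.ratings.get(as_of)
    if current is None or current < minimum:
        findings.append(f"rating {current} is below the {vendor.tier}-tier minimum of {minimum}")
    if consecutive_days_below(vendor.ratings, floor, as_of) >= window:
        findings.append(f"rating below {floor} for {window}+ days: formal risk review")
        action = "review"
    if not (vendor.certifications & ACCEPTED_CERTS) and not vendor.compensating_controls:
        findings.append("no SOC 2 / ISO 27001 and no compensating controls on file: review")
        action = "review"
    if vendor.handles_pii and (vendor.last_pentest is None or (as_of - vendor.last_pentest).days > 365):
        findings.append("PII access without a pen test in the last year: suspend integration")
        action = "suspend"   # the strongest enforcement outcome wins
    return action, findings

def sample_vendor():
    """Constructed critical-tier vendor whose rating slid from 760 to 690 thirty-five days ago."""
    today = date(2025, 6, 30)
    ratings = {today - timedelta(days=i): (690 if i < 35 else 760) for i in range(60)}
    return Vendor("critical", ratings, {"SOC 2"}, False, True, date(2025, 1, 15)), today
```

Running `evaluate(*sample_vendor())` yields a `review` action with two findings: the rating is under the tier minimum and has sat below the 700 floor for longer than the 30-day window.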

Make Vendor Risk Tolerance the Standard

Risk tolerance is about enabling secure, sustainable partnerships. When third-party tolerance thresholds are well-defined and actively enforced, your business can move faster without losing visibility or control.

Want to improve your third-party cyber risk oversight?

Learn more about Cyber Risk Culture, Appetite and Tolerance. If you want to strike while the iron is hot, talk to GuidePoint Security about building a program that protects your business beyond your walls.


Will Klotz

Senior Security Consultant, Risk,
GuidePoint Security

Will Klotz is a Senior Security Consultant with over a decade of experience building and leading cybersecurity and risk management programs across a range of industries, including banking, fintech, federal, insurance, healthcare, and software. Since entering the security field in 2010, Will has developed and implemented enterprise-wide frameworks for information security, third-party risk, policy exception handling, and AI risk governance.

He has hands-on experience with a wide array of technologies, ranging from firewalls and endpoint detection to SIEMs and email security, and has delivered risk and compliance initiatives across global organizations. Will’s work spans major regulatory and industry frameworks including PCI DSS, HITRUST, GDPR, NIST, ISO, SOC 2, SOX, and FDIC guidelines.

Will holds an MBA and is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and FAIR-certified risk analyst, among other credentials. He is passionate about translating complex security and regulatory challenges into clear, actionable strategies that drive business value.


Source: https://www.guidepointsecurity.com/blog/setting-boundaries-how-to-define-and-enforce-third-party-cyber-risk-tolerance/