18 OCTOBER 2017 Consulting®
In this way, cybersecurity concerns have elevated vendor risk management activities to a new level while illustrating the extent to which cybersecurity issues spill into seemingly every key component of organizational strategy.
Becker confirms that companies are asking consulting firms to “create a holistic, comprehensive approach encompassing the overall business strategy with the cybersecurity strategy.” Becker also notes that consulting firms are increasingly responding to these needs with offerings that “help clients develop a comprehensive cybersecurity strategy that reduces risk, creates awareness and develops plans for incident response and business continuity in case of attack.”
Third- and fourth-party risk
As more companies invest in cloud technology, more information assets are stored externally (via hosted solutions). As a result, greater
portions of organizational cybersecurity effectiveness rely on vendors’ security capabilities.
The growing use of digital collaboration also
gives network access to more external partners.
“Enterprises now have an expanding attack surface because of the vast number of third parties
that have some degree of access to their network and/or their data,” says Fuhrman.
These conditions and risks have client
companies asking for more assistance with
adapting their vendor risk management programs to the digital age.
Wheeler recalls a recent discussion with a financial services company that centered on “fourth-party risk.” Some of the company’s larger vendors use vendors that also manage the company’s data. “Their concern centered on the smaller, fourth parties,” Wheeler says. “They wanted to get better visibility into whether those smaller vendors are resilient to ransomware and able to withstand a DDoS attack as well as the kinds of threats we’ve seen in the past 18 months.”
Given the quickly changing nature of cyber threats, that visibility into third- and fourth-party security risks has an increasingly important timing component. A few years ago, VRM primarily consisted of manual activities: having vendors fill out questionnaires or self-assessments, and visiting the sites of a handful of key vendors. “Those types of assessments are still happening,” says Deloitte’s Mossburg, “but we’re also seeing more organizations trying to do some type of real-time monitoring of their third parties.”
The skills shortage is real—and driving innovation.
Access to cybersecurity skills remains a major challenge for most companies. Most businesses rely on IT and many organizations are in
the process of digitizing their primary modes of
creating value, Deutscher points out, “but few
of them have the scale or the brand to attract
and retain top cyber security professionals.”
That raises tough questions in terms of which
aspects of cybersecurity companies should seek
to source with full-time employees and which
areas they should source to external partners.
Wheeler also describes talent as a top cybersecurity challenge moving forward. He reports that the skills shortage is nudging more client companies to 1) look at how they can consolidate the number of security technologies and vendors that they’re currently using; and 2) deploy new methods (e.g., machine learning) to “automate and orchestrate” their responses to security incidents and risks.
Skills shortages, constantly changing risks, rapid technological change – many of the factors defining the current state of cybersecurity consulting also ensure that the challenges companies face in securing their digital assets will persist for years, if not longer. As companies increase their spending on cyber-related products and services, they likely will become much more attuned to the degree to which those investments are securing valuable returns.