Remediation Over Ratings – Achieving Third-Party Cyber Risk Reduction

By Leigh Glasper, Director, Cyber Advisory at BlueVoyant

The most effective third-party risk management (TPRM) programmes prioritise risk remediation alongside risk identification. While security ratings services (SRS) have long focused on risk identification, the burden of curation and remediation has traditionally fallen on the customer.  

In the past, default solutions to the challenge of reducing third-party cyber risk have centred on SRS, which draw on multiple data streams to assign each third party a rating or score intended to illustrate the cyber security posture of an organisation's third-party ecosystem.

In theory, this enables the prime organisation to prioritise risk mitigation and governance in specific vendors. However, it does not provide any direct support to address false positives or aid vendors’ remediation challenges. 

While SRS have long served to monitor organisations' cyber security posture, they also have a number of notable limitations that true risk reduction solutions have moved beyond. Modern businesses focused on third-party cyber risk reduction require a more comprehensive solution: one that fully manages risk by rapidly identifying and resolving critical cyber security issues in the third-party ecosystem.

As a result, enterprises need best-in-class security programmes that deliver measurable cyber risk reduction through effective and integrated remediation activities.

Accuracy is Everything

Effective remediation requires precise, validated data to ensure that both risks and the “footprint,” or attack surface, of a company are accurately identified and evaluated. This ensures that nothing is overlooked and that identified risks present a real threat.  

SRS typically rely on unverified data sources. Without human analysts to validate risk findings and company footprints, these services often generate many false positives. This leads to information overload and ‘alert fatigue’ as client organisations spend valuable time sifting through inaccurate data.

Organisations often receive a low security rating due to perceived vulnerabilities that, upon investigation, are found to not even be within their attack surface. This diverts attention and resources away from real threats and strains relationships with third-party vendors, who may be unfairly flagged.  

Context Matters

Understanding the context of a vulnerability is also crucial for effective remediation. A vulnerability that poses a significant risk in one environment may be less critical in another, which is why every organisation has its own unique risk tolerance based on business need and operational criticality.  

SRS apply a generic assessment model across all vendors. This one-size-fits-all approach fails to account for the specific business processes and critical importance of certain vendors within a supply chain. A financial institution, for example, has vastly different third-party criticality needs compared to a healthcare provider. 

Effective and appropriate risk reduction requires tailored assessments that consider the unique context and criticality of each vendor within the third-party ecosystem.  

Guided Mitigation

The most significant drawback of SRS solutions is the lack of actionable guidance they provide for mitigation once a risk is identified. SRS load customers with risk findings but leave the task of acting on that information to the customer. This includes validating escalated risks, prioritising findings, and developing action plans — while also ensuring effective communication and collaboration with third parties.  

This all adds further stress to the customer’s workload and creates friction with third-party vendors, especially when false positives are involved. The strain on business relationships can be particularly intense if a risk turns out to be unfounded.  

Consider the impact on a vendor that is told to remediate a cyber risk but is not provided the telemetry or accuracy of data to quickly and efficiently identify the asset and mitigate the risk through targeted remediation activity. Not all vendors will act to mitigate a risk, even one as simple as an open port, unless they receive specific instructions on how to address and resolve the issue.  

Modern Solutions Focus on Remediation

To move beyond the limitations of traditional security ratings services, businesses need robust TPRM programmes, which can be supported by modern solutions that prioritise data validity, offer proportionate and prioritised remediation assistance, and measurably reduce risk across the entire third-party ecosystem.

Leading TPRM solutions should actively assist in guided remediation by communicating directly with vendors, ensuring that vulnerabilities are promptly addressed and reducing the window in which potential threat actors can exploit them.

By providing clear, actionable guidance, TPRM providers can help organisations prioritise and address vulnerabilities effectively, ensuring that resources are focused on genuine risks. 

Accurate Monitoring and Real-Time Updates

A comprehensive third-party cyber risk monitoring programme should also feature continuous monitoring and real-time updates, ensuring that zero-day vulnerabilities and emerging threats are quickly identified and managed.

This proactive approach significantly reduces the lag time associated with traditional SRS, providing greater defence and resilience against evolving cyber threats, driving measurable risk reduction and minimising the risk of exploitation.  

Tailored Risk Thresholds

Good remediation needs effective prioritisation, which should consider each organisation’s unique operational needs and risk tolerance. A robust third-party cyber risk offering enables organisations to create tailored risk thresholds that consider the specific business processes and critical importance of each vendor within the supply chain.  

By considering the context and criticality of each vendor, external security teams can provide increasingly actionable insights, helping internal teams to save time and more effectively deploy resources.  
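As an added example (not from the article or from BlueVoyant), the prioritisation logic that the Accuracy, Context and Tailored Risk Thresholds sections argue for, in Python: findings whose asset is not in a vendor's analyst-validated footprint are set aside as likely false positives, and the remainder are scored against a threshold tailored to the vendor's criticality tier. The tier weights, thresholds, vendor names and findings are constructed placeholders, not values from any real programme.

```python
from dataclasses import dataclass

# Constructed values: criticality weight per vendor tier, and the tailored
# score (severity x weight) a finding must reach before it is escalated.
TIER_WEIGHT = {"critical": 3.0, "important": 2.0, "standard": 1.0}
ESCALATION_THRESHOLD = {"critical": 9.0, "important": 10.0, "standard": 7.0}

@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str
    footprint: frozenset  # analyst-validated assets attributed to this vendor

@dataclass(frozen=True)
class Finding:
    vendor: str
    asset: str
    issue: str
    severity: float  # CVSS-style base score, 0 to 10

def prioritise(findings, vendors):
    """Split raw findings into (escalate, deferred, discarded): escalated
    findings are in the validated footprint and score at or above the
    vendor's tailored threshold (sorted by score); deferred are real but
    below it; discarded are assets not attributed to that vendor."""
    by_name = {v.name: v for v in vendors}
    escalate, deferred, discarded = [], [], []
    for f in findings:
        v = by_name.get(f.vendor)
        if v is None or f.asset not in v.footprint:
            discarded.append((f, "asset not in validated footprint"))
            continue
        score = f.severity * TIER_WEIGHT[v.tier]
        if score >= ESCALATION_THRESHOLD[v.tier]:
            escalate.append((f, score))
        else:
            deferred.append((f, score))
    escalate.sort(key=lambda pair: pair[1], reverse=True)
    return escalate, deferred, discarded

# Constructed sample data: two vendors and four raw findings from a feed.
VENDORS = [
    Vendor("PayProc", "critical", frozenset({"pay.example", "api.pay.example"})),
    Vendor("MailCo", "standard", frozenset({"mail.example"})),
]
FINDINGS = [
    Finding("PayProc", "api.pay.example", "TLS 1.0 enabled", 5.3),
    Finding("PayProc", "old-pay.example", "RDP exposed", 9.8),  # not in footprint
    Finding("MailCo", "mail.example", "SMTP open relay", 9.8),
    Finding("MailCo", "mail.example", "Expired certificate", 5.3),
]
```

Running `prioritise(FINDINGS, VENDORS)` escalates the PayProc TLS finding ahead of the MailCo open relay, defers the MailCo certificate, and discards the RDP finding because the asset was never attributed to PayProc.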

SRS-Only Model No Longer Fit for Purpose

The third-party cyber risk management landscape is shifting to focus on remediation and actual risk reduction, moving beyond mere risk identification and ratings. By focusing on actionable insights and tailored remediation efforts, modern solutions make it easier for organisations to measurably reduce their supply chain risks and secure their partner ecosystems.