According to IBM’s Cost of a Data Breach 2023, two out of every three data breaches originated from an organization’s third party – or as a direct result of attackers. But when attackers reported the breach, it cost organizations $1 million more on average than if they had detected it themselves. One of the industries targeted the most in recent years by attackers is the healthcare industry, which has experienced a 53% rise in costs in data breaches since 2020. The average cost of a data breach in the healthcare industry stands at $10.93 million. One of the best defense mechanisms for organizations to protect themselves against and minimize the damage from data breaches is through a proper IT risk management program. 

A few of the breaches that highlight the need to pay special attention to IT providers were:

  • A major photography and image-sharing company data breach of confidential medical and personal information of their customers by their third-party file transfer software.
  • A leading telecommunications company data breach of personal information and employee credentials by an IT company.
  • An airport had pay and benefit details of its employees compromised through their professional service and management consulting provider.
  • A healthcare association had patient data and sensitive data breached through their debt collection agency.

These breaches illustrate that your organization is susceptible to a security breach even when the attack originates outside your own systems. And if a breach does occur, you can be just as liable for the consequences as if it had occurred on your own systems.

What is IT Risk Management (VRM)?

IT risk management is the process of managing risk in your IT environment, whether from human error or natural disasters. With the global cost of a data breach today reaching $4.5 million, applying IT risk management practices is essential for organizations that need to identify potential threats and proactively defend against security incidents.

Think about all of your organization’s third-party vendor relationships. Of course, you have physical vendors that handle mail, deliver supplies, clean your offices and provide maintenance, etc. These vendors have some access to your organization’s private information and you need to take the necessary steps to protect your information from falling into the wrong hands. 

You also have a varied list of IT vendors that support your daily operations. They process email, store records, maintain credential information, provide cloud processing and handle accounts payable and receivable. The list can be extensive. Each of these IT providers has some level of access to your organization’s IT systems and the information stored there.

A cyberattack occurring against one of your IT vendors immediately puts your organization at risk. Attackers can exfiltrate your data and hold it for ransom. They can attack your clients. Beyond pure financial loss, a successful data breach can expose your organization to GRC (governance, risk and compliance) fines and penalties and result in a serious hit to your reputation.

5 Steps to the Risk Management Process

Proper risk management allows your organization to determine the types of events that might occur, their impact and how your organization would respond to such an event. This paves the road for your organization to reduce risk and maximize its prospects for continued business success.

Organizations that want to put a risk management process in place should follow these steps:

  1. Identify the risk

The first step in IT risk management is to identify the different operational, security, technology, business and even national security risks posed to your data security. With the proliferation of data in the cloud, attack surface monitoring is essential in helping organizations continuously monitor software, hardware and data assets for potential vulnerabilities.

  2. Determine the risk levels

Next, you’ll need to perform risk analysis to determine the risk level of each vulnerability, taking into account the risk tolerance and risk appetite of your organization. For example, operational risks that would bring your consumer-facing business to a halt may be rated higher than minor technology risks due to unpatched vulnerabilities.

  3. Prioritize risks

After determining the risk levels, you’ll need to classify risks as low, medium or high to communicate the risks that require urgent attention to your risk management team. Regulations such as GDPR and the California Consumer Privacy Act (CCPA) require data breaches to be reported within 72 hours. Organizations often rely on risk management software, which frequently integrates with other threat identification tools, to prioritize risks across their infrastructure.

  4. Mitigate risks

Many organizations put various technical, physical and administrative security controls in place to mitigate risk. IT risk mitigation controls include multi-factor authentication, firewalls and anti-virus software, data encryption, keeping software continuously updated, having a patch management program and implementing privileged access management.

  5. Monitor third-party risks

Suppliers go out of business and companies replace their vendors. Managing risk as your supply chain evolves means staying up-to-date with these changes and alerting your security team to potential risks from threat actors.
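Steps 2 and 3 above (determine risk levels, then prioritize) are easiest to see with a small risk register. The following is an added example, not tooling from the article or from Panorays: each risk gets a likelihood and impact estimate on a 1 to 5 scale, the product is banded into low, medium or high, and anything above the organization’s stated risk appetite is marked for mitigation rather than acceptance. The thresholds, the scales, the `Risk` class and the sample register entries are all constructed assumptions for this illustration.

```python
"""Risk register scoring and prioritization (added example, not the article's own tooling).

Scoring model (assumption): score = likelihood * impact, each on a 1..5 scale, so
the score ranges from 1 to 25. Band thresholds and the risk appetite value are
illustrative choices; a real program would take them from its risk policy.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed band thresholds: score <= 5 is low, <= 12 is medium, anything higher is high.
BAND_THRESHOLDS = {"low": 5, "medium": 12}


@dataclass(frozen=True)
class Risk:
    asset: str                          # what is exposed
    threat: str                         # how it could be harmed
    likelihood: int                     # 1 (rare) .. 5 (almost certain), assessor's estimate
    impact: int                         # 1 (negligible) .. 5 (halts the business)
    third_party: Optional[str] = None   # vendor that introduces the exposure, if any

    def __post_init__(self) -> None:
        # Reject estimates outside the agreed scale so a typo cannot silently skew ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Step 3: map a numeric score onto the low / medium / high classification."""
    if score <= BAND_THRESHOLDS["low"]:
        return "low"
    if score <= BAND_THRESHOLDS["medium"]:
        return "medium"
    return "high"


def prioritize(register: List[Risk], risk_appetite: int) -> List[dict]:
    """Steps 2 and 3: rank risks by score, band them and decide the treatment.

    risk_appetite is the highest score the organization is willing to simply accept;
    everything above it needs a mitigation decision.
    """
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "level": band(r.score),
            "treatment": "accept" if r.score <= risk_appetite else "mitigate",
            "monitor_vendor": r.third_party,   # feeds step 5, third-party monitoring
        }
        for r in ranked
    ]


def urgent(register: List[Risk], risk_appetite: int) -> List[dict]:
    """Only the high-band entries, i.e. what gets escalated to the risk management team."""
    return [row for row in prioritize(register, risk_appetite) if row["level"] == "high"]


# Constructed sample register mirroring the article's example: an operational risk that
# halts consumer-facing business outranks a minor unpatched-software risk.
SAMPLE_REGISTER = [
    Risk("customer portal", "hosting vendor outage halts online sales", 3, 5, "hosting provider"),
    Risk("internal wiki", "unpatched CMS plugin", 4, 1),
    Risk("payroll records", "breach at collections agency handling employee data", 2, 4, "collections agency"),
    Risk("office printers", "out-of-date firmware", 2, 1),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, risk_appetite=4):
        vendor = f" (monitor vendor: {row['monitor_vendor']})" if row["monitor_vendor"] else ""
        print(f"{row['score']:>2} {row['level']:<6} {row['treatment']:<8} {row['asset']}: {row['threat']}{vendor}")
```

The output of `prioritize` is what a risk manager would hand to the team: the list is already ordered by severity, the `level` column is the low/medium/high classification from step 3, and `monitor_vendor` carries the third-party dependency forward into the ongoing monitoring step. Changing `risk_appetite` is how a more or less risk-tolerant organization moves the line between "accept" and "mitigate" without re-scoring anything.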

The Most Common Risk Mitigation Strategies

In addition to various technical, administrative and physical controls, additional security practices to manage risk include:

  • Risk avoidance. Simply avoiding taking the risk. Examples include not opening a new product line or no longer collecting additional personal or customer data that is not vital to the business.
  • Risk transfer. Transferring risk to a third party. For example, cyber insurance allows organizations to transfer risk of a data breach to an insurance provider.
  • Risk modification. The physical, technical and administrative controls security teams put in place help reduce the impact of security incidents.
  • Risk acceptance. Acknowledging the residual risk that remains despite all attempts taken to eliminate or reduce risk.

What are the Different Risk Management Frameworks?

Since cybersecurity risk is a constantly evolving landscape, it is essential that the risk management framework your organization chooses allows for a risk management plan robust enough to successfully identify, manage and mitigate different cyber risks.

The most widely-used frameworks include:

  • COBIT (Control Objectives for Information and Related Technology). An IT governance framework that helps an organization’s senior executives develop an Enterprise Risk Management (ERM) strategy.
  • Essential Eight. This is the risk management framework used by Australian organizations.
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission). The goal of this framework is to foster secure network operations across organizations.
  • FAIR (Factor Analysis of Information Risk). This is an internationally recognized framework that quantifies cyber risk. It states that risk can only be determined if the asset, threat, effect and impact of the threat can be measured.

Managing IT Vendor Risk

It is crucial for organizations to approach security as a two-pronged effort. You have to secure your own resources against attacks, and you also have to reduce the chance of an attack originating from one of your vendors. Every IT third party is a potential entry point into your systems and premises, and each one is a potential security risk. CBI Insight reported that 44% of data breaches are caused by a third party. To help mitigate the potential for a breach caused by an IT third party, you need to establish a strong IT Vendor Security Risk Management program.

Why is Risk Management Important?

A detailed IT risk management program is essential for any organization looking to minimize risk, especially as organizations continually acquire, switch and replace technology, services and infrastructure. Risk managers must conduct continuous risk assessments and implement a risk mitigation plan to detect and identify the new risks inherent in these tools and technologies. Organizations also need to consider the additional possibility of risks from natural disasters such as fires or floods, or the sudden interruption of service due to a change in suppliers, financial challenges or a cybersecurity attack.

A detailed risk management plan helps organizations:

  • Meet regulatory compliance.
  • Meet business objectives.
  • Minimize the likelihood of legal action against your business.
  • Reduce insurance premiums.
  • Streamline business operations and gain a competitive edge.
  • Mitigate damage to your operations and infrastructure and minimize the potential loss of revenue.

What is Included in an Effective IT Risk Management Program?

An effective VRM program should include these steps:

  1. Prioritization: Categorization and ranking of vendors by risk to the organization.
  2. Assessment: Identification of the inherent risk of each relationship.
  3. Engagement: Reporting and explanation of identified security gaps to the vendor.
  4. Remediation: Addressing security gaps by the vendor.
  5. Approval: Evaluation and approval of vendor remediation.
  6. Ongoing monitoring: Continuous monitoring of vendor security posture to identify potential future issues.

Every step in this process is important, but prioritization and assessment are crucial to get right, as they set a baseline for everything that follows. You want to address the vendors most critical to the organization’s IT first. If you don’t do a thorough and proper IT security risk assessment, you will still be leaving your organization open to third-party risk.

How Do You Do an IT Vendor Security Risk Assessment?

After you have categorized and prioritized IT vendors, it’s time to perform your vendor risk assessment. The best vendor risk management tool to help determine your vendor’s security posture – and your attack surface – is the security questionnaire. But you need to be careful when developing your questionnaires. Questionnaires tend to be long and detailed and often include questions that aren’t relevant to that particular vendor. A poorly planned questionnaire will not give you the information you need and might prove frustrating for the vendor. A well-planned questionnaire, however, will be easy for the vendor to complete and will give you sufficient, relevant information to vet the vendor.

How Panorays Can Help

Panorays offers a 360-degree view of your third parties’ security, combining external attack surface assessments with automated, dynamic security questionnaires to help pinpoint their security gaps and discover ways to close them. It rates vendor risk while also taking into consideration the vendor’s business context and your risk appetite. In addition, the platform ensures your suppliers meet the latest regulatory compliance standards such as GDPR, CCPA, NYDFS and SIG, as well as your own internal regulations. The cybersecurity posture assessment evaluates your vendor’s external attack surface, delivering a comprehensive analysis of your vendor’s digital perimeter.

Need assistance with your IT vendor risk management program? Sign up for a free demo today or contact us to learn more.
What is IT risk management?

IT risk management is the process of applying risk management strategies to your IT environment. A proper IT risk management program enables an organization to identify, prioritize and respond to risk according to its risk appetite and risk tolerance. The risk is the exposure of sensitive information such as personal health and PII data, intellectual property and trade secrets.

What is the goal of IT risk management?

The goal of IT risk management is to assess vulnerabilities in the IT infrastructure of an organization to proactively defend against cybersecurity risks. These could include weak passwords, misconfigurations, unpatched vulnerabilities or outdated software. A risk management program also helps communicate the risk management strategy to senior management, streamline business operations and implement the controls and risk management procedures needed to anticipate how the organization would respond to a variety of cyber risks. These risk management policies are intended to minimize business impact in the event of a security incident while ensuring business continuity.

What are the five types of IT risk?

– Physical threats. This might include damage to your physical infrastructure due to natural disasters, fires or floods. Or it could include threats of theft due to vendors who have unauthorized access to your IT infrastructure and computer networks.
– Electronic threats. Malware, phishing and ransomware attacks often arrive by email. Simply clicking on a malicious link can install malware on your IT infrastructure.
– Technology failure. For example, information systems might fail to function or software bugs might render certain systems unavailable.
– Infrastructure failures. Internet connections could be interrupted, disrupting business operations.
– Human error. These are accidental errors that occur from daily use of technology. For example, a poorly trained employee might accidentally delete important data or share customer data with external parties.

What are the main steps of IT risk management?

The main steps of IT risk management are:
1. Identify the risk. Identify the different operational, security, technology, business and even national security risks posed to your security.
2. Determine the risk levels. Evaluate the risk level of each vulnerability, taking into account the risk tolerance and risk appetite of your organization.
3. Prioritize risks. You’ll need to classify risks as low, medium and high to communicate to your risk management team the risks that require urgent attention.
4. Mitigate risks. Determine which technical, physical and administrative security controls to implement to mitigate risk.
5. Monitor third-party risks. Ongoing monitoring ensures you are staying up-to-date with these changes and alerting your security team to potential risks from threat actors.