When misalignment becomes a business issue
Australian organisations are increasingly reliant on third-party vendors to deliver critical services across information technology (IT), operational technology (OT), cloud platforms, and managed services. This shift is understandable, as outsourcing enables organisations to scale, access specialist capability, and operate more efficiently.
However, increased reliance on third parties also introduces an often underestimated risk: misalignment between an organisation’s controls and how third parties operate in practice. While many organisations invest heavily in internal policies, procedures, and security controls, those expectations do not always translate effectively into day-to-day third-party arrangements. The Australian Signals Directorate (ASD) has highlighted third-party risk management as a priority area for boards in 2025–26, emphasising its importance within board oversight and risk governance.
Where misalignment occurs in practice
Through our past experience working within the mining industry, we have observed firsthand how misalignment between client and third-party vendor expectations can lead to real operational disruption.
In some cases, mining machinery remained offline for longer than necessary — not due to equipment failure, but because accountability and contractual responsibilities between the client and service providers were unclear or contested. This lack of clarity delayed decision-making, extended shutdown periods, and increased operational and financial impact.
We have also observed situations where the organisation operated under a defined IT control framework, while third-party contractors supporting OT environments relied on separate processes and dedicated infrastructure, including standalone networks to enable remote access solutions such as Citrix.
Where these environments were not designed or governed with alignment in mind, it created ambiguity around system ownership, access approvals, and support responsibilities. In practice, this resulted in delayed system restoration, operational inefficiencies, and an increased reliance on informal workarounds.
From operational disruption to cyber risk
From a cyber and operational risk perspective, these scenarios demonstrate how misaligned processes, responsibilities, and technical environments across organisational boundaries can significantly increase the impact of incidents.
In both IT and OT environments, misalignment can:
- Slow incident detection, response, and recovery
- Increase the likelihood of control gaps being exploited
- Extend outages and operational disruption
- Increase financial loss and the risk of data exposure
As cyber security consultants, we notice the same pattern across industries. Both clients and third parties often believe appropriate controls are in place, yet those controls break down at organisational boundaries — particularly where ownership, accountability, and operational practices have not been clearly defined, agreed, validated, and implemented in practice.
Common cybersecurity issues in third-party IT and OT arrangements
Across industries, a consistent set of cybersecurity issues can be observed in third-party IT and OT environments. While these issues may involve individual control gaps, they also commonly arise where there is misalignment between organisations and their service providers.
Common issues include:
- Unclear ownership and accountability for security controls
- Inconsistent IT and OT security frameworks
- Over-privileged or persistent third-party access
- Limited visibility over third-party control effectiveness
- Misalignment in incident response and recovery responsibilities
Understanding these issues is a critical first step in managing third-party cyber risk effectively.
What good third-party risk management looks like
Addressing third-party cyber risk requires more than standalone technical controls. Effective management focuses on:
- Clear ownership and accountability across organisational boundaries
- Alignment between organisational policies and third-party practices
- Assurance that controls operate as intended in practice
- Ongoing visibility over critical third-party relationships
As regulatory expectations increase and environments become more interconnected, organisations need stronger assurance that third-party risks are genuinely understood and managed.
How RSM security & privacy can help
Managing third-party cyber risk across IT and OT environments requires more than standalone technical controls. It requires clear governance, aligned responsibilities, and assurance that security controls operate effectively across organisational boundaries.
RSM security & privacy supports organisations in identifying, assessing, and managing third-party cyber risk in a practical and proportionate way, aligned with operational realities and regulatory expectations.
RSM can assist through the following services:
- Third-party cyber risk assessments
- Third-party risk management framework design and review
- IT and OT access and architecture reviews
- Contractual and due diligence support
- Ongoing assurance and operational support
What will you do?
Third-party providers often play a critical role in enabling organisations to operate effectively across IT and OT environments. While these relationships deliver clear commercial and operational value, they can also introduce significant risk if roles, responsibilities, and controls are not clearly defined and consistently applied.
By focusing on alignment — not just policy — organisations can reduce disruption, improve resilience, and strengthen confidence in how third-party cyber risks are managed in practice.