{"id":3611,"date":"2025-06-19T10:00:00","date_gmt":"2025-06-19T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3611"},"modified":"2025-06-19T10:00:00","modified_gmt":"2025-06-19T10:00:00","slug":"third-party-risk-management-is-broken-but-not-beyond-repair","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3611","title":{"rendered":"Third-party risk management is broken \u2014 but not beyond repair"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Robust cybersecurity frameworks are critically important, and third-party risk management (TPRM) was once a central component of these defense strategies. Based on how it\u2019s practiced today, that time has passed.<\/p>\n

Originally conceived as a proactive measure to safeguard sensitive data and strengthen digital infrastructures against external risks, TPRM<\/a> has devolved into a checkbox exercise that values form over substance.<\/p>\n

This transformation from meaningful evaluation to superficial compliance isn\u2019t just a failure of purpose; it\u2019s an invitation to cyber threats. But let\u2019s be clear: This is a mess we all helped create.<\/p>\n

[ See also: \u201cThird-party risk management can learn a lot from the musk ox<\/a>\u201d ]<\/strong><\/p>\n

The security industry, in trying to align with business expectations, deferred too often to audit-driven frameworks. Auditors, in turn, prioritized documentation and repeatability over real-world security outcomes. The result? We hollowed out TPRM\u2019s original purpose and built an entire industry on the illusion of security.<\/p>\n

Checkbox culture: Symptom of a larger cybersecurity issue<\/h2>\n

This \u201ccheckbox mentality\u201d has become a self-imposed burden within TPRM and a symptom of a larger problem in cybersecurity risk management<\/a>.<\/p>\n

TPRM and security questionnaires were originally developed to ensure thorough vetting of third-party relationships and genuine risk mitigation. But these tools have expanded into complex, redundant, and sometimes nonsensical documents that are more about optics than protection. Rather than adding value, they often serve as bureaucratic gestures toward compliance, adding little insight into real risks.<\/p>\n

The irony is that this auditing process has led to a false sense of security. Companies believe that by completing these checklists, they\u2019ve covered their bases when in reality they\u2019re still exposed to risks these processes were designed to mitigate. This isn\u2019t just ironic; it\u2019s reckless, and we allowed it to happen.<\/p>\n

The consequences of this checkbox culture extend beyond ineffective risk management and have led to \u201cquestionnaire fatigue\u201d among vendors. In many cases, security questionnaires are delivered as one-size-fits-all templates, an approach that floods recipients with static, repetitive questions, many of which aren\u2019t relevant to their specific role or risk posture.<\/p>\n

Without tailoring or context, these reviews become procedural exercises rather than meaningful evaluations. The result is surface-level engagement, where companies appear to conduct due diligence but in fact miss critical insights. Risk profiles end up looking complete on paper while failing to capture the real-world complexity of the threats they\u2019re meant to address.<\/p>\n

Getting to the root of the problem<\/h2>\n

The surge of TPRM tools has automated much of what was once a manual, resource-intensive process. These platforms were developed to simplify the creation, distribution, and completion of security questionnaires, addressing the operational burden organizations often face when conducting third-party risk audits. While they\u2019ve brought much-needed efficiency, they\u2019ve also unintentionally reinforced a checkbox approach to third-party risk, with many assessments falling short in delivering meaningful insight.<\/p>\n

And here\u2019s the kicker: None of the core regulatory frameworks \u2014 ISO 27001, PCI, NIST CSF, NIST 800-53, or SOC 2 \u2014 require a security questionnaire process at all.<\/p>\n

As Jadee Hanson<\/a>, CISO at Vanta<\/a>, puts it: \u201cWe received guidance that emphasized compliance over security, and we collectively adopted it without much scrutiny.\u201d In other words, we took loosely defined expectations around oversight and invented the most inefficient, bloated processes imaginable; not because we had to, but because we didn\u2019t know what else to do. In chasing auditability, we lost the plot. Today, TPRM has become a business model that thrives on process over outcomes and optics over effectiveness. It prioritizes fear of penalty over pursuit of real security.<\/p>\n

The checkbox mentality ultimately reveals another deep-rooted problem: whether the individuals managing TPRM are actually equipped to assess the risks they\u2019re tasked with evaluating.<\/p>\n

Governance, risk, and compliance (GRC)<\/a> professionals are typically at the helm of TPRM, balancing regulatory demands with cybersecurity goals. But reliance on checkbox compliance raises serious questions about whether these gatekeepers have the necessary specialized training and expertise to truly understand evolving threats and vulnerabilities. This isn\u2019t about their dedication, to be sure. It\u2019s an indictment of a system that values compliance over genuine risk insight. We\u2019ve built a structure that assigns critical cybersecurity responsibilities to individuals who may lack the necessary depth of understanding to assess threats fully.<\/p>\n

How to fix third-party risk management<\/h2>\n

To break away from this harmful cycle, organizations must overhaul their approach to TPRM from the ground up by adopting a truly risk-based approach that moves beyond simple compliance.<\/p>\n

This requires developing targeted, substantive security questionnaires that prioritize depth over breadth and get to the heart of a vendor\u2019s security practices. Rather than sending out blanket questionnaires, organizations should create assessments that are specific, relevant, and probing, asking questions that genuinely reveal the strengths and weaknesses of a vendor\u2019s cybersecurity posture. This emphasis on quality over quantity in assessments allows organizations to move away from treating TPRM as a paperwork exercise and back toward its original intent: effective risk management.<\/p>\n

Beyond improving questionnaires, organizations must cultivate a culture of transparency and collaboration with their vendors. TPRM works best when it\u2019s a two-way street where vendors are seen as partners in achieving mutual security goals. A collaborative approach encourages honest, accurate responses instead of rushed, superficial checklist completion.<\/p>\n

One way to support this transparency is by encouraging vendors to maintain up-to-date Trust Centers, which can provide meaningful, easily accessible data about their security posture. When vendors are treated as active participants in an organization\u2019s cybersecurity posture, they\u2019re more likely to engage in meaningful ways. This culture shift, from seeing vendors as mere service providers to strategic partners, has the potential to transform TPRM from a check-the-box activity into a proactive and effective part of cybersecurity.<\/p>\n

Rethinking TPRM means redefining the role of GRC professionals; not as compliance enforcers, but as cybersecurity-informed risk partners. This shift isn\u2019t just about upskilling internally, it\u2019s about creating shared clarity between parties. As Vanta\u2019s Hanson puts it, \u201cTo make this more of a value-added exercise, we should be including signed-off agreements on standard controls and facilitating the exchange of user control considerations \u2026 and making sure those are well understood by the buyer.\u201d<\/p>\n

That last part is key. Real TPRM isn\u2019t just assessing a vendor\u2019s security; it\u2019s ensuring the buyer knows their responsibilities, too. When both sides understand what they own, the relationship moves from compliance theater to true joint defense.<\/p>\n

The checkbox mentality that has taken over TPRM is a problem we created, but it\u2019s also one we have the power to fix. By adopting a more thoughtful, strategic approach to TPRM, organizations can move past the compliance-driven processes that dominate today\u2019s practices. Leaders need to recognize that the current approach is failing us, leaving us open to risks that surface-level compliance was never designed to manage. By challenging the status quo and investing in comprehensive, risk-based strategies, organizations can reclaim TPRM as an essential part of their security programs.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Robust cybersecurity frameworks are critically important, and third-party risk management (TPRM) was once a central component of these defense strategies. Based on how it\u2019s practiced today, that time has passed. Originally conceived as a proactive measure to safeguard sensitive data and strengthen digital infrastructures against external risks, TPRM has devolved into a checkbox exercise that […]<\/p>\n","protected":false},"author":0,"featured_media":3612,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3611"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3611"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3612"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}