Getting to the root of the problem: The surge of TPRM tools has automated much of what was once a manual, resource-intensive process. These platforms were developed to simplify the creation, distribution, and completion of security questionnaires, addressing the operational burden organizations often face when conducting third-party risk audits. While they’ve brought much-needed efficiency, they’ve also unintentionally reinforced a checkbox approach to third-party risk, with many assessments falling short in delivering meaningful insight.

And here’s the kicker: None of the core regulatory frameworks, ISO 27001, PCI, NIST CSF, NIST 800-53, or SOC 2, require a security questionnaire process at all.

As Jadee Hanson, CISO at Vanta, puts it: “We received guidance that emphasized compliance over security, and we collectively adopted it without much scrutiny.” In other words, we took loosely defined expectations around oversight and invented the most inefficient, bloated processes imaginable; not because we had to, but because we didn’t know what else to do. In chasing auditability, we lost the plot. Today, TPRM has become a business model that thrives on process over outcomes and optics over effectiveness. It prioritizes fear of penalty over pursuit of real security.

The checkbox mentality ultimately reveals another deep-rooted problem: whether the individuals managing TPRM are actually equipped to assess the risks they’re tasked with evaluating.

Governance, risk, and compliance (GRC) professionals are typically at the helm of TPRM, balancing regulatory demands with cybersecurity goals. But reliance on checkbox compliance raises serious questions about whether these gatekeepers have the necessary specialized training and expertise to truly understand evolving threats and vulnerabilities. This isn’t about their dedication, to be sure. It’s an indictment of a system that values compliance over genuine risk insight. We’ve built a structure that assigns critical cybersecurity responsibilities to individuals who may lack the necessary depth of understanding to assess threats fully.
How to fix third-party risk management: To break away from this harmful cycle, organizations must overhaul their approach to TPRM from the ground up by adopting a truly risk-based approach that moves beyond simple compliance.

This requires developing targeted, substantive security questionnaires that prioritize depth over breadth and get to the heart of a vendor’s security practices. Rather than sending out blanket questionnaires, organizations should create assessments that are specific, relevant, and probing, asking questions that genuinely reveal the strengths and weaknesses of a vendor’s cybersecurity posture. This emphasis on quality over quantity in assessments allows organizations to move away from treating TPRM as a paperwork exercise and back toward its original intent: effective risk management.

Beyond improving questionnaires, organizations must cultivate a culture of transparency and collaboration with their vendors. TPRM works best when it’s a two-way street where vendors are seen as partners in achieving mutual security goals. A collaborative approach encourages honest, accurate responses instead of rushed, superficial checklist completion.

One way to support this transparency is by encouraging vendors to maintain up-to-date Trust Centers, which can provide meaningful, easily accessible data about their security posture. When vendors are treated as active participants in an organization’s cybersecurity posture, they’re more likely to engage in meaningful ways. This culture shift, from seeing vendors as mere service providers to strategic partners, has the potential to transform TPRM from a check-the-box activity into a proactive and effective part of cybersecurity.

Rethinking TPRM means redefining the role of GRC professionals; not as compliance enforcers, but as cybersecurity-informed risk partners. This shift isn’t just about upskilling internally; it’s about creating shared clarity between parties.
As Vanta’s Hanson puts it, “To make this more of a value-added exercise, we should be including signed-off agreements on standard controls and facilitating the exchange of user control considerations … and making sure those are well understood by the buyer.”

That last part is key. Real TPRM isn’t just assessing a vendor’s security; it’s ensuring the buyer knows their responsibilities, too. When both sides understand what they own, the relationship moves from compliance theater to true joint defense.

The checkbox mentality that has taken over TPRM is a problem we created, but it’s also one we have the power to fix. By adopting a more thoughtful, strategic approach to TPRM, organizations can move past the compliance-driven processes that dominate today’s practices. Leaders need to recognize that the current approach is failing us, leaving us open to risks that surface-level compliance was never designed to manage. By challenging the status quo and investing in comprehensive, risk-based strategies, organizations can reclaim TPRM as an essential part of their security programs.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4002765/third-party-risk-management-is-broken-but-not-beyond-repair.html