The Greatest Security Risk Might Be Your TPRM Program Itself

Written By: Bob Maley

In third-party risk management (TPRM), your enemy is usually clear: bad actors, vulnerable vendors, and concentration or cascading risk. However, some threats to your program are less obvious, and sometimes, the greatest third-party security risk is your program itself. 

That’s because your TRPM program is only effective if your processes, technologies, and procedures are sound. For example, if you rely on questionnaires but vendors only partially fill them out because they’re too long, you risk missing important information necessary to safeguard your program. 

The primary goal of TPRM is to mitigate risk within your cyber ecosystem. To do so, however, you need to regularly evaluate your own TPRM program with a critical lens and make adjustments as necessary. Otherwise, your greatest third-party security risk could be gaps in your TRPM program. 

Here are three big questions to ask yourself when evaluating your TPRM program. 

Do My TPRM Processes Allow for Agility?

As vendor ecosystems grow more complex, it becomes harder to predict and manage third-party security risks effectively, requiring more dynamic risk management strategies. However, many third-party risk programs face systemic rigidity. In other words, many TPRM programs are built on strict tools and processes that don’t allow for improvisation when the unexpected occurs. 

For example, an overreliance on standardized assessment tools, such as questionnaires, can create a false sense of security in a dynamic risk environment. What happens if your vendor refuses to fill out your questionnaire? Or decides not to provide any documentation? 

A TPRM program without space for agility (for example, using open-source intelligence to supplement a partially completed questionnaire), can hinder your team from adapting to the rapidly evolving nature of digital threats, leaving organizations vulnerable to new forms of cyber-attacks that were not previously considered. 

It’s important to make sure your team has room to improvise (and feels comfortable doing so!) within your processes to best respond to new and evolving threats.

Do I Trust the Data in My Program?

A good third-party risk program is only as good as its data. When evaluating your TRPM program, consider the integrity of your data sources, the validity of the data you collect, and its completeness. 

For example, relying heavily on self-reported data from third parties can introduce inaccuracies. Third parties may not always provide transparent or updated information, leading to a misjudgment of the actual risk they pose. Consider supplementing vendor-supplied data with cross-verified open-source data.

The stability and predictability provided by traditional risk management practices might also lead to cognitive biases, where decision-makers underestimate risks that appear less likely or outside of their standard frameworks. This is a good time to do a little introspection: Are you making third-party security risk decisions based on experience and qualitative information or based on quantitative factors?

Do I Need to Adjust Specific TPRM Processes, People, or Technologies? 

As cyber threats evolve, they often outpace existing security measures. Third-party vendors may not have the capability or incentive to continually update their defenses against the latest threat vectors, especially sophisticated ones like AI-driven attacks.

This is where I recommend teams apply John Boyd’s concept of “destruction and creation” to their TRPM programs. This concept involves breaking down existing structures (destruction) and reassembling them in new, innovative ways (creation). In practice, this might mean breaking down current risk models and practices into their fundamental components and reassembling them in innovative ways that better address the current threat environment.

Avoid “Hidden Threats” in Your TPRM Program

The threat landscape is dynamic, fast-moving, and chaotic. Security leaders must scrutinize and adapt their own programs when necessary to combat the ever-changing nature of cybersecurity threats, or risk missing deeper systematic security issues or novel threats.

If you want to hear more about some of these “hidden threats” of third-party risk management, check out the replay of my webinar with Shared Assessments: “Unveiling the Hidden Risks in Third-Party Risk Management.”