Third Party Podcast Recap: The Third-Party Cyber Risk Problem No One Talks About
By: Laurie Asmus
There’s a new podcast in town and it’s pulling back the curtain on third-party cyber risk. The Third Party Podcast is for the people who don’t need to ask ChatGPT what TPRM means. The ones behind the dashboards managing 5,000 vendors with a team of three. The ones who have to explain cyber vendor risk to someone who only speaks in dollars and downtime.
Third Party is on a mission to pull risk out of the shadows and strip away the jargon, noise, and black-box tools that leave leaders guessing. Hosted by industry veterans Jeffrey Wheatman, Ferhat Dikbiyik, and Bob Maley, the Third Party Podcast is built for risk management professionals who just need clarity. Who are tired of meaningless scorecards and black-box tools. Who need candid conversation, sharp insights, and an honest look at what actually works (and what definitely doesn’t) in TPRM.
In the first episode, The Third-Party Cyber Risk Problem No One Talks About, we dive straight into an uncomfortable truth. Third-party breaches are your biggest threat. Data from our 2025 Third-Party Breach Report shows they continue to rise, causing financial and reputational damage at an alarming rate.
But the real problem isn’t the breaches themselves. It’s the fact that organizations are spending time and money on a process that isn’t actually making them safer.
The vast majority of TPRM programs are fundamentally flawed, ineffective, and give you a false sense of security.
The Real Problem in TPRM: Security Theater Over Substance
Your current TPRM program probably feels like it’s working. You send out questionnaires, get back risk scores, and file reports. You’ve checked the boxes for compliance, audits, and management. It’s a textbook example of security theater.
But what if those scores are meaningless?
The conversation on the podcast points to a few critical flaws in this approach.
Watch the full Third Party Podcast episode: The Third-Party Cyber Risk Problem No One Talks About.
Top Challenges in Traditional TPRM Programs:
- Flawed Metrics: Arbitrary Scores
Most programs rely on arbitrary scores and point-in-time questionnaires. As Ferhat explains, a score is just the “average of averages.” It can give a B to a vendor with a critical, unpatched vulnerability, or an F to a vendor with well-managed risks. It’s like judging the depth of the Susquehanna River by its average of three feet—you don’t see the 30-foot deep trenches until you fall into one.
- Lack of Contextual Intelligence
A score of “B” tells you nothing. It doesn’t tell you the real danger, like an unpatched server targeted by ransomware. Without this specific, contextual intelligence, you can’t tell the business where the true risk lies.
- Focus on Compliance, Not Risk Reduction
The process has become an end in itself. We’re more concerned with looking secure for an auditor than we are with actually reducing our risk exposure. The goal of TPRM should be to make the company safer, not just to produce reports.
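The “average of averages” flaw and the missing context described above can be made concrete. The following is an added example, not code from the Third Party Podcast or its hosts: it scores two constructed vendor profiles (the control names, scores, exposure weights and grade thresholds are all invented for the illustration) once as a plain mean, and once with an assessment that weights each control by how much it matters to the engagement and lets a single critical finding cap the grade. One vendor earns a B by averaging despite an unpatched, exposed server; the other earns an F for cosmetic findings on systems that never touch the contract.

```python
"""Why an averaged vendor score misleads, and what a context-aware assessment changes.

Added example (not code from the Third Party Podcast or its hosts). All vendors,
control names, scores, exposure weights and grade thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    control: str            # control area the finding was rated under
    score: float            # 0 (failing) .. 100 (effective), constructed scale
    exposure: float = 1.0   # how much this control matters for what the vendor does for us (0..1)
    critical: bool = False  # dangerous on its own, e.g. an unpatched, internet-facing server


def letter_grade(score: float) -> str:
    """Map a 0-100 score to a letter grade (constructed thresholds)."""
    for floor, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return grade
    return "F"


def averaged_grade(findings):
    """The 'average of averages': every control counts equally and no single finding can dominate."""
    return letter_grade(mean(f.score for f in findings))


def contextual_assessment(findings):
    """Exposure-weighted score, with any critical finding capping the grade at F.

    Returns the grade together with the findings that drove it, so the result can be
    explained to the business as a concrete risk rather than a bare letter.
    """
    critical = [f for f in findings if f.critical]
    weighted = sum(f.score * f.exposure for f in findings) / sum(f.exposure for f in findings)
    if critical:
        return {"grade": "F",
                "drivers": [f.control for f in critical],
                "weighted_score": round(weighted, 1)}
    # Material weaknesses: weak controls that actually matter to this engagement.
    drivers = [f.control for f in findings if f.score < 70 and f.exposure >= 0.5]
    return {"grade": letter_grade(weighted),
            "drivers": drivers,
            "weighted_score": round(weighted, 1)}


def compare(findings):
    """Side-by-side view of the two approaches for one vendor."""
    return {"averaged": averaged_grade(findings), "contextual": contextual_assessment(findings)}


# Constructed vendor profiles (not real vendors).
PATCH_GAP_VENDOR = [
    Finding("identity and access", 95),
    Finding("encryption in transit", 92),
    Finding("logging and monitoring", 98),
    Finding("secure development", 90),
    Finding("patch management", 40, critical=True),  # known, unpatched, exposed issue
]

NOISY_HYGIENE_VENDOR = [
    Finding("marketing-site DNS hygiene", 30, exposure=0.1),
    Finding("email SPF/DMARC", 35, exposure=0.1),
    Finding("TLS config on brochure site", 40, exposure=0.1),
    Finding("identity and access", 92),
    Finding("data handling for our contract", 95),
]

if __name__ == "__main__":
    for name, vendor in (("patch-gap vendor", PATCH_GAP_VENDOR),
                         ("noisy-hygiene vendor", NOISY_HYGIENE_VENDOR)):
        print(name, compare(vendor))
```

Running it shows the patch-gap vendor averaging to a B while the contextual assessment returns an F driven by “patch management”, and the noisy-hygiene vendor averaging to an F while the contextual assessment returns a B with no material drivers. The point is not the particular weights, which are constructed, but that the output names the finding behind the grade, which is the contextual intelligence the business needs to hear.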
Why TPRM Challenges Remain Hidden: Comfort and Inertia
So why does a broken system persist? The podcast hosts believe it’s a mix of inertia and complacency. The system we have, while broken, is what people are used to. They’re comfortable with a bad process because it’s the process they’ve always used.
As Bob points out, it’s the “cooked frog” analogy. You don’t jump out of the pot if the water heats up slowly. The threat landscape has changed gradually, and the industry has become comfortable with an old, ineffective way of doing things.
Top Reasons TPRM Professionals Stay Stuck:
- We’re Too Busy
Managing thousands of vendors is a massive, complex problem. While flawed, the old methods are at least seen as scalable. The idea of adopting a new, more effective system that provides continuous monitoring and contextual intelligence is daunting.
- The Business Can’t Grasp It
It’s hard to explain to a non-technical executive why a good-looking risk score is actually a red flag. The conversation doesn’t happen because we haven’t learned to translate technical risk into business impact—the language of dollars and downtime.
- We’ve Created an Industry Around Bad Data
As Ferhat notes, the industry has become about managing the questionnaire, not managing the risk. Organizations have built entire processes and teams around collecting and tracking this ineffective data.
The problem is real, but it can be fixed.
You have the power to stop the security theater and demand, or build, a program that actually makes you safer.
What’s the one thing you can do to start changing the conversation? Stop automating bad processes. As Jeffrey puts it, “automating bad, just automates bad.”
If you want to hear more unfiltered conversations about what actually works in TPRM, subscribe to the Third-Party Podcast on YouTube or wherever you get your shows.
Check out our new podcast, Third Party, to unpack what actually works (and what doesn’t) in TPRM.