From Policing to Partnering: Rethinking the Third-Party Risk Management Process

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

The traditional third-party risk management process often treats vendors with suspicion, mistrust, and skepticism, focusing on control rather than collaboration. This one-way “policing” mindset undermines what should be a productive and mutually beneficial partnership, creating an environment of contention and inefficiency.

Instead of working together to manage risks, organizations often overwhelm vendors with scattershot questions about vulnerability management, patching strategies, SOC 2 compliance, and more — usually without providing clear context or guidance. Vendors are left feeling frustrated and disconnected, expected to comply without fully understanding the purpose or value of their efforts. This approach feels more like an interrogation, turning what should be a partnership into more of a power struggle.

To strengthen defenses and improve the overall risk posture of their ecosystems, organizations need to move beyond this outdated approach of managing third-party risk. After all, cyberattackers don’t work in isolation — they share intelligence, coordinate strategies, and collaborate to exploit weaknesses. To combat this, organizations must adopt a similar mindset, shifting from control to collaboration. Lone wolves simply cannot prevail against well-coordinated efforts. 

Embracing partnership over policing, organizations can build trust and create a culture of shared responsibility — transforming third-party risk management into a proactive, collaborative strategy that benefits everyone involved. To understand why the current approach falls short, let’s examine the consequences of this policing mindset.

The Problem With Policing Vendors 

Policing vendors has long been a common approach in third-party risk management, but it usually creates more problems than it solves. Instead of building a collaborative, trust-based relationship, it positions vendors as adversaries under constant scrutiny. Vendors may feel like they are being targeted — not by cybercriminals, but by the very organizations they’re supposed to support.

This sense of distrust will lead to counterproductive outcomes. Rather than being transparent about potential risks or vulnerabilities, vendors may withhold critical information to avoid blame or punitive consequences, leaving organizations blind to potential risks.

The resulting lack of transparency can lead to delayed responses – or none at all – and missed opportunities for risk mitigation. After all, you can’t address risks you don’t know about. Distrust and resentment are partners in crime, and vendors may feel resentful that their time is being wasted by time-consuming questionnaires. As a result, vendors deprioritize or ignore these tasks and organizations waste valuable time chasing incomplete responses.

Beyond the operational inefficiencies, policing represents a major misstep in risk management. It doesn’t just sour relationships — it’s fundamentally shortsighted. Since it focuses narrowly on identifying and resolving immediate vulnerabilities, it misses the broader opportunity to build a shared, proactive, and long-term defense strategy. 

Why Partnering Creates a Better Third-Party Risk Management Process

Cyberattackers don’t work in a vacuum — they operate in networks, share intel and strategies, and collaborate on attack timings. In contrast, many organizations and their vendors remain stuck in reactive, adversarial relationships — pointing fingers, struggling with miscommunication, and ultimately, leaving critical risks untreated. 

A partnership-driven approach flips this dynamic, creating an environment where organizations and vendors collaborate, learn from each other, and pool their resources and expertise. Open communication also eliminates data silos and barriers, meaning it’s easier to act quickly during critical moments. When everyone in your supply chain sees the same accurate, actionable data, responses are faster and more effective. 

Vendors treated as integral allies rather than external risks are more likely to engage openly, prioritize security initiatives, and align with your goals. This approach strengthens relationships, closes security gaps more efficiently, and creates a continuous improvement cycle that benefits both parties.

How To Build Strong Vendor Partnerships

Modernizing your third-party risk management process starts with rethinking how you work with vendors. These tips will help you shift from a policing mindset to a more collaborative approach, building mutually beneficial partnerships that strengthen security:

1. Build a strong foundation from the outset

Partnerships start with transparency. During vendor onboarding, clearly communicate how you assess security posture and why it matters. This sets expectations and reinforces the mutual benefits of an open, collaborative approach.

For existing vendors, revisit your goals and outline plans to strengthen collaboration. Engage your vendors in these discussions — ask for their input on improving collaboration and listen actively to their feedback.

Using tools like Black Kite’s Ransomware Susceptibility Index® can provide insights into which companies in your ecosystem are most likely to be hit by a ransomware attack, so that you can work with your vendors proactively to reduce that risk.

2. Prioritize communication and engagement

Regular communication is essential for maintaining trust and efficiency. Establish direct, security-to-security communication channels to expedite responses during critical moments. Sharing trustworthy, actionable data also reduces the burden on vendors who may be working with hundreds or even thousands of customers — who are all expecting their attention.

Tools like Black Kite Bridge™ streamline this process by centralizing communication, automating outreach, and sharing real-time intelligence. With a tool that shares asset-level vulnerability intelligence and real-time ratings updates, vendors know exactly what they need to do to address your concerns. Vendors also appreciate such solutions as they help them scale efficiently — remediations to one client’s concerns are immediately visible to other clients, saving time.

3. Develop proactive incident detection and resolution processes

Security incidents are inevitable, making it essential to develop a proactive process for identifying and addressing them. Effective incident response depends on access to precise, actionable information shared transparently with vendors.

The traditional approach of inundating vendors with unstructured data leads to delays and confusion. Without clear guidance, vendors may struggle to prioritize their actions. A better option is to use a tool like Black Kite’s FocusTags™ to offer specific, actionable steps for addressing vulnerabilities. This makes it much easier for vendors to know what exactly needs to be done and why.

4. Collaborate on post-mortem incident reviews

When incidents occur, the response shouldn’t end with mitigation. Collaborating with your vendors to conduct post-mortem reviews is much more constructive than pointing fingers. It also shifts the focus to learning and improvement rather than fault-finding. By honestly evaluating what went wrong, it’s easier to take the necessary steps to improve your, and their, response in the future. 

Taking a team-oriented approach to post-incident reviews strengthens your collective defenses. These collaborative discussions show a commitment to mutual success and ongoing improvement, reinforcing your shared responsibility in maintaining a strong security posture.

The Power of Partnership 

Vendor partnerships aren’t just about managing risk — they’re about building relationships that deliver mutual value. Collaboration shifts the dynamic from adversarial into one rooted in trust, transparency, and shared objectives. Partnerships accelerate threat responses, streamline third-party risk management processes, and enable both organizations and vendors to strengthen their defenses. 

The real power of partnership lies in its ability to create a symbiotic cybersecurity ecosystem, where each party contributes to a stronger collective defense. Vendors become trusted allies, working alongside you to identify vulnerabilities, mitigate risks, and stay ahead of threats. In this unified ecosystem, the sum truly is greater than the parts.