Written by: Jeffrey Wheatman

Managing third-party risk is a high-stakes endeavor today. After all, our research shows that third-party breaches grew by 30% from 2022 to 2023. We often hear from customers wondering how big of a team they need to run a successful third-party risk management (TPRM) program. For such a big problem, we’re gonna need a big team, right?

Let’s dig a little deeper. Do TPRM best practices really require many sets of hands to execute? Or, is a barrage of FUD-inducing breaches just creating a frenzy around this type of risk?

To get to the bottom of this, let’s take a look at the facts that lead organizations to believe they need a big team to manage third-party risk. Or — if you’re ready to go straight to the myth-busting or just prefer video content (we get it!) — scroll down for our episode of RiskBusters™, which tests this assumption in real time with our TPRM experts.


Fact: You Have Hundreds of Vendors — And They Have Thousands of Vulnerabilities

Why is third-party risk management important? Our research shows that, on average, organizations have anywhere between 20 and 200 vendors in their tech ecosystems. At the same time, new vulnerabilities are popping up every day. The Cybersecurity and Infrastructure Security Agency (CISA) publishes hundreds of new CVEs every year and even saw a surge of 557 new CVEs in 2022 alone. With growing supply chains and an evolving threat landscape, security teams spend a lot of time and resources thinking about how to manage third-party risk, monitoring the threat landscape, and keeping tabs on active vendors to mitigate risks. So as ecosystems scale, organizations assume the security team headcount must scale too.

Fact: Traditional TPRM Best Practices Are Very Time-Consuming

In an attempt to manage all this complexity, security teams turn to traditional TPRM best practices, like security questionnaires. But if you’ve worked on a security questionnaire recently, you know that they are time-consuming and resource-intensive. It takes a long time to gather, review, and analyze vendor information — especially when vendors fail to complete questionnaires on their own and your internal team ends up chasing down information and asking follow-up questions. 

The kicker? These questionnaires provide little long-term value for your company. The information within a questionnaire only represents a vendor’s cybersecurity posture at a particular moment in time (a problem with many traditional TPRM best practices).

When you consider this lift against an ecosystem of hundreds or thousands of vendors, it’s easy to see why companies think they need more hands on deck to stay afloat. 

Fact: There’s a (Very Widely Discussed) Skills Gap in Cybersecurity

It seems like every day we see headlines about the skills gap in cybersecurity. According to recent research, 71% of organizations report they’ve been impacted by a shortage of skilled workers in cybersecurity — leading to an increased workload for the existing team, unfilled open job requisitions, and employee burnout. All these headlines contribute to a scarcity mindset, where the industry is focused on solving for a lack of skilled workers. In some cases, it causes organizations to believe they need more people to fill out the team instead of new processes and technology that allow small teams to do more with less. 

Separating Fact From Fiction

It’s easy to see why organizations believe they need a big team to manage third-party risk. There are a lot of vendors and vulnerabilities to contend with, and not enough skilled resources to handle all the responsibilities that come with robust third-party risk management. 

But does the answer lie in a larger team? Or should organizations optimize processes and look for better technology to manage the complexity of today’s third-party ecosystem more efficiently? Our RiskBusters™ have the answers below…

Because this is a significant concern for so many businesses, our RiskBusters™️ decided to test this claim. We ask if this prepare-for-the-worst mentality is truly the only way to prepare for ransomware and discuss whether or not there are ways to accurately gauge the likelihood of a ransomware attack on you or one of your third-party resources. Watch the video to learn more: 


Solving TPRM Challenges with Automation, Not Headcount

Wondering exactly how to address third-party risk without an enormous team? Black Kite can help. Learn more about how to automate compliance of third-party risk assessments using the industry’s first cyber-aware AI engine.

Black Kite’s UniQuE™️ Parser AI engine ingests and analyzes vendor documents, cutting compliance gap analysis time from 6 weeks to 6 hours.

To learn more about common TPRM assumptions and see if they’re fact or fiction, subscribe to our YouTube channel so you can catch all of our RiskBusters™️ episodes!
