
Is Cybersecurity Regulation Actually Dangerous?

Third Party Podcast: When Compliance Checkboxes Become a Liability


Check out our podcast, Third Party. This is the podcast built for the people behind the dashboards: the ones managing 5,000 vendors with a team of three.

Introduction

If you’ve spent more than five minutes in the Third-Party Risk Management (TPRM) trenches, you’ve felt it: the crushing weight of the "Checklist."

We’ve been told for decades that regulation is the floor, the baseline for a mature security program. But as the gap between fast-moving threats and slow-moving legislation widens, we have to ask a dangerous question: Is cybersecurity regulation actually making us less safe?

In this episode of Third Party, hosts Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik look at the unvarnished truth of the regulatory landscape.

Why Auditors Don't Equal Security

There is a fundamental disconnect between the people writing the rules and the people defending the networks. Many regulations are written by individuals who haven’t touched a server in twenty years.

The result is prescriptive theater. We see backend processors forced to encrypt backup tapes that contain zero PII simply because a rulebook says so, ignoring robust compensating controls already in place. When you focus on the letter of the law rather than the spirit of the law, you stop managing risk and start managing auditors.

Whether it is the "onerous overhead" of Sarbanes-Oxley (SOX) or the rigid boxes of PCI DSS, if your primary goal is to avoid being "found wanting" in an audit rather than maintaining business resilience, you aren't a security professional. You're a compliance clerk.

Hackers Don't Care About Your ISO Certification

Threat actors do not check your SOC 2 report before they launch a ransomware attack. Certifications are snapshots of the past. Attackers live in the immediate present.

If your budget is 90% focused on meeting a standard whose control catalogue is revised only every few years (ISO/IEC 27001, for example, went straight from its 2013 edition to its 2022 edition), you are essentially defending a castle with a moat while the enemy is already inside using a stolen credential. Attackers don't look at your compliance metrics. They find a single gap and exploit it.

Regulatory Fragmentation: The Hidden Risk of Overlapping Frameworks

We are currently facing a regulatory fragmentation crisis. According to the World Economic Forum's Global Cybersecurity Outlook 2025, 76% of CISOs say that regulatory fragmentation across jurisdictions greatly affects their ability to stay compliant.

In the U.S. alone, the lack of a national privacy strategy means teams are forced to stitch together a Frankenstein's monster of state-level requirements. This isn't just a headache. It's a security risk. Every hour your team spends mapping "shall" vs. "must" across fifty different state statutes is an hour it isn't spending hunting for vulnerabilities in your supply chain.

Modernizing TPRM: Shifting from Questionnaires to Evidence-Based Risk

If regulation is the disease, the cure is a shift toward agility and automation. Newer frameworks like the EU's Digital Operational Resilience Act (DORA) are beginning to address third-party ICT risk directly, but the tools we use to manage that risk must evolve with them.

  • Kill the 500-Question Survey: Sending a massive, static spreadsheet is the most counterproductive practice in the industry. It yields answers that rarely reflect reality, and the answers are stale the day they are returned.
  • Embrace Continuous Monitoring: Compliance is a snapshot; risk is a movie. You need tools that monitor the landscape and vendor health in real time, not once a year.
  • Prioritize Compensating Controls: TPRM isn't a blame game. It's about relationship management. If an auditor prevents you from using compensating controls that actually work, the regulation has become the threat.

Balance Cybersecurity Compliance with Real-World Risk Management

Regulation shouldn't be a "checkbox stop-gap." It should be the catalyst for budget and executive attention, but it cannot be the destination.

If you are regulating by fear of the fine, you’ve already lost the plot. Security demands daylight and transparency, not just a stamp of approval from an auditor who doesn't understand your business.

DON'T MISS AN EPISODE!

Subscribe to Third Party on YouTube, the podcast for the people who don’t need to ask ChatGPT what TPRM means. New episodes every other week.

Next Time on Third Party

We’ve got a lot more coming — new conversations, sharper debates, and topics that are already stirring things up in the cyber and risk worlds. So stay tuned, subscribe wherever you listen, and we’ll see you in the next one.
