The modern business environment is no longer contained within a single organization’s walls; it is an interconnected web of digital and physical dependencies. As businesses increasingly rely on external partners for everything from data processing to office supplies, the risks associated with these relationships have moved to the forefront of cybersecurity strategy.
We sat down with Jeffrey Wheatman, Cyber Risk Evangelist at BlackKite and former Gartner Analyst, to discuss the evolving challenges of Third-Party Risk Management (TPRM). With three decades of experience, Jeffrey shared his insights on why traditional security questionnaires are failing, how to communicate risk to business stakeholders, and the emerging importance of digital supply chain resilience.
You can read the complete transcript of the epiosde here >
What are the Key Differences Between Third-Party, Vendor, and Supply Chain Risk?
While often used interchangeably, Jeffrey clarifies that these three disciplines are interrelated but distinct in scope:
- Third-Party Risk: The broadest category, encompassing everyone you do business with, including those who share or process data, deliver food, or manage waste.
- Vendor Risk: A specific subset of third-party risk involving people you pay for specific products or services.
- Supply Chain Risk: Historically focused on physical logistics (planes, trains, and automobiles), this has shifted to include the digital supply chain.
Cybersecurity is a critical slice of this ecosystem because it has an outsized impact on the business. A ransomware attack on a partner can halt your ability to manufacture, ship products, or collect payments.
Why are Traditional Security Questionnaires No Longer Sufficient?
Historically, organizations assessed third-party exposure by sending out questionnaires. However, this method faces several critical sustainability and accuracy challenges:
- Accuracy Decay: Even if a questionnaire is 100% accurate the day it is filled out, it becomes less accurate every week, month, or year that passes as dynamic environments change.
- Lack of Holistic Knowledge: It is rare to find one person in an organization who knows every moving part of their security and risk posture.
- Self-Reporting Gaps: Questionnaires often rely on binary “yes/no” questions that hide nuance—such as having Multi-Factor Authentication (MFA) on “critical” systems only, rather than across the whole organization.
- Policy vs. Practice: Often, what a CIO reports in a policy doesn’t match what engineers are actually doing on the ground (e.g., bypassing firewall change controls to maintain velocity).
Despite these flaws, questionnaires remain common because they fulfill due diligence requirements, provide some legal protection, and have simply “always been done that way”.
How Should Organizations Prioritize Their Third-Party Partners?
With many organizations dealing with thousands of partners, it is impossible to treat every vendor with the same level of scrutiny. Jeffrey suggests prioritizing based on business impact:
- Impact Assessment: Determine how bad it would be if a partner were hit with ransomware. Would your business function at a lesser level, or not at all?
- Data Sensitivity: Evaluate the risk if a partner loses your specific data, even in non-breach scenarios like privacy violations.
- Extended Ecosystems: Look beyond the third party to fourth, fifth, and sixth-party risks. For example, concentration risk arises if all your partners use the same cloud provider (AWS, Google, or Azure).
- Simple Categorization: Avoid overanalyzing; use three or four simple buckets—Critical, Important, and “Meh”—to determine what you will do differently for each group.
How Can Security Teams Effectively Communicate Risk to Stakeholders?
A recurring problem in risk management is the disconnect between technical data and business value. To fix this, Jeffrey recommends shifting the language used with business leaders:
- Move Beyond Tech Specs: Instead of telling a business person that a vendor isn’t patching, explain the business consequence: “Based on what we’ve seen, it’s highly likely we see an incident in the next 12 months. If their system is unavailable for a week, how bad is that for you?”.
- Outcome-Based Security: Work with executives to understand that security is a trade-off: more investment equals more risk mitigation. When budget is cut, the business must understand and articulate exactly what additional risk they are absorbing.
- Accountability Alignment: Address the common scenario where a business chooses the cheapest security option against expert advice, yet the security person is still held accountable when a breach occurs.
What is the Value of Scenario Planning and Role-Reversal Workshops?
To build empathy and a common understanding of risk, Jeffrey advocates for intense scenario planning.
In these workshops, he recommends changing everyone’s job: the CIO becomes the COO, the CTO becomes the CEO, and so on. This forces participants to think differently about dependencies and security value, often leading to the realization of previously unthought-of risks. This interaction helps embed the CISO as an equal partner rather than a roadblock.
What Emerging Trends are Shaping the Future of Cyber Risk?
Several global trends are maturing the TPRM landscape:
- Resilience over Compliance: Organizations are moving toward resilience—ensuring they can continue to operate regardless of the incident.
- Real-Time Intelligence: The shift is moving from static data to real-time intelligence. Providing context is more valuable than just throwing out a “security score”.
- Regulatory Pressure: Regulations like the SEC ruling in the US, DORA in the EU, and new accountability frameworks in India are forcing boards to take a more proactive role in cybersecurity oversight.
- The AI Advantage: AI is beginning to provide sophisticated analysis for complex problems, such as the “traveling salesperson problem” in supply chain mapping, helping to identify vulnerabilities further down the chain.
Conclusion: Building a Defensible and Scalable Program
As Jeffrey Wheatman emphasizes, effective third-party risk management is not about achieving 100% accuracy—which is impossible—but about defensibility. Organizations must document their decision-making processes so that when bad things inevitably happen, they can explain to regulators why they took a specific course of action. By prioritizing vendors based on business impact, automating where possible to provide business context, and fostering a culture of “give and take” between security and the business, leaders can move from simply checking boxes to building a truly resilient extended enterprise.
