
Collaboration Not Conflict: Are CISOs Getting Third-Party Risk Management Wrong?
If there were any lingering doubts about the importance of third-party risk management (TPRM), the events of the past year must surely have banished them. From SaaS vendors to high street retailers, a string of high-profile data breaches and ransomware intrusions has offered plenty for CISOs and their boards to think about. When an outsourced IT helpdesk is blamed for a breach costing upwards of £100m, supply chain risk management becomes everyone’s business.
But are boards genuinely paying attention? And are today’s questionnaire-based supplier checks still fit for purpose? To find out more, GRC specialist Diligent gathered a group of typically outspoken cybersecurity leaders for a recent RANT roundtable in London.
AI Talking to AI
Diligent’s Jelle Groenendaal, Co-founder of the firm’s 3rdRisk business, kicked off proceedings with some words of comfort for attendees around the table: “I feel your pain”. Groenendaal was a Cyber Resilience Manager at Deloitte when he realised that legacy approaches to TPRM were woefully outdated.
“You’re asking highly educated people to chase emails and send out questionnaires, then collate all that information in a central spreadsheet. It just wasn’t working,” he explained.
Most of the CISOs around the table were in agreement. One argued that, too often, TPRM is a “one and done” process. “How do we get more agile? How do we recognise that our risk changes frequently over the course of the year?” he said. “I fundamentally think something is broken.”
Text-heavy, point-in-time questionnaires can quickly overwhelm teams. The danger, one CISO argued, is that you skim the details and assume that everything’s OK. Another suggested that if they receive a document featuring more than 50 questions, they’ll simply deal with it via AI rather than engage personally.
“People are automating their responses to a questionnaire that has been created by automation,” said another concerned CISO. “If there’s so much being written, it’s not going to be read.”
In any case, large suppliers like the hyperscalers are likely to ignore detailed questionnaires, and simply point the organisation to their “trust centre” page, another attendee claimed. That highlights a challenge that many said they face: devising an effective way to manage risk across a broad range of suppliers and partners, with different risk profiles.
“There’s a level of real discrepancy,” argued host Matt Ford, Third Party Risk Manager at Howden. “How to get something that’s manageable for all, that represents the genuine size of business risk you have associated with these partners.”
For many, there’s no beating the human touch. Several attendees noted the benefits of simply picking up the phone for a CISO-to-CISO chat with their suppliers. But that’s not going to be possible for every single supplier. This is where smarter, more targeted questionnaires could help.
A false sense of security?
Security leaders around the table were conflicted about the value of standards, frameworks and certifications, like Cyber Essentials and ISO 27001. One labelled the latter “both useful and a complete sham”. The challenge is that it is often used as a tick-box exercise, with companies failing to dig deeper into the Statement of Applicability, which reveals exactly which Annex A controls a supplier has put in place and which it has excluded from scope.
“Even the latest version of ISO 27001 doesn’t mean you’re secure,” said one CISO. “It just means you’ve written something down.”
Context is therefore critical to effective TPRM, attendees agreed. Exactly what kind of service a supplier provides, the size and complexity of their IT infrastructure, and even their financial stability (or lack of it) are all important risk factors. But there are many more.
In defence of standards and certifications, one security leader argued that no single compliance attestation should be treated in isolation. The trick is to build a more coherent picture of risk by combining multiple sources of information. Another suggested that, at the very least, Cyber Essentials certification could create a “pathway” for a supplier to improve their security posture over time.
It’s a partnership, stupid
For many, this gets to the heart of what TPRM should really be about. Rather than “hammer” smaller suppliers with lengthy questionnaires and rigorous requirements, organisations should see the relationship as a mutually beneficial partnership, several attendees argued.
“It’s not about ticking those boxes. You’re looking for threats, risks and ways to ensure they don’t materialise,” said Ford. “We’re here to support and help them to develop. We may want them to get SOC 2 or ISO 27001, but that’s a journey. Seriously consider that your suppliers are part of your own journey to success, just as much as you’re going to be for them.”
Echoing these views, another attendee shared that they had dropped a supplier following a breach, but this came at a huge cost, as they were forced to find a replacement mid-project. “In that situation it’s a lose-lose,” she said.
Traditional questionnaires were criticised around the table for being too “crude” and encouraging a “pass/fail” culture which leaves both parties worse off.
“There’s an obligation here for senior leaders that TPRM shouldn’t be a tick box. It should be something UK PLC is working on to enhance the security of everyone,” said one senior risk leader. “Security should never be a competitive advantage. It should be a leveller. We all want to be as secure as possible. So stop sending out 200-page questionnaires, and work to help your suppliers understand what they need to do to get to a level that benefits us, them and everyone.”
The board may already be bored of this
The challenge facing CISOs, another attendee opined, is convincing the board that TPRM is still value for money. Like immunisation, if it’s working, there will be no visible result to crow about. “We need to turn to something usable and make sure it resonates with boards, so they don’t see this as dead money that will be gone after a certain point,” argued one security leader.
“That is why we acquired 3rdRisk,” responded Tom Ryan, Diligent GRC Sales Director. “Because what we’re trying to help CISOs and CROs give to their board is the context … So you can say to the board ‘you wanted to achieve these objectives, well, this is the level of risk we’re currently carrying.’”
Ultimately, “there’s a time and a place” for questionnaires, said Howden’s Ford. They can help to make the board care about TPRM, as long as they’re treated as part of a “multi-source” strategy.
“The one thing we care about is breach probability,” he concluded. “How easy will they be to take down? How much are they going to take down from us? And how bad are their nth-party suppliers?”
When couched in those terms, maybe supply chain risk management isn’t so complicated after all.
