Fact or Fiction (Part 2): More Misconceptions About Third-Party Risk Management

There are many third-party risk concepts, some of which we addressed in the first blog post of this series. While third-party risk management (TPRM) programs are becoming increasingly common for businesses, there are still some misconceptions about the elements that comprise them. In the second post of our three-part blog series, we’ll take a look at some of the notions surrounding third-party risk management programs and weed out fact from fiction.

All cybersecurity resources should be allocated towards defending one’s own network.


Your own network could be extremely secure, but without effective third-party vendor risk management, your sensitive data will still be vulnerable. Surveys indicate that many data breaches are caused by third parties — they continue to make headlines as business after business suffers compromised security at the hands of a supplier. Deloitte reports that 1 in 5 organizations has experienced a third-party breach, and 1 in 10 has lost revenue as a result. Lastly, studies show that the most expensive data breaches are the ones that originate from third parties.

A typical vendor questionnaire could be 50% shorter and just as effective.


Third-party vendor security questionnaires are a traditional security assessment method, which are often time-consuming and resource-intensive. As a result, many organizations are moving towards shared, streamlined questionnaires. By supplementing these questionnaires with continuous monitoring data like BitSight Security Ratings, customers have been able to drastically reduce the number of questions they need to ask their third parties and decrease turnaround times — making their TPRM program more efficient and effective overall.

Organizations can’t really influence their third parties’ cybersecurity practices.


Security leaders have proven that writing security obligations into contracts is one way to influence, but having frequent data-driven conversations using security ratings and assessment results can also improve vendor performance. In fact, one BitSight customer was able to improve the security posture of more than half of their vendors in just 6 months by granting them access to the BitSight platform. BitSight Security Ratings enables collaboration through consistent, data-driven security and risk conversations; it allows users to instantly share ratings with critical third parties directly in the vendor portal, fostering more effective collaboration around security to better protect company assets.

Businesses will keep investing in stronger third-party risk management programs as the need to outsource critical business functions continues. It’s important for these organizations to understand how security ratings can help proactively mitigate the risk posed by their third-party supply chain as well as facilitate collaborative relationships with their third-party vendors.

2023 Gartner RC Image Square

“By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” How can a human-centric design strengthen your cybersecurity program? Get your report to learn from key predictions, market implications, and recommendations.

Download Gartner Report
Button Arrow

Read part 1 of the Fact or Fiction series: Things You Should Know About Third-Party Risk Management.

Read part 3 of the Fact or Fiction series: How Security Ratings Play a Role in Third-Party Risk Management