Fact or Fiction (Part 2): More Misconceptions About Third-Party Risk Management

Alex Campanelli | September 10, 2018 | tag: Vendor Risk Management

There are many third-party risk concepts, some of which we addressed in the first blog post of this series. While third-party risk management (TPRM) programs are becoming increasingly common for businesses, there are still some misconceptions about the elements that comprise them. In the second post of our three-part blog series, we’ll take a look at some of the notions surrounding third-party risk management programs and weed out fact from fiction.

All cybersecurity resources should be allocated towards defending one’s own network.


Your own network could be extremely secure, but without effective third-party vendor risk management, your sensitive data will still be vulnerable. Surveys indicate that many data breaches are caused by third parties — they continue to make headlines as business after business suffers compromised security at the hands of a supplier. Deloitte reports that 1 in 5 organizations has experienced a third-party breach, and 1 in 10 has lost revenue as a result. Lastly, studies show that the most expensive data breaches are the ones that originate from third parties.

A typical vendor questionnaire could be 50% shorter and just as effective.


Third-party vendor security questionnaires are a traditional security assessment method, which are often time-consuming and resource-intensive. As a result, many organizations are moving towards shared, streamlined questionnaires. By supplementing these questionnaires with continuous monitoring data like BitSight Security Ratings, customers have been able to drastically reduce the number of questions they need to ask their third parties and decrease turnaround times — making their TPRM program more efficient and effective overall.

Organizations can’t really influence their third parties’ cybersecurity practices.


Security leaders have proven that writing security obligations into contracts is one way to influence, but having frequent data-driven conversations using security ratings and assessment results can also improve vendor performance. In fact, one BitSight customer was able to improve the security posture of more than half of their vendors in just 6 months by granting them access to the BitSight platform. BitSight Security Ratings enables collaboration through consistent, data-driven security and risk conversations; it allows users to instantly share ratings with critical third parties directly in the vendor portal, fostering more effective collaboration around security to better protect company assets.

Businesses will keep investing in stronger third-party risk management programs as the need to outsource critical business functions continues. It’s important for these organizations to understand how security ratings can help proactively mitigate the risk posed by their third-party supply chain as well as facilitate collaborative relationships with their third-party vendors.

Read this ebook to learn more about common misconceptions surrounding third-party risk management.

third-party risk management misconceptions

Read part 1 of the Fact or Fiction series: Things You Should Know About Third-Party Risk Management.

Read part 3 of the Fact or Fiction series: How Security Ratings Play a Role in Third-Party Risk Management

Suggested Posts

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring...


5 Best Practices for Conducting Cyber Security Assessments

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.


5 Tips to Improve Cyber Security Monitoring of Your Vendors

What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by...


Get the Weekly Cybersecurity Newsletter.