Third-Party Risk Questionnaires: Best Practice or Legacy Tool?

Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors.

But recent history has taught us that these questionnaires aren't necessarily the best tool for third-party risk management, and may in fact be lulling risk professionals into a false sense of security.

According to a recent Ponemon Institute study, 59% of companies have experienced a data breach caused by a third party. Since questionnaire-based assessment is so widespread, it is safe to assume that a good portion of those companies had questionnaires in place when the breach occurred.

The problem is that a questionnaire provides only a narrow slice of visibility into cyber risk. In a world where third-party ecosystems are getting larger and more interconnected, that is a big problem.

Here are a handful of ways questionnaires leave organizations vulnerable:

Security questionnaires only reflect one point in time.

A questionnaire's answers are only reliable at the moment they are given; they begin to go stale as soon as they are submitted.

Organizations change. They change management, which changes risk tolerance; they revise or cut security and regulatory compliance policies, which changes security and compliance posture. They deploy new technologies, and that changes their risk posture too.

And while the organization's security practices are changing, so are the threats. A security control is only "good" with respect to the threats that were known when it was assessed. When new threats emerge in the time between assessments, an organization that was secure at the last review can be exposed without any of its questionnaire answers changing.

Questionnaire answers are prone to bias.

Security and compliance professionals are often overconfident about the maturity and status of their own security and risk management programs. As a result, their answers to risk management questions are frequently overstated or misleading.

Intentional lying is always a possibility — after all, questionnaire results can have financial implications for the vendor — but for the most part, inaccurate responses aren't malicious. They are a symptom of the fact that people don't know what they don't know, and when it comes to a system as complex as an enterprise IT network, a single person is rarely the best source of truth.

Which leads us to:

Those answering questionnaires rarely have all the facts.

Most of the time, the person fielding a questionnaire is basing their answers on what has been handed to them by others, whether that is their own employees, third-party auditors, or software tools. The further an answer gets from the measurable source it was derived from, the more suspect it becomes.

Questionnaires provide a false sense of security.

Questionnaires aren't risky only because they may contain misleading information. A completed questionnaire also gives those who rely on it a false sense that their partners' systems are adequately secured, which can lead to fewer precautions on the buyer's side and, ultimately, to data breaches.

The new best practice

In addition to questionnaires, third-party risk management (TPRM) professionals need tools that enable objective, continuous monitoring.

Security ratings are one solution. Provided by independent organizations, these ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. They are built from externally observable evidence, identifying things like malware infections and poor cybersecurity hygiene within a network, and are updated daily.

That means risk teams can be alerted to new issues as they appear, rather than when the next assessment rolls around. Ratings are also based on observed, objective information rather than self-reported opinions. In the case of Bitsight Security Ratings, they have been shown to correlate with the risk of data breach.

To call questionnaires a "legacy tool" would be a little hasty. Questionnaires still have their place in third-party risk management programs. There is information that you can gather via questionnaire that you can't get from other sources: internal policies, incident response procedures, and the vendor's own subcontractor relationships are not visible from outside the network. For example, check out our suggestions for questions to add to yours.

However, questionnaires alone can't provide the kind of context modern risk professionals need to get the job done. Pairing them with continuous, externally observed monitoring covers the gaps that a point-in-time, self-reported assessment leaves open.