Third-Party Risk Questionnaires: Best Practice or Legacy Tool?

George V. Hulme | February 10, 2014

Questionnaires have been a key part of third-party risk management programs for decades. And, until recently, they were the primary way businesses checked up on the cybersecurity performance of their third-party vendors. 

But recent history has taught us that these questionnaires aren't necessarily the best tool for third-party risk management, and may in fact be lulling risk professionals into a false sense of security. 

According to a recent Ponemon Institute study, 59% of companies have experienced a data breach caused by a third party. Among this majority, it's safe to assume some portion are using third-party risk questionnaires.

The problem is that questionnaires only provide a small amount of visibility into cyber risk. And in a world where third-party ecosystems are getting larger and more connected, that's a big problem. 

Here are a handful of ways questionnaires leave organizations vulnerable:

Security questionnaires only reflect one point in time.

In other words, questionnaires only provide reliable information in the moment they are answered.

Organizations change. They change management, which changes risk tolerance; they revise security and regulatory compliance policies, which changes their security and compliance posture. They deploy new technologies, and that also changes their risk posture.

And while the organization's security practices are changing, the threats are too. Good security controls are only good so long as they protect the organization against known threats. When new threats emerge in the time between assessments, that can leave a previously secure organization exposed. 

Questionnaire answers are prone to bias.

Security and compliance professionals are often overconfident when it comes to the maturity and status of their security and risk management programs. As a result, their answers to risk management questions can often be overstated or misleading. 

Intentional lying is always a possibility — after all, questionnaire results can have financial implications for the vendor — but for the most part, inaccurate responses aren't malicious. It's simply a symptom of the fact that people don't know what they don't know, and when it comes to a system as complex as an enterprise IT network, a human isn't really the best source of truth. 

Which leads us to:

Those answering questionnaires rarely have all the facts.

Most of the time, the person fielding a questionnaire is basing their answers on what's been handed to them by others, whether that's their own employees, third-party auditors, or software tools. The further data gets from its quantifiable source, the more suspect it becomes.

Questionnaires provide a false sense of security.

Questionnaires aren't just risky because they could contain misleading information. Questionnaires also give those who rely on them a false sense that their partners' systems are adequately secured, which can lead to a lack of precautions and, ultimately, to data breaches.

The new best practice

In addition to questionnaires, TPRM professionals need tools that enable objective, continuous monitoring.

Security ratings are one solution. Provided by independent organizations, these ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. They identify things like malware infections and poor cybersecurity hygiene within a network, and are updated daily.

That means risk teams can get alerted to vulnerabilities now, rather than when the next assessment rolls around. In addition, they are based on accurate, objective information rather than personal opinions. In the case of BitSight Security Ratings, they're actually proven to correlate with risk of data breach. 

To call questionnaires a "legacy tool" would be a little hasty. Questionnaires still have their place in third-party risk management programs. There is information that you can gather via questionnaire that you can't get from other sources. For example, check out our suggestions for questions to add to yours. 

However, questionnaires alone can't provide the kind of context modern risk professionals need to get the job done. 
