Third party risk management is broken and we made it that way

Third party risk management is broken and we’ve made it that way.
Customers are making their own vendors’ security programs worse without even realizing it.
What do security teams think happens when they send 263-question Excel sheets to a new vendor? If the team isn’t going to block the deal or make changes on their side based on the results of 90% of them, why even ask?
It’s doubly worse if the info is already in the vendor’s audit report. Often the customer’s security team can’t be bothered to actually read the report so they make the vendor do the questionnaire anyway.
Guess what the person filling out the questionnaire isn’t doing while they’re transcribing answers for the customer to briefly skim?
They’re copy/pasting answers into a poorly designed portal instead of securing the platform your company is about to use. Oops.
How can we stop acting against our own best interests?
Rather than approaching vendor evals as a way to point out flaws that you’ll approve anyway, take the time to figure out what’s really important to your business. In the context of securing your data at this particular vendor with this particular use case, what really matters?
(Hint: It’s probably not encryption at rest)
If the vendor has gaps in those critical areas, work with them to understand why this is an important area to improve and get contractual commitment to close the gap in X months as a condition to signing.
You’ve now successfully tied your counterpart’s ability to materially improve the security of the platform to their own revenue. You may as well put a bow on their CSPM proposal for them.
If companies need to act in their shareholders’ best interest, it’s up to you as a purchaser to make security in your vendor’s best interest.
If you're coming from a larger company, procurement and renewal is when you have massive power to influence the resources allocated to security at your vendors.
Don’t waste the opportunity by punishing others just because you had to fill out questionnaires when you were younger.
(And if you're on the vendor side of that exchange — staring down a portal UI that looks like it was designed in 2008 — that's the status quo we're trying to replace with TrustMind.)