Why Third-Party Risk Management Is Broken, According to CISOs and Analysts
Security Boulevard, Wednesday, July 8th, 2026
Questionnaire-based, point-in-time vendor assessments no longer reduce real third-party risk, CISOs and analysts say.
CISOs, analysts, and journalists increasingly agree that questionnaire-based, point-in-time third-party risk management (TPRM) is failing. A questionnaire only records what a vendor claimed on one day, not whether controls are real, working, or still in place months later.
The industry deferred too often to audit-driven frameworks that prioritize documentation and repeatability over actual security outcomes, turning TPRM into a process- and optics-driven business model.
The impact is real: 71% of organizations suffered a material third-party incident in the past year, 85% of CISOs lack full supply-chain visibility, and few monitor fourth or nth parties. The article calls for continuous, outcome-focused approaches that reduce risk rather than merely document it.