Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 340, Issue 2IT NewsSecurity Boulevard

Why Third-Party Risk Management Is Broken, According to CISOs and Analysts

Security Boulevard, Wednesday, July 8th, 2026

Questionnaire-based, point-in-time vendor assessments no longer reduce real third-party risk, CISOs and analysts say.

CISOs, analysts, and journalists increasingly agree that questionnaire-based, point-in-time third-party risk management (TPRM) is failing. A questionnaire only records what a vendor claimed on one day, not whether controls are real, working, or still in place months later.

The industry deferred too often to audit-driven frameworks that prioritize documentation and repeatability over actual security outcomes, turning TPRM into a process- and optics-driven business model.

The impact is real: 71% of organizations suffered a material third-party incident in the past year, 85% of CISOs lack full supply-chain visibility, and few monitor fourth or nth parties. The article calls for continuous, outcome-focused approaches that reduce risk rather than merely document it.

more →  ·  More from Security Boulevard →