TPCRM
January 15, 2025

Key trends for third-party cyber risk management in 2025

After reviewing the most relevant third-party cybersecurity incidents of 2024, we are now better equipped to consider some of the key trends for the upcoming year.

While no one can predict the future, we should still look to past events to help us chart a course forward – as long as we dare to go a bit beyond what we’ve already seen. It’s possible that not all of these trends will materialize, but it’s important to keep our goals in mind as we move into the new year.

So, we invite you to consider these five ideas with us today – and to ask if they could be a good fit for your organization as well.

1. Less emphasis on questionnaires

Assessment questionnaires have long been a staple of third-party cyber risk management, but their limitations are becoming increasingly clear. This approach, which is considered a "necessary evil" by many, tends to be inefficient and unreliable, leading to decisions based on flawed data. 

After you or a vendor is hit by a cybersecurity incident, answers that may have been recorded as long as a year earlier won't be of much use to anyone trying to understand the chain of failures that allowed the breach to happen. Putting your trust in one-off assessments means you'll be flying blind for most of the year.

At best, questionnaires only evaluate a vendor's posture at a specific point in time. As we often say, they only look at a snapshot, but life is a movie. 

As such, it is best to use questionnaires only to assess that which cannot be verified by automation — processes, policies, culture, and budget being some examples.

2. Continuous monitoring

Limited as questionnaires may be, businesses cannot stop using them without an alternative that can take their place. That is where continuous monitoring comes in.

Unlike questionnaires, continuous monitoring needs to be largely automated — as it would not be truly continuous otherwise. This is optimal for cyber risks, which are tied to IT infrastructure and systems that are already connected and can be reached by monitoring software.

Inside-out monitoring is especially effective, as it leverages the trust of the business relationship to provide a more in-depth assessment of specific security controls that cannot be observed from the outside.

Automating inspections allows for the detection of flaws and inconsistencies in real time, speeding up the response to threats and strengthening system resilience. Businesses that adopt continuous monitoring and automation reduce risks proactively, remaining ahead of the threats and securing compliance with ever stricter regulations.

3. Closer relationships and collaboration

When you go beyond questionnaires, you realize that TPCRM isn't simply about assessing a vendor's security posture. It's about working together to obtain a consistent security posture across your ecosystem.

Although not a strict requirement, continuous monitoring makes it easier to collaborate in this fashion, as it directs attention to the issues that need to be addressed and provides an opportunity to fix them together. Over time, this builds a rich database of real, practical issues that vendors tend to struggle with, which in turn helps them find solutions.

Working closely with partners and vendors also gives security teams the confidence to give their blessing to business agreements they would normally be opposed to. Many problems are easy to fix — it's just a matter of having the means to know if the issues are being worked on.

Everyone benefits from this arrangement. Businesses have more flexibility to find the right vendor for their needs, cybersecurity teams have better visibility over potential risks for hands-on mitigation, and vendors that want to do the right thing will get the assistance needed to improve.

4. Product-oriented vendor risk management

Businesses can have hundreds or even thousands of vendors, but many are unknown to most of the company. That's only natural — many third parties are involved with specific products or service lines, and their role in the supply chain of that product is much more relevant than their role as a supplier to the business as an organization.

When we look at third parties solely based on their relationship to the organization, this can lead to a situation where every single third party is assessed as if it were a supplier to the highest-risk activity performed by the business. While such a tight security approach is laudable, it often leads to needless friction and increased costs, resulting in the opposite of the intended outcome: one where non-critical suppliers are sometimes not risk-managed at all.

There is space for a new way of looking at the relationship between a company and its vendors.

By assigning vendors to products or service lines whenever possible, it becomes easier to spot your requirements for each third party. As every product has a different risk profile, this approach can be an interesting tool to keep your risk analysis more grounded and flexible.

Vendors that do indeed play a key role (such as cloud providers) should still be considered critical and treated accordingly, but even non-critical third parties can and should be managed. 
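As an added illustration (not code from the original post or from any vendor's product), the Python below derives each vendor's required level of scrutiny from the products it actually serves, compares that with the "highest-risk activity" default described above, and keeps a floor for key vendors such as cloud providers. The product names, risk tiers and vendor mappings are constructed sample data.

```python
"""Product-oriented vendor tiering (added illustration, constructed data).

Assumes a hypothetical catalogue: each product carries a risk tier
(1 = low, 3 = high) and each vendor is mapped to the products it serves.
"""
from typing import Dict, List, Set

# Constructed sample data: product -> risk tier, vendor -> products served.
PRODUCT_TIER: Dict[str, int] = {
    "payments-api": 3,
    "customer-portal": 2,
    "internal-newsletter": 1,
}
VENDOR_PRODUCTS: Dict[str, Set[str]] = {
    "cloud-provider": {"payments-api", "customer-portal", "internal-newsletter"},
    "mail-merge-tool": {"internal-newsletter"},
    "payment-processor": {"payments-api"},
    "survey-widget": {"customer-portal"},
}
# Vendors that play a key role regardless of the mapping (e.g. cloud providers).
ALWAYS_CRITICAL: Set[str] = {"cloud-provider"}


def org_wide_tier() -> int:
    """The one-size-fits-all approach: every vendor inherits the tier of the
    organization's highest-risk activity."""
    return max(PRODUCT_TIER.values())


def product_oriented_tier(vendor: str) -> int:
    """Required tier = highest tier among the products this vendor serves.
    Always-critical vendors are pinned to the top tier; a vendor with no
    product mapping is still managed (lowest tier) rather than dropped."""
    products = VENDOR_PRODUCTS.get(vendor, set())
    tier = max((PRODUCT_TIER[p] for p in products), default=1)
    if vendor in ALWAYS_CRITICAL:
        tier = max(PRODUCT_TIER.values())
    return tier


def tier_table() -> Dict[str, int]:
    return {v: product_oriented_tier(v) for v in VENDOR_PRODUCTS}


def friction_reduced() -> List[str]:
    """Vendors whose requirements drop below the org-wide maximum once they
    are assessed against the products they actually serve."""
    top = org_wide_tier()
    return sorted(v for v, t in tier_table().items() if t < top)


if __name__ == "__main__":
    for vendor, tier in tier_table().items():
        print(f"{vendor:18} tier {tier} (org-wide default would be {org_wide_tier()})")
```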

5. Improved assessments of outsourcing costs

Over the last two decades, companies have shifted away from asking "should we outsource?" to focus more on "how should we outsource?" It's not without reason: hiring a vendor that is dedicated to doing a task is often cheaper than trying to do it yourself.

Businesses have always known that outsourcing comes with additional costs and overhead, but measuring this can be difficult. With cyber risk, this is even more challenging — especially with the tools that companies have been working with so far. An inexpensive vendor is not truly inexpensive if their supposed savings balloon into cybersecurity incidents.

Improving third-party cyber risk management with close collaboration and continuous monitoring also makes it easier to account for these hidden expenses, allowing businesses to move away from outsourcing or to choose better vendors. The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for this with the Secure by Demand initiative.

These are all positive trends, but results will not be immediate — especially when a culture shift is necessary, as is the case with collaboration. Understanding where we are now, setting clear goals, and communicating our intentions effectively will be important steps to find a way forward.