Peer-Driven Insights

Third Party Risk Management (TPRM)

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Community Posts

My vendor experienced a major breach — should I continue with them?

Read More Comments

My agency is looking for a system and operations center to prevent exfiltration of data. We have looked at Varonis and Blackfog. Any thoughts on these products or are there any suggestions of other products?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

If your org uses third-party IoT solutions, what criteria do you use to assess those vendors' security practices?

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Read More Comments

Does your security awareness training address files shared over communications platforms like Microsoft Teams?

Yes80%

No18%

Other (comment below)1%

View Results

“Risk needs to be quantified in monetary value.”

Strongly agree15%

Agree63%

Neutral17%

Disagree3%

Strongly disagree

Other (explain in the comments)

View Results

How can infosec leaders/CISOs get their org to shift from a legacy security strategy that’s more compliance-focused to one that’s focused on risk reduction?

Read More Comments

How are you thinking about vendor risk management when it comes to vendors leveraging generative AI? Do they require a different approach, or is your current vendor risk strategy adequate in these cases?

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments

Do you have a security questionnaire for all third parties you partner with? How long is it?

Read More Comments

Are you reevaluating your software supply chain security strategy?

We have recently updated our strategy.21%

Yes48%

No, but I expect we will reevaluate our strategy.20%

No9%

Other (please share in the comments)

View Results

Which Vendor Risk Ratings platform do you use? BitSight Security Scorecard Venminder Other/Comments?

What best practices have you found for taking inventory of all the systems and applications in your organization (including shadow IT)? How are you tracking and managing your inventory?

Read More Comments

Is there any guidance how to manage fourth-party n-th party cyber risk management. Can anyone share their experiences going beyond C-TPRM?

How do you foresee the data security and privacy landscape changing over the course of 2023?

Read More Comments