Moving beyond compliance theater and guiding third parties to better cybersecurity outcomes


Every business wants their partners and vendors to be as secure as possible, but that's not always as easy as it sounds. Contracting a third party doesn't make a security challenge go away, after all – it just means someone else is dealing with it. Making matters worse, cybersecurity is proportionally more expensive for smaller businesses because compliance and other related features are often locked behind the most expensive SaaS subscriptions or software versions.
Most companies tackle this problem by setting up a sequence of filters, betting on complex onboarding processes that are tuned to weed out third parties that don't meet certain criteria or a minimum security "score." This can lead to clashes between cybersecurity staff and business teams who feel it's unfair to dismiss otherwise great vendors before they even have a chance to prove their commitment to the business and to cybersecurity improvements.
But what if we could align the business and cybersecurity incentives of everyone involved to guide the third party to better security outcomes? There is a way to make that happen. But we need to rethink our arrangements and leverage the technology available today to ensure that things move in the right direction.
The problem with standard TPCRM arrangements
We already have an in-depth blog post about what third-party cyber risk management looks like from the perspective of a third party. In a nutshell, many of the common approaches to managing third-party risk end up creating an adversarial relationship between the parties involved, as the third party has incentives to misinform or even outright lie to its clients. After all, the vendor does not want to lose any business!
In this situation, it's easy to see why third parties become defensive and feel reluctant to reveal anything beyond what they are comfortable sharing as part of standard procedures, such as certifications and audits like SOC 2. Unfortunately, those standard audits tell us very little about a business's capability to detect and respond to real threats.
Ross Young called this "compliance theater" in the LinkedIn post that inspired us to write about this topic. Being compliant with a set of standards is not the same as being secure. At best, you're doing the bare minimum. At worst, this compliance work may be taking the focus away from what needs to be done for better security outcomes.
When all is said and done, businesses end up entangled with a lot of busy work that accomplishes little of real value while resulting in an adversarial relationship with their partners and very limited visibility over their cybersecurity practices.
So, can we flip the script?
To achieve better security outcomes in third-party cyber risk management, we first need to find out what kind of metrics we can use to move beyond compliance work and checkboxes, and how to collect these data points. Fortunately, that's possible.
Gaining visibility, data, and metrics
Security is often about trade-offs, and IT infrastructure used to be diverse and enclosed inside corporate network perimeters. The industry did not settle for "compliance theater" because we all agreed that checkboxes were the optimal solution to manage third-party risk, but because it was the best trade-off given the risks involved and the environment that existed until some years ago.
The IT ecosystem is now much more connected and homogeneous. Many businesses use the same SaaS platforms for their internal chats, to collaborate on documents, to store files and backups, and even to build their external infrastructure. The traditional perimeter, with its bespoke software solutions and networking quirks, no longer exists.
Attackers have an easier time navigating the modern corporate network because they know what to expect and where to look for the data that is valuable to them. This has changed the threat landscape, making the old trade-offs obsolete.
The idea that a hacker would spend time on each network to look for valuable data used to be a bit absurd. Today? They know where the data is, and they have the tools to process that data, too. When third parties are hacked, it's not uncommon for the leaks to advertise the fact that the dataset contains files from many different businesses.
Thankfully, modern IT environments don't just make things easier for attackers. Defenders can use the commonalities to their benefit and manage third-party risk by using inside-out monitoring.
We can also combine inside-out monitoring with carefully selected external data points, such as the willingness of a partner to participate in vulnerability disclosure programs and other community efforts in the cybersecurity space.
Betting on better outcomes
Once your TPCRM program can collect signals linked to better security outcomes, through inside-out monitoring and other processes, the next step is getting the third party on board.
While you can just ask and hope that they will agree (which is quite possible if you already have a good working relationship), an interesting idea shared by Ross Young is to establish bonuses for third parties who demonstrate their commitment to fixing issues, patching vulnerabilities, or responding swiftly during incidents.
In other words, you'll have a service-level agreement (SLA) that rewards the third party for doing the right thing, showing an understanding that cybersecurity is not a fixed cost. Incidents and emergency patching can lead to unexpected expenses that can be challenging for the third party. But, if it's valuable that they act promptly, it makes sense to make sure they can afford to do so.
When third parties are being rewarded for doing the right thing, it could be easier to convince them to share data and agree to a shared monitoring approach. Cooperation, transparency, and actionable cybersecurity insights will lead to better outcomes.
Some businesses will opt to drop a third party that suffers a serious incident and then replace that vendor with another that will present the same certifications and pass the same compliance assessments. This disrupts the business and offers no guarantee of improvement, as the onboarding assessments will slowly become outdated once more.
While there are definitely situations in which moving on from a partner is the only viable course of action, it's essential to make sure that the next one will be working under the right incentives and guidance to do the right thing.