What does Third-Party Cyber Risk Management mean for third parties?


We nearly always examine Third-Party Cyber Risk Management (TPCRM) from the viewpoint of a first party. In other words, it's about how a company detects, prevents, and responds to risks arising from its third parties. That doesn't necessarily mean, however, that this process is transparent to the third parties themselves.
As a vendor, for example, you'll quickly gain some basic understanding of your customers' approach to TPCRM. Early on, they may ask you to provide information in self-assessment questionnaires (SAQ), or maybe they'll request documents about certifications.
This process can appear quite adversarial, but it should not be. Sometimes it can be difficult to ascertain exactly what the customer wants, especially when questionnaires can be broad and somewhat vague, and certifications are similarly linked to organization-wide processes and practices, not specific risks.
Even third parties that aren't vendors can be subjected to TPCRM programs. Joint ventures and partnerships are sometimes the best way to bring certain products or services to market, and this also connects multiple companies (as well as their third parties) in one expanded IT ecosystem. TPCRM is necessary to mitigate risk in such scenarios, and it will have some impact on the organizations involved.
Despite the lack of assertiveness in some of these approaches, they're common enough that third parties get used to them. On the other hand, when a client asks for something new or unusual – like the implementation of a continuous monitoring solution – third parties might get apprehensive. In reality, it should be the other way around. SAQs and audits have a cost and provide little value, while inside-out monitoring provides value at little to no cost to the third party.
Inside-out continuous monitoring is a great approach to TPCRM, as it leverages the existing relationship between a vendor and their customer to build a channel for sharing information on security issues. The issues are well-defined, and so are the steps for their remediation, resulting in a positive security outcome for both parties.
Because continuous monitoring offers near real-time data, it provides value to the vendor, too. Unlike SAQs or audits, which quickly become outdated, continuous monitoring fetches data at regular intervals (usually every day), so it can help vendors by notifying them about regressions or mistakes in security controls.
Let's review how each approach to TPCRM impacts third parties.
Security Questionnaires (SAQ)
Questionnaires are necessary in many circumstances — such as when assessing company policy and other subjective criteria — but they have many downsides.
The main downside of security questionnaires is the time it takes to answer them. If you could answer or update a questionnaire every day, it would arguably be more useful. However, the time it takes to fill out a questionnaire makes this impractical.
This is particularly true because third parties are typically subjected to a different questionnaire from each first party, often delivered through different online platforms. This heterogeneity further erodes any economies of scale a third party might otherwise gain as the number of questionnaires it receives grows.
A vendor will have to pay for the time it takes to answer a questionnaire. Even if no money is changing hands and there's no security vendor involved in this process, there's still a labor cost associated with them.
Unfortunately, the return on this investment is often very poor. An SAQ will probably not bring about a better security outcome for the vendor. We’ve seen companies build dedicated teams of security professionals whose focus was on handling received questionnaires, audits and other assurance activities. Wouldn't it be much better for everyone if those professionals were instead working on implementing additional security controls in the third-party environment, reducing the risk it poses to itself and to others?
The first party may opt for a different vendor based on the answers given on the questionnaire, and they don't know for how long the answers will represent the truth – if they ever did. Because of this, the choices made based on questionnaire information tend to be less than optimal.
Audits and penetration tests
Audits and penetration tests can bring about positive security outcomes by finding security issues or shortcomings in how a vendor approaches security. They can surface issues that were previously unknown to the third party, leading it to address them and reduce risk. However, this comes at a very high cost, making them a poor choice for assessing an organization's security posture over time.
Penetration tests also have the potential to cause operational impact, or to lead to the penetration testers gaining access to data belonging to other first parties, even when executed in staging or test environments.
These processes can be very adversarial, which means the vendor may decide not to cooperate with the audit to the full extent of its capabilities, or may implement more restrictive security controls only on the assets that are likely to be examined by a penetration test. This can create blind spots that prevent both parties from finding internal weaknesses that, if addressed, would increase their cyber resilience.
Security Scoring
Security scores are typically calculated with outside-in monitoring, which means the evaluation is based only on what can be seen on the subset of the external attack surface that the scoring provider happens to discover. This is almost always grossly incomplete, and in particular misses cloud (IaaS, PaaS and SaaS) infrastructure that may be a critical part of the third parties’ external attack surfaces.
More importantly, this outside-in focus provides little visibility into internal controls and the infrastructure that houses corporate data, which might be in a completely different environment. Disciplines like IAM (e.g. 2FA enforcement and privilege management), endpoint security, at-rest encryption, logging and internal network segmentation are all but invisible to outside-in testing.
A study by Tenchi Security found that outside-in tests like the ones performed by traditional scoring services cover at most 20% of controls in the CIS Critical Security Controls framework.
The score might also be based on metrics that are not important to you as a vendor or to your customers. Your score might be low because it's looking at something that's just not relevant to your operations, or maybe it's high because it's only looking at the least complex part of your infrastructure.
We’ve talked to numerous third-party CISOs reporting how this really hurts their risk management priorities. Instead of focusing on more critical projects, like rolling out 2FA, they had to spend their political capital, team focus and budget on fixing much less relevant security issues that are being reported as critical by security scores that their customers consume. One of the vendors infamously demotes your score if the copyright on your web pages is out of date, for example.
Continuous inside-out monitoring
Some vendors can feel uneasy about continuous inside-out monitoring when they learn it requires a setup with a few read permissions. However, a well-designed solution like Zanshin is safe and does not collect or share business data. This is essential, as both parties must respect the boundaries of their business relationship.
Once the initial setup is done though, a third party will receive valuable and much more comprehensive information regarding their actual security posture. The biggest benefit of inside-out monitoring is that it can detect well-defined issues, often with known remediation steps, in a timely manner.
This approach finds real security issues, with a clear trail to demonstrate where the problem lies. Once issues are fixed, the result is a very positive security outcome – for the vendor, which closed a security weakness, and for the first party, which is making their greater IT ecosystem more resilient.
Since the first party pays for this service, the vendor will have access to free reports and actionable alerts that will help them overcome the cyber poverty line. Many smaller vendors might not be able to afford or justify the cost to run similar tools on their own.
In other words, this allows the vendor to grow while avoiding costly security investments.
This is a key difference in this approach: it is not adversarial. The vendor has a detailed view of the issues that have been found, allowing them to grasp why they must be fixed and how each of these potential weaknesses is concerning to their customers. We believe this focus on collaboration and real-world security practices brings about the best results in third-party cyber risk management.