The prevailing model of third-party risk management is fundamentally adversarial. The customer organization sends a lengthy questionnaire demanding that the vendor prove its security posture. The vendor, viewing the process as an obstacle to closing or maintaining the deal, provides the minimum responses necessary to satisfy the requirements. Both sides endure the process grudgingly, and neither side believes it meaningfully reduces risk. This model persists because it is familiar and because regulators expect documented vendor assessments. But it is not the only model, and it is not the most effective one.
The Problem with Adversarial TPRM
When vendors perceive the assessment process as an interrogation, they respond defensively. They provide carefully worded answers designed to pass review rather than to transparently describe their actual security environment. They share the minimum information required and volunteer nothing additional. When they experience security incidents, their instinct is to minimize and delay disclosure rather than to proactively notify their customers.
This dynamic is counterproductive. The goal of TPRM is not to collect documents — it is to reduce risk. Risk is reduced when customers and vendors have transparent, timely information about threats, vulnerabilities, and incidents. Adversarial relationships actively work against this transparency.
Consider the October 2023 compromise of Okta's customer support system. Two customers, BeyondTrust and Cloudflare, each detected attacker activity against their own Okta tenants, traced it to a stolen support session, and reported it to Okta before Okta publicly confirmed the breach; in BeyondTrust's case the report went in more than two weeks before the public disclosure. The delay was partly a function of the adversarial vendor-customer dynamic: vendors minimize and delay bad news when they fear the consequences. A more collaborative relationship might have produced faster notification and narrowed the window of exposure. Note also where the detection happened: in the customers' own tenant logs, not at the vendor. Collaboration complements, rather than replaces, the customer's own monitoring of the accounts, sessions and integrations a vendor can reach.
NIST on Supply Chain Relationships
NIST Special Publication 800-161r1, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations," explicitly addresses the relational dimension of supply chain risk management. The publication recommends that organizations develop collaborative relationships with suppliers and service providers, emphasizing that effective supply chain risk management "requires a cooperative and mutually beneficial approach between the acquiring organization and its suppliers."
NIST recognizes that command-and-control approaches to supplier security are often impractical, particularly for organizations that lack the market power to dictate terms to large vendors. Instead, the publication recommends engagement strategies that include joint security planning, shared risk assessments, coordinated incident response, and mutual information sharing.
"Effective cybersecurity supply chain risk management requires collaboration and communication among stakeholders across the supply chain, rather than unilateral mandates from the acquiring organization." — NIST SP 800-161r1
What Collaborative Vendor Risk Management Looks Like
Shared Threat Intelligence
Organizations and their vendors face many of the same threats. Sharing indicators of compromise (IOCs), attack patterns, and vulnerability intelligence creates mutual benefit. When a customer observes phishing campaigns targeting their industry, sharing that information with vendors who handle their data helps those vendors defend against the same campaigns. Industry-specific Information Sharing and Analysis Centers (ISACs) provide established frameworks for this type of collaboration. Whatever the channel, label shared material with a handling marking such as TLP so each side knows what it may pass on to its own suppliers and what must stay between the two parties.
Joint Tabletop Exercises
Tabletop exercises that include both the customer organization and key vendors test the interfaces between organizations during a crisis. These exercises reveal gaps in communication plans, incident notification procedures, and coordinated response capabilities that no questionnaire can uncover. They also build personal relationships between security teams that facilitate faster, more effective communication when real incidents occur.
Breach Notification Agreements
Rather than relying on generic contract language requiring "prompt" notification, effective vendor relationships include specific, agreed-upon breach notification procedures. These should specify who contacts whom, through which channels, within what timeframes, and with what information. Two details matter in practice: the clock should start at detection of suspected compromise, not at the end of the vendor's investigation, and the agreed timeframe should leave the customer enough room to meet its own regulatory notification deadlines; and at least one agreed channel should be out of band, because the vendor's usual channel (a shared email platform or ticketing system) may be the very thing that was compromised. The emphasis should be on speed and accuracy rather than legal formality. Vendors who know exactly what their customer expects during an incident are more likely to deliver timely notification.
Collaborative Remediation
When a vendor assessment identifies a security gap, the traditional approach is to issue a finding and demand remediation by a deadline. A more effective approach offers assistance. If the customer organization has expertise in a particular security domain, offering to share knowledge, provide guidance, or even assist with implementation builds goodwill and produces better outcomes than a punitive finding report. This is particularly effective with smaller vendors who may lack the resources to implement complex security controls independently.
Positive Outreach Beyond Assessments
The only time many vendors hear from their customer's TPRM team is when a questionnaire arrives or when something has gone wrong. Proactive positive outreach — sharing relevant threat briefings, providing advance notice of changing requirements, inviting vendors to security events — transforms the relationship from transactional to collaborative. Vendors who feel valued as partners rather than treated as threats are more likely to go above and beyond in their security practices and transparency.
| Adversarial Approach | Collaborative Approach |
|---|---|
| 200-question audit questionnaire | Focused assessment with context-setting conversation |
| Demand for evidence with compliance deadline | Joint review of evidence with guidance offered |
| Finding reports with punitive tone | Remediation plans with shared resources |
| No contact between assessments | Regular threat intel sharing and engagement |
| Vendor minimizes incident disclosure | Vendor proactively notifies per agreed procedures |
| Vendor answers questionnaire defensively | Vendor shares openly based on mutual trust |
The FAIR Institute Perspective
The FAIR Institute has emphasized that effective risk management requires accurate information, and accurate information flows most readily through trusted relationships. When vendor risk is quantified using the FAIR methodology, the quality of the analysis depends on the quality of the inputs. Vendors who trust their customers are more likely to share the detailed threat and vulnerability data that FAIR analysis requires, such as actual incident frequency, specific control effectiveness, and real loss data from past events.
A vendor that fears punitive consequences will provide sanitized data. A vendor that participates in a collaborative risk management relationship will share data that enables more accurate risk quantification and better-informed decisions on both sides.
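To make the point concrete, the following is a simplified FAIR-style Monte Carlo in Python. It is an added example written for this page, not code from the page or from the Fair TPRM project, and every input range in it is a constructed, hypothetical number for one vendor scenario. Two sets of inputs are run through the same model: "sanitized", where the vendor answered defensively and the analyst had to fall back on wide industry priors, and "shared", where the vendor disclosed its actual incident history and per-incident costs so the ranges could be calibrated tightly.

```python
"""Simplified FAIR-style Monte Carlo to show how input quality drives the
quantified result. Example code written for this page, not part of the
Fair TPRM project; all input ranges below are constructed, hypothetical
numbers for one vendor scenario."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FairInputs:
    """Calibrated min / most-likely / max estimates for the two top-level
    FAIR factors: Loss Event Frequency (events per year) and Loss
    Magnitude (USD per event)."""
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_min: float
    lm_mode: float
    lm_max: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(inputs: FairInputs, years: int = 10_000,
                         seed: int = 7) -> list[float]:
    """Simulate `years` independent years. Each year draws a loss event
    frequency from a triangular distribution over the LEF range, the number
    of events that year from Poisson(LEF), and a loss magnitude per event
    from a triangular distribution over the LM range. Returns the sorted
    list of simulated annual losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = rng.triangular(inputs.lef_min, inputs.lef_max, inputs.lef_mode)
        events = _poisson(rng, lef)
        total = sum(
            rng.triangular(inputs.lm_min, inputs.lm_max, inputs.lm_mode)
            for _ in range(events)
        )
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_values: list[float], q: float) -> float:
    """Nearest-rank percentile on an already-sorted list (0 <= q <= 1)."""
    last = len(sorted_values) - 1
    idx = min(last, max(0, int(round(q * last))))
    return sorted_values[idx]


def summarize(inputs: FairInputs) -> dict[str, float]:
    """Return the 10th/50th/90th percentile annual loss and the 10-90 spread."""
    losses = simulate_annual_loss(inputs)
    p10, p50, p90 = (percentile(losses, q) for q in (0.10, 0.50, 0.90))
    return {"p10": p10, "p50": p50, "p90": p90, "spread": p90 - p10}


# Constructed inputs. "sanitized": the vendor answered the questionnaire
# defensively, so the analyst falls back on wide industry priors.
SANITIZED = FairInputs(lef_min=0.05, lef_mode=0.5, lef_max=2.0,
                       lm_min=50_000, lm_mode=500_000, lm_max=5_000_000)

# "shared": the vendor disclosed its real incident history (roughly two
# relevant events in five years) and per-incident cost data, so the
# ranges can be calibrated much more tightly.
SHARED = FairInputs(lef_min=0.2, lef_mode=0.4, lef_max=0.6,
                    lm_min=100_000, lm_mode=300_000, lm_max=800_000)


if __name__ == "__main__":
    for name, inputs in (("sanitized", SANITIZED), ("shared", SHARED)):
        s = summarize(inputs)
        print(f"{name:9s} p10={s['p10']:>12,.0f} p50={s['p50']:>12,.0f} "
              f"p90={s['p90']:>12,.0f} spread={s['spread']:>12,.0f}")
```

The model is deliberately minimal (a full FAIR analysis decomposes frequency into contact frequency, probability of action and vulnerability, and magnitude into primary and secondary loss), but it is enough to show the effect the text describes: the same method produces a 10th-to-90th percentile loss range that is several times wider on the sanitized inputs than on the shared ones, and a decision made on the wide range is correspondingly less informed.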
Sources & References
- NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations - NIST, 2022
- Third-Party Risk Management with FAIR - FAIR Institute
- Information Sharing and Analysis Organizations (ISAOs) - CISA
- BeyondTrust Discovers Breach of Okta Support Unit - BeyondTrust, October 2023
- How Cloudflare Mitigated Yet Another Okta Compromise - Cloudflare, October 2023