Robust cybersecurity frameworks are critically important, and third-party risk management (TPRM) was once a central component of these defense strategies. Based on how it’s practiced today, that time has passed.
Originally conceived as a proactive measure to safeguard sensitive data and strengthen digital infrastructures against external risks, TPRM has devolved into a checkbox exercise that values form over substance.
This transformation from meaningful evaluation to superficial compliance isn’t just a failure of purpose; it’s an invitation to cyber threats. But let’s be clear: This is a mess we all helped create.
The security industry, in trying to align with business expectations, deferred too often to audit-driven frameworks. Auditors, in turn, prioritized documentation and repeatability over real-world security outcomes. The result? We hollowed out TPRM’s original purpose and built an entire industry on the illusion of security.
Checkbox culture: Symptom of a larger cybersecurity issue
This “checkbox mentality” has become a self-imposed burden within TPRM and a symptom of a larger problem in cybersecurity risk management.
TPRM and security questionnaires were originally developed to ensure thorough vetting of third-party relationships and genuine risk mitigation. But these tools have expanded into complex, redundant, and sometimes nonsensical documents that are more about optics than protection. Rather than adding value, they often serve as bureaucratic gestures toward compliance, adding little insight into real risks.
The irony is that this auditing process has led to a false sense of security. Companies believe that by completing these checklists, they’ve covered their bases when in reality they’re still exposed to risks these processes were designed to mitigate. This isn’t just ironic; it’s reckless, and we allowed it to happen.
The consequences of this checkbox culture extend beyond ineffective risk management and have led to “questionnaire fatigue” among vendors. In many cases, security questionnaires are delivered as one-size-fits-all templates, an approach that floods recipients with static, repetitive questions, many of which aren’t relevant to their specific role or risk posture.
Without tailoring or context, these reviews become procedural exercises rather than meaningful evaluations. The result is surface-level engagement, where companies appear to conduct due diligence but in fact miss critical insights. Risk profiles end up looking complete on paper while failing to capture the real-world complexity of the threats they’re meant to address.
Getting to the root of the problem
The surge of TPRM tools has automated much of what was once a manual, resource-intensive process. These platforms were developed to simplify the creation, distribution, and completion of security questionnaires, addressing the operational burden organizations often face when conducting third-party risk audits. While they’ve brought much-needed efficiency, they’ve also unintentionally reinforced a checkbox approach to third-party risk, with many assessments falling short in delivering meaningful insight.
And here’s the kicker: None of the core regulatory frameworks — ISO 27001, PCI, NIST CSF, NIST 800-53, or SOC 2 — require a security questionnaire process at all.
As Jadee Hanson, CISO at Vanta, puts it: “We received guidance that emphasized compliance over security, and we collectively adopted it without much scrutiny.” In other words, we took loosely defined expectations around oversight and invented the most inefficient, bloated processes imaginable, not because we had to, but because we didn’t know what else to do. In chasing auditability, we lost the plot. Today, TPRM has become a business model that thrives on process over outcomes and optics over effectiveness. It prioritizes fear of penalty over pursuit of real security.
The checkbox mentality ultimately reveals another deep-rooted problem: whether the individuals managing TPRM are actually equipped to assess the risks they’re tasked with evaluating.
Governance, risk, and compliance (GRC) professionals are typically at the helm of TPRM, balancing regulatory demands with cybersecurity goals. But reliance on checkbox compliance raises serious questions about whether these gatekeepers have the necessary specialized training and expertise to truly understand evolving threats and vulnerabilities. This isn’t about their dedication, to be sure. It’s an indictment of a system that values compliance over genuine risk insight. We’ve built a structure that assigns critical cybersecurity responsibilities to individuals who may lack the necessary depth of understanding to assess threats fully.
How to fix third-party risk management
To break away from this harmful cycle, organizations must overhaul their approach to TPRM from the ground up by adopting a truly risk-based approach that moves beyond simple compliance.
This requires developing targeted, substantive security questionnaires that prioritize depth over breadth and get to the heart of a vendor’s security practices. Rather than sending out blanket questionnaires, organizations should create assessments that are specific, relevant, and probing, asking questions that genuinely reveal the strengths and weaknesses of a vendor’s cybersecurity posture. This emphasis on quality over quantity in assessments allows organizations to move away from treating TPRM as a paperwork exercise and back toward its original intent: effective risk management.
Beyond improving questionnaires, organizations must cultivate a culture of transparency and collaboration with their vendors. TPRM works best when it’s a two-way street where vendors are seen as partners in achieving mutual security goals. A collaborative approach encourages honest, accurate responses instead of rushed, superficial checklist completion.
One way to support this transparency is by encouraging vendors to maintain up-to-date Trust Centers, which can provide meaningful, easily accessible data about their security posture. When vendors are treated as active participants in an organization’s cybersecurity posture, they’re more likely to engage in meaningful ways. This culture shift, from seeing vendors as mere service providers to strategic partners, has the potential to transform TPRM from a check-the-box activity into a proactive and effective part of cybersecurity.
Rethinking TPRM means redefining the role of GRC professionals: not as compliance enforcers, but as cybersecurity-informed risk partners. This shift isn’t just about upskilling internally; it’s about creating shared clarity between parties. As Vanta’s Hanson puts it, “To make this more of a value-added exercise, we should be including signed-off agreements on standard controls and facilitating the exchange of user control considerations … and making sure those are well understood by the buyer.”
That last part is key. Real TPRM isn’t just assessing a vendor’s security; it’s ensuring the buyer knows their responsibilities, too. When both sides understand what they own, the relationship moves from compliance theater to true joint defense.
The checkbox mentality that has taken over TPRM is a problem we created, but it’s also one we have the power to fix. By adopting a more thoughtful, strategic approach to TPRM, organizations can move past the compliance-driven processes that dominate today’s practices. Leaders need to recognize that the current approach is failing us, leaving us open to risks that surface-level compliance was never designed to manage. By challenging the status quo and investing in comprehensive, risk-based strategies, organizations can reclaim TPRM as an essential part of their security programs.