TL;DR: Annual questionnaires and static attestations are failing to reflect real third-party exposure, while SecurityScorecard cites 90% of practitioners lacking confidence in their third-party risk programs despite 85% calling them effective. The operational shift is away from box-ticking and toward continuous discovery, concentration-risk analysis, and SOC-linked response.
NHIMG editorial — based on content published by SecurityScorecard: modernizing third-party risk management with AI and threat intelligence
By the numbers:
- 90% of security practitioners lack confidence in their third-party risk programs, despite 85% claiming those same programs are effective.
- 17 minutes and as quickly as 9 minutes, cly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when third-party risk management stays questionnaire-based?
A: Questionnaire-only programmes miss real-time drift, hidden sub-processors, and changes in access scope.
Q: Why do third-party relationships create identity and access risk?
A: Third-party relationships create identity risk because external parties often receive real credentials or delegated access into sensitive systems.
Q: How do organisations know whether their vendor risk monitoring is working?
A: Vendor risk monitoring is working when changes in posture, access, or behaviour trigger action before the next scheduled review.
Practitioner guidance
- Implement continuous third-party monitoring Track vendor digital footprints continuously for leaked credentials, exposed services, domain changes, and unusual infrastructure signals instead of waiting for annual attestations.
- Map concentration and fourth-party dependencies Document which critical suppliers share the same cloud providers, SaaS platforms, or upstream service chains so correlated failure becomes visible before an incident.
- Integrate TPRM with SOC response Feed third-party risk signals directly into incident triage, playbooks, and escalation paths so the security operations team can act before vendor notifications arrive.
What's in the full article
SecurityScorecard's full analysis covers the operational detail this post intentionally leaves for the source:
- How TITAN AI is positioned to automate vendor discovery and prioritisation across large supplier ecosystems.
- The 30-day roadmap for moving from annual questionnaires to minute-by-minute monitoring and response.
- The specific way the vendor describes integrating SOC workflows with third-party risk signals.
- Examples of concentration-risk analysis across multiple vendors sharing the same cloud provider.
Third-party risk management: what continuous monitoring changes for teams?
Explore further
Static TPRM is now a governance liability: annual questionnaires and attestation workflows cannot keep pace with SaaS sprawl, fourth-party dependencies, or changing access paths. A programme can look effective on paper while remaining blind to the external signals that matter most. Practitioners should treat continuous evidence and external telemetry as the baseline for third-party governance.
A question worth separating out:
Q: Who should own response when a third-party supplier is exposed?
A: Ownership should sit with both security and the business, because supplier exposure affects operational continuity, data access, and contractual risk. Security should drive containment and prioritisation, while procurement, legal, and the service owner handle vendor engagement and accountability. Shared ownership prevents delays when a partner needs to be removed or constrained quickly.
👉 Read our full editorial: Third-party risk management is shifting from compliance to monitoring