Actionable Third-Party Risk Management (TPRM) - Part 2


This post is Part 2 of 3 in a series on actionable TPRM. 

Read Part 1 in the series

Third-Party Threat Hunting

“Threat hunting” is a term used often in cybersecurity to describe how information security professionals proactively search their environment for signs of compromise rather than waiting for an alert to fire. It isn’t a matter of waiting to see whether the event happens. The same approach and attitude should be taken with your vendor and third-party risks.

About the authors

We are saddened to relate that co-author Denny Wan, a longtime and passionate member of the FAIR Institute community, recently passed away. Read more about Denny

Co-author Gregory C. Rasner is author of the recent book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting, and co-author Andrew Shea is founder of the CRFQ advisory firm.

Mathematical Inevitability of a Third-Party Incident

We cited earlier the alarming statistic: 98% of organizations report having a relationship with a vendor that has been breached in the past two years. At ninety-eight percent, that is essentially every company doing business with a vendor that has been breached, and the authors’ bet is that the remaining 2% have breached vendors whose breaches simply haven’t been discovered yet. This math leads to one conclusion: it is a mathematical certainty that your organization will face a third-party incident. Period. We used to hear that the only sure things are death and taxes; now that a third-party breach is just as inevitable, it makes no sense to assume it only happens to others. Actionable TPRM is essential.

Continuous Monitoring and Actionable TPRM

To build on this inevitability, and on the fact that many organizations lack an “actionable” TPRM program, a more active approach to risk management is required: Continuous Monitoring. These programs do what the name suggests: constantly watch, in near real time, the riskiest vendors in your portfolio for data and insights that can be acted upon. This isn’t just a matter of looking at a vendor’s ‘score’ in your vendor risk-rating tool. The score is a tool, not a program.

Actionable TPRM and Continuous Monitoring use those tools alongside internal data sources such as your SIEM, network security, IAM, and threat intelligence teams to identify specific threats and vulnerabilities. For instance, your vendor risk-rating tool might assign a vendor a “great” score, such as 95 out of 100. Do you understand which factors contribute to that score? Do you care what influences it? And how effective is a conversation with a vendor about their risk score being low or needing improvement? It is often unproductive and typically results in the vendor fixing the score, not addressing the cyber risks that matter most to your teams.

Actionable TPRM and Continuous Monitoring take a different approach. Suppose the same vendor risk-rating tool flagged a vendor with a botnet infection called Virobot (malware that logs keystrokes and exfiltrates data) and your own assessment also carried an open finding against that vendor for inadequate DLP controls. The two belong together: an exfiltration-capable infection is exactly the threat that DLP controls exist to catch. That pairing should prompt a meaningful discussion between your cyber and TPRM teams and the vendor’s cyber team about the risk and the response. Focusing on a specific threat, such as Virobot, that is linked to an existing vendor risk allows for productive conversations and action: your team can instruct the vendor to neutralize the botnet and close the open DLP finding as a priority. That is what we call Actionable TPRM.
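The correlation described above, written out as an added example (not code from the original post or from any vendor tool). It compares the score-only approach with one that pairs each observed threat capability with the open finding it can exploit. The vendor names, scores, signal records, finding identifiers and the capability-to-control mapping are all constructed for illustration; the Virobot signal mirrors the scenario in the text.

```python
"""Correlate continuous-monitoring signals with a vendor's open findings.

Added example, not code from the original post. Vendor names, scores,
monitoring signals, finding IDs and the capability mapping are constructed
for illustration.
"""
from dataclasses import dataclass, field

# Which control domains a given threat capability depends on being weak.
# An exfiltration-capable botnet matters most where DLP or egress controls
# are already known to be inadequate. (Illustrative mapping, not a standard.)
CAPABILITY_TO_CONTROLS = {
    "keylogging": {"endpoint_protection", "mfa"},
    "data_exfiltration": {"dlp", "egress_filtering"},
    "credential_theft": {"mfa", "iam"},
}


@dataclass
class Vendor:
    name: str
    score: int                                    # rating-tool score, 0-100
    signals: list = field(default_factory=list)   # external monitoring hits
    findings: list = field(default_factory=list)  # assessment findings


def score_based_escalations(vendors, threshold=80):
    """The approach the post argues against: escalate on the score alone."""
    return sorted(v.name for v in vendors if v.score < threshold)


def actionable_items(vendor):
    """Pair each observed threat with the open finding it can exploit.

    One item per (threat capability, open finding) pair, so the conversation
    with the vendor is about a specific threat and a specific control gap,
    not about moving a number.
    """
    items = []
    open_findings = [f for f in vendor.findings if f["status"] == "open"]
    for sig in vendor.signals:
        for cap in sig["capabilities"]:
            weak_controls = CAPABILITY_TO_CONTROLS.get(cap, set())
            for finding in open_findings:
                if finding["control"] in weak_controls:
                    items.append({
                        "vendor": vendor.name,
                        "threat": sig["name"],
                        "capability": cap,
                        "finding": finding["id"],
                        "action": (f"neutralize {sig['name']} and close "
                                   f"{finding['id']} ({finding['control']}) "
                                   f"as a priority"),
                    })
    return items


def correlation_based_escalations(vendors):
    """Escalate only where a live threat lines up with an open control gap."""
    result = {}
    for v in vendors:
        items = actionable_items(v)
        if items:
            result[v.name] = items
    return result


# Constructed portfolio: the vendor with the "great" score is the one that
# actually needs action; the lower-scoring vendor has no live threat.
PORTFOLIO = [
    Vendor("Acme Payroll", 95,
           signals=[{"name": "Virobot botnet infection",
                     "capabilities": ["keylogging", "data_exfiltration"]}],
           findings=[{"id": "F-0412", "control": "dlp", "status": "open"},
                     {"id": "F-0398", "control": "patching", "status": "closed"}]),
    Vendor("Beta Logistics", 72,
           signals=[],
           findings=[{"id": "F-0511", "control": "patching", "status": "open"}]),
]

if __name__ == "__main__":
    print("score-based escalations:", score_based_escalations(PORTFOLIO))
    for name, items in correlation_based_escalations(PORTFOLIO).items():
        for item in items:
            print(f"{name}: {item['threat']} + {item['finding']} -> {item['action']}")
```

Run as-is, the score-based pass escalates only Beta Logistics (score 72), while the correlation pass escalates Acme Payroll (score 95) with one concrete instruction: neutralize the botnet and close the open DLP finding. The keylogging capability produces no item because no finding in the endpoint or MFA domains is open, which is the point: escalate where a threat meets a known gap, not wherever a score dips.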

Zero Trust as A Strategy

Because an incident involving a third party is going to occur, you need a strategy for managing that risk. The most effective approach we know of for containing it is Zero Trust. It is precisely that: a strategy, not a technology or a tool. A vendor will not solve it for you.

Zero Trust replaces our previous, overly trusting models with the assumption that we “Trust No One,” just like in the old X-Files show. Every connection and user must be explicitly verified, and organizations must identify their most critical assets to ensure they are protecting what matters. The strategy needs more than a blog post to explain, but we have included a table from Gregory Rasner’s book on the subject to help break it down into understandable parts.

Zero Trust and Third-Party Risk

[Table: Zero Trust and Third-Party Risk; image not reproduced in this text]

From Zero Trust and Third-Party Risk: Reduce the Blast Radius; Gregory Rasner; Wiley, 2023; pp 38-39.
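To make “every connection and user must be explicitly verified” concrete for a third-party connection, here is an added example of a default-deny access decision (not code from the original post or from Rasner’s book). Asset tiers, vendor identities, entitlements, session limits and the request fields are all constructed for illustration. The source network is carried along for logging but never grants access: a request arriving over the “trusted” VPN without verified MFA is refused exactly as one from the internet would be.

```python
"""Default-deny access decision for a third-party connection.

Added example, not code from the original post or from Rasner's book.
Asset tiers, vendor entitlements, session limits and request attributes
are constructed for illustration.
"""
from dataclasses import dataclass

# Identify what matters most: only listed assets are reachable at all, and
# critical ones carry tighter conditions.
ASSET_TIER = {"payroll-db": "critical", "ticketing": "standard", "wiki": "low"}

# Least privilege: a vendor identity is entitled to named (asset, action)
# pairs and nothing else. Anything not listed is denied.
ENTITLEMENTS = {
    "acme-payroll-svc": {("payroll-db", "read")},
    "beta-logistics-svc": {("ticketing", "read"), ("ticketing", "write")},
}

# Maximum session age in minutes before re-verification is required,
# by asset tier. A stolen session against a critical asset expires soonest.
MAX_SESSION_AGE = {"critical": 15, "standard": 240, "low": 480}


@dataclass(frozen=True)
class Request:
    identity: str
    asset: str
    action: str
    mfa_verified: bool
    device_compliant: bool
    session_age_min: int
    source_network: str  # recorded for context only; never grants access


def decide(req):
    """Return (allowed, reason). Each request is verified on its own merits,
    regardless of where on the network it comes from."""
    if req.identity not in ENTITLEMENTS:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "identity not explicitly verified (MFA)"
    if not req.device_compliant:
        return False, "device posture not compliant"
    if req.asset not in ASSET_TIER:
        return False, "unknown asset"
    if (req.asset, req.action) not in ENTITLEMENTS[req.identity]:
        return False, "not entitled to this asset/action"
    if req.session_age_min > MAX_SESSION_AGE[ASSET_TIER[req.asset]]:
        return False, "re-verification required for this asset tier"
    return True, "verified"


def blast_radius(identity):
    """Assets reachable if this vendor identity were fully compromised.

    With per-asset entitlements the answer is the entitlement list itself;
    with a flat 'trusted vendor network' it would be everything on it.
    """
    return sorted({asset for asset, _ in ENTITLEMENTS.get(identity, set())})


if __name__ == "__main__":
    samples = [
        Request("acme-payroll-svc", "payroll-db", "read", True, True, 5, "corporate-vpn"),
        Request("acme-payroll-svc", "payroll-db", "read", False, True, 5, "corporate-vpn"),
        Request("acme-payroll-svc", "ticketing", "read", True, True, 5, "internet"),
        Request("acme-payroll-svc", "payroll-db", "read", True, True, 30, "corporate-vpn"),
    ]
    for r in samples:
        print(r.identity, r.asset, r.action, r.source_network, "->", decide(r))
    print("blast radius of acme-payroll-svc:", blast_radius("acme-payroll-svc"))
```

The second sample is the one to notice: same identity, same asset, same VPN, but no verified MFA, and it is denied. The fourth is denied because a 30-minute-old session exceeds the 15-minute limit for a critical asset. `blast_radius` is the book’s subtitle in code: the worst case for a compromised vendor credential is bounded by its entitlements rather than by network reach.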

 
