The TPRM tragedy of the commons
Without the right connective tissue between the two functions, risks will fall through the cracks. Third-party risk management (TPRM) has historically been one of the areas most often given short shrift because of that disconnect, and the gap is poised to widen in the post-Mythos era.
Further complicating the issue, the vendor management office is often on its own island, while the business owner who actually holds the relationship with the third party may not see security as something they need to actively manage. All of these connections, with no clear line of security responsibility, contribute to a tragedy of the commons in which everyone "owns" the risk but nobody really does.
The result is what we at Bitsight like to call the no-man's land of TPRM. Before Mythos, this operational desert created regrettable inefficiency and elevated risk. Now, the no-man's land could become the weakest link in cyber risk management. It will delay closing exploitable…