Can AI improve Third-Party Risk Management (TPRM)

Defense in Depth

Did you know AI can fill out your security questionnaire for you? Well, if you didn't, you've missed all cybersecurity marketing in the past two years. Eliminating the questionnaire grunt work is a significant milestone, but it's just the tip of the iceberg in how AI is empowering security professionals to reduce and manage risk. If that's just the beginning, where are the other big opportunities?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Jason Elrod, CISO, MultiCare Health System. Joining us is our sponsored guest, Nick Muy, CISO, Scrut Automation.

Supercharging teams

AI offers powerful ways to improve third-party risk management by helping teams make better, faster decisions. "In TPRM there are a lot of 'risk accepts' in place by the enterprise," said Rashique Mustahseen of Capital One. "One potential avenue for innovation would be to leverage AI models to aggregate the third-party risk data that sits in the enterprise system of record and provide threat intelligence on the risk accepts in the enterprise today. That data can be used to change the decision factors for risk accepts and influence mindset shifts across the enterprise regarding which TP risk the business should accept vs. remediate." Phillip Miller, CISO at Qurple, pointed to two areas where AI could "supercharge the humans in risk teams": "Collating, categorizing, and organizing the submitted content into a taxonomy that makes sense for your risk-based decision-making; and searches that can evaluate context vs. keyword queries to speed up reviews."

Shifting to proactive

Third-party risk management is a reactive checkbox exercise for many organizations. AI can shift this to a proactive, insight-driven function. “Predictive Risk Analysis incorporates AI to produce models that can forecast potential risks by analyzing historical data, identifying trends, and predicting vendor failures, cybersecurity breaches, and compliance violations,” said Eduardo R. Ortiz of Techtronic Industries. These emerging tools offer a level of risk assessment that wasn’t practical at the scale of human effort. “An AI agent could be designed to analyze vast amounts of data for each vendor to provide key insights about risk scoring and compliance metrics. It could also help to enhance risk prediction with real-time monitoring of each third party to flag unusual activities or disruptions,” said Mauricio Ortiz of Merck.

A unique opportunity

Cybersecurity has an opportunity to fundamentally reshape the scope of TPRM. Being proactive is part of that, as is the ability to adapt quickly to changing conditions. “There are a lot of opportunities from an AI perspective,” said Andrew Shea of CRFQ. “In the near term: third-party contract analysis—based on AI analysis of the contract, what tier should they be put into, what questions should be sent, and longer term what does continuous monitoring look like for them?” Kade Hennings of Mimecast sees AI playing a role in customizing risk reviews based on actual usage: “Training an AI on the various requirements that your company needs to adhere to for third parties, then having it map submitted documents and publicly available data to find the gaps. Using it in a way to suss out actual risk based on use rather than blanket assessing.”

A human in the legal loop

While AI may enhance third-party risk workflows, it doesn’t eliminate the need for human judgment, especially when it comes to legal accountability. “Automating risk management using AI does not fulfill legal obligations around the risks,” said Ahmed Abbas of Digital Macro Strategy Corporation. “It only morphs it into another form of risk and creates a higher opportunity for false positives. Most legal systems have caught up to how tick-the-box exercises don't stack up.”

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Scrut Automation

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Fridays!
Join us NEXT Friday [04-11-25] for "Hacking Social Engineering"

Please join us on Friday, April 11, 2025, for “Hacking Social Engineering: An hour of critical thinking about how a lack of controls is setting us up for financial loss.”

It all begins at 1 PM ET/10 AM PT on Friday, April 11, 2025, with guests Michael Scott, CMO, Trustmi, and Phil Beyer, Head of Security, Flex. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our sponsor, TrustMi

Security You Should Know
Securing the Software Supply Chain with HeroDevs

Open source is a bedrock of modern enterprise software. But support for various components is all over the place. The ecosystem doesn’t have the right incentives in place, leading to end-of-life security issues many organizations aren’t ready to address. When community support for open-source components dries up over time, what is your recourse?

In this episode, Aaron Frost, founder and CEO, HeroDevs, discusses how HeroDevs is addressing this problem by providing secure, drop-in replacements to give enterprises the time they need to safely transition to supported software. Aaron is joined by our panelists, DJ Schleen, head of security, Boats Group, and Russ Ayres, deputy CISO & head of cyber, Equifax.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Security You Should Know podcast, please go ahead and subscribe now.

BIG Thanks to our sponsor, HeroDevs

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Howard Holton, COO and industry analyst, GigaOm.

Thanks to our Cyber Security Headlines sponsor, Qualys

Cyber chatter from around the web...
Jump in on these conversations

"Now that I have worked as a one-man SOC, what's next?" (More here)

"What is the real value of threat modeling?" (More here)

"Experienced cyber pros: What are the most common tech and cyber terms that you have to regularly explain?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [04-11-25] Hacking Social Engineering

  • [04-18-25] Hacking the Evolving DDoS

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.