
“Who still relies on spreadsheets to manage their suppliers? Who only performs third-party risk management once a year? And who finds it challenging to engage business stakeholders throughout the process?”
These three questions from Diligent’s Jelle Groenendaal, Co-founder of the firm’s 3rdRisk business, elicited raised hands and nods all round during another fascinating RANT roundtable. No one likes managing suppliers. But it’s an increasingly critical endeavour. According to BlueVoyant’s 2025 State of Supply Chain Defense report, 97% of global organisations experienced at least one supply chain breach in 2025 — up from 81% the prior year.
The stakes don’t come much higher than the supply chain of a nuclear submarine. That’s the world that guest speaker Helen Quinlan, Head of Cyber Risk at BAE Systems, lives in. She admitted that it can be “mind bogglingly” complex.
“We have a large and complex supply chain. One of the main complexities is around the continuous monitoring of suppliers,” she said. It would be a matter of national security if ownership of a key supplier were transferred to a hostile nation, for example, Quinlan explained.
It’s not just about the ownership of vendor partners but also access to critical services that security leaders must consider when evaluating suppliers, suggested another attendee.
“There’s a lot more geopolitical instability than we’ve had in my lifetime; so every company from a resilience perspective has an interest in considering what happens if a critical service or resource or component is suddenly denied for geopolitical reasons,” they argued. “The supply chain plays a significant part in an organisation’s resilience.”
The security leaders around the table shared various approaches to TPRM. One said they build disclosure rules covering “material changes” into contracts, which meant that when one of their legal-services suppliers was hit by ransomware, the supplier was obliged to disclose it.
Another advocated “defence in depth”, including questionnaires, continuous monitoring, contractual clauses and incident response testing. Diligent GRC Sales Director, Tom Ryan, added that AI-powered third-party risk intelligence is useful because scorecard-based systems often don’t pick up the reality of what’s happening inside a supplier.
“Everything looked really good, but our AI monitoring found employees complaining about the culture, about the practices of their information security team, on a forum,” he explained of one customer engagement. “That’s not what the company is showing to the world.”
Another CISO at the table bemoaned the “scorecard complacency” of many organisations. “Scorecards look wonderfully green until you cut through and they’re red in the middle,” they said.
Most attendees agreed that questionnaires should only be the starting point, the first stage in a multi-layered TPRM process. They can be made more insightful with AI tooling that analyses not just the answers themselves but also how the questions were answered, flagging risk indicators such as evasive or boilerplate responses.
“It’s not perfect, but if you’re able to capture the data there are ways to be able to spot indications of misinformation and fake evidence,” said one CISO.
Engagement was a recurring theme on the night — both in terms of communicating with the business and reaching out to suppliers. One security leader complained that their suppliers are mainly “one-man bands” with limited cyber awareness, which makes it difficult to gain true visibility into risk. Another, who works in manufacturing, said it’s also challenging to engage when faced with a culture of “I know how to run my factory”.
A third CISO argued that collaboration with business leaders internally is essential.
“You can’t do it if you’re locked in a cupboard all day. They’re the only ones who can assess how critical a supplier is,” they said.
However, sometimes suppliers are so big that they refuse to engage with questionnaire-led TPRM efforts. Several security leaders bemoaned the larger SaaS players that simply direct such requests to their “trust centre”. “It’s hard to get the nuanced answers I need this way,” said one. Another suggested, “It’s not necessarily the big [SaaS] suppliers I worry about, it’s the next tier down.”
If the big SaaS players won’t answer, you can always work out a backup plan, suggested one senior security leader, explaining that they often offer IR tabletop and live simulation exercises as part of supplier engagement. Among other things, this can expose the gaps between what a supplier expects its customer to do during an incident and vice versa, one attendee said.
However, another bemoaned tabletop exercises featuring overzealous participants with a “Tom Clancy complex” who try to construct implausible chains of events to wargame. This ultimately undermines business confidence in the exercise, they argued, adding: “It has to be within the realms of possibility. It has to have value.”
Another said that, partly for these reasons, their security team establishes one rule up front: “Don’t challenge the scenario, take it as real.”
Yet most seemed to approve of the idea of incident response testing as a way to lower third-party risk.
“The problem is we’re never going to solve this problem because we’ll never have anything other than an opaque boundary with our suppliers. It comes down to trust, and the fact is we trust our suppliers far too much,” argued one CISO. “When we’re looking at our resilience, we don’t look at the ‘what-ifs’ and contingencies that we need to be able to deal with enough, particularly for the minimum viable business.”
Perhaps most important to effective TPRM is getting engagement from senior management, because if the board isn’t on board, money simply will not be made available for these initiatives. BAE Systems’ Quinlan asked how those around the table approach this.
One lesson that emerged from the discussion is that visibility must be the first step to driving this type of engagement. “We see near misses every other day,” shared one CISO. “We collect a lot of data which goes up to the board, so they are throwing money at it.”
Another argued that regulators make it important for the board, as does brand reputation and “how seriously the entity takes its business”. A £30m bank that “can’t afford to go down” is more likely to have a board receptive to TPRM as a critical exercise than smaller players, they suggested.
However, this isn’t always easy in larger conglomerates. One complained of “mixed signals” between corporate group leadership and the individual operating companies.
“At a group level it’s a huge focus. But the people that are paying for it on the ground say, ‘we know it’s really important, but we don’t have any money’,” they explained.
The good news is that tooling is improving to the point where AI can do much of the heavy lifting for teams, concluded Diligent’s Groenendaal. The right tools can remove the pain of spreadsheets, help risk leaders engage business executives through things like customised chatbots, and give them a “continuous multi-disciplinary overview of risk” via Diligent’s Third-Party Risk Management (3rdRisk) and broader enterprise risk management capabilities.
“I’ve worked with many systems myself and they’re all boring. You feel like you’re going back to the 90s,” they added. “But with AI there are so many things we can improve.”
Ready to simplify third-party risk management? Explore Diligent Third-Party Risk Management (3rdRisk) to centralize vendor oversight, automate assessments and continuously monitor supplier risk in one platform.