Traditional TPRM is broken. Point-in-time questionnaires, no shared truth, and hidden Nth-party risk create compliance theatre. Learn what must change.


Organisations have never spent more on supply chain security. They are pouring billions of dollars into Third-Party Risk Management (TPRM) programmes, hiring specialised teams, and deploying sophisticated procurement platforms. Yet we find ourselves in a startling paradox: despite record spending and increased board-level scrutiny, supply chain breaches continue to rise in both frequency and impact.
This disconnect suggests that the "TPRM problem" is not a result of insufficient budget or lack of effort. Rather, we are witnessing a fundamental structural failure.
The modern business ecosystem is a living, breathing, hyper-connected network of real-time digital relationships and cascading dependencies. However, the framework we use to secure it remains stubbornly rooted in the past. We are attempting to defend a dynamic, three-dimensional web using a static, siloed, and linear approach. By treating security as a periodic administrative hurdle rather than a continuous collaborative process, traditional TPRM has become a "billion-dollar blind spot"—a system that generates a mountain of paperwork but provides almost no real-world protection against modern, automated threat actors.
The first major crack in the foundation of traditional TPRM is the absence of a standardised assessment framework. In almost every other high-stakes industry—from aviation to finance—there is a common language used to measure safety and risk. In TPRM, however, we have an "every organisation for itself" mentality that creates a massive, unsustainable research burden. Because there is no centrally updated, industry-wide standard, every organisation is forced to act as its own security research body. In-house teams must spend hundreds of hours independently tracking shifting global regulations like DORA, NIS2, and GDPR, while simultaneously attempting to account for a hyper-mutating threat landscape filled with AI-driven exploits and zero-day vulnerabilities.
This lack of a “single source of truth” creates a staggering effort gap where the industry is trapped in a cycle of redundant administrative labour. When a thousand different companies independently update their bespoke spreadsheets to reflect the same new regulation, they are wasting collective intelligence on basic maintenance rather than active defence. This leads directly to a state of version fragmentation; when two different companies assess the same supplier, they are often measuring against two different "versions" of the truth. One company may be asking about the latest supply chain poisoning techniques, while another is still relying on a template that hasn't been refreshed in eighteen months.
The ultimate result of this maintenance dilemma is a dangerous time lag. In an era where a new or pre-existing vulnerability can be exploited at any time, the traditional model of manually researching, updating, and re-distributing a custom questionnaire is a relic of a much slower age. It transforms security professionals into accidental researchers, forcing them to spend their time chasing the tail of global regulation rather than managing risk. By the time a new threat is finally codified into an assessment, the adversary has likely already moved on, leaving the organisation perpetually and structurally one step behind.
The traditional TPRM process operates on the flawed assumption that a supplier’s security posture is a static quality that can be captured and preserved. In reality, a questionnaire response is "expired" the moment the "submit" button is clicked. It represents a single, fleeting moment in time—a snapshot of a vendor’s environment that is immediately subjected to the volatility of a modern digital business. In the hours following that assessment, a developer might push a new code update, a cloud configuration could be accidentally altered, or a fresh sub-processor could be added to the stack. None of these events, which represent the actual front lines of risk, are captured by a static document sitting in a procurement database.
This reliance on periodic reviews creates what can only be described as a "compliance window." For a brief period once a year, or perhaps every two years, an organisation manages its risk on paper to satisfy the requirements of an audit. However, this is followed by months of total operational blindness. While the risk profile of the supplier changes daily due to human failure, shadow IT, or shifting infrastructure, the client remains tethered to a piece of historical data that bears little resemblance to current reality. It is the digital equivalent of checking a building’s fire alarm once a decade and assuming the structure is safe every day in between.
Perhaps most damaging is that this "fire and forget" interrogation kills the possibility of meaningful collaboration. Traditional TPRM is built as a one-way street: the client asks, and the supplier answers. There is no mechanism for an ongoing, collaborative security dialogue that reflects the true nature of their partnership. Instead of security teams working together to defend a shared perimeter against a common foe, they are trapped in a cycle of formal, adversarial evidence-gathering. By the time a real-time failure occurs, the "snapshot" has long since faded, leaving both parties with a false sense of security that provides no protection when the crisis actually hits.
The structural failure of traditional TPRM is perhaps most evident in its narrow field of vision. In most programmes, visibility drops off a cliff immediately past the direct, Tier 1 suppliers. An organisation may feel secure because it has vetted its immediate partners, yet remain unaware of the web of sub-processors and Nth-party dependencies that sits just beneath the surface. In a modern economy where software and infrastructure are built on layers of external APIs and cloud services, the real risk often lies three or four links down the chain, well beyond the reach of a questionnaire that only asks a direct supplier to list its own sub-processors.
This lack of network visibility creates a massive, unmanaged concentration risk. Without a map of the whole ecosystem, organisations are systematically blind to hidden dependencies. It is entirely possible, and indeed common, for a dozen of an organisation's "critical" vendors to all rely on the same vulnerable 4th-party data centre or software library. When that single point of failure is breached, it triggers a cascading "house of cards" effect that traditional TPRM is powerless to predict or prevent. By focusing only on the direct relationship, companies are effectively locking their front door while leaving the communal foundation of the entire neighbourhood exposed.
Furthermore, this siloed approach creates a systemic blind spot that affects entire industries. Peer organisations often share the same underlying suppliers, particularly smaller, niche providers that offer specialised technical services. Because traditional TPRM treats every assessment as a private, isolated event, there is no way for these organisations to identify when they are all leaning on the same weak pillar. If one of these shared suppliers is compromised, the lack of collective visibility ensures that the entire industry remains vulnerable to the same single point of failure. We are effectively defending a fortress in total isolation, unaware that our neighbours are being breached through the very same tunnels we use every day.
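As an added example (not from the original article, and not any vendor's product), here is a small Python script that models the supplier graph the preceding paragraphs describe: direct suppliers, the sub-processors they declare, and the sub-processors of those sub-processors. All vendor names are hypothetical and the graph is constructed for the illustration. The script walks the graph to each Tier 1 supplier's full set of Nth-party dependencies, inverts it to show which Nth parties several direct suppliers share (the concentration risk), and lists the dependencies that a questionnaire sent only to direct suppliers would never surface.

```python
"""Map Nth-party dependencies and surface shared single points of failure.

Added example, not from the original article. The supplier graph below is
constructed for illustration and every vendor name in it is hypothetical.
"""
from collections import deque

# Constructed sample data: the organisation's direct (Tier 1) suppliers, and
# for each supplier at any tier the sub-processors it declares. Hypothetical names.
TIER1 = ["PayrollSaaS", "CRMCloud", "TicketDesk", "AnalyticsCo"]
SUBPROCESSORS = {
    "PayrollSaaS": ["AuthProvider", "NorthDC"],
    "CRMCloud": ["EmailRelay", "NorthDC"],
    "TicketDesk": ["AuthProvider", "EmailRelay"],
    "AnalyticsCo": ["DataLake"],
    "AuthProvider": ["NorthDC"],
    "EmailRelay": ["DNSVendor"],
    "DataLake": ["NorthDC", "DNSVendor"],
    "NorthDC": ["AuthProvider"],  # cycle: real supplier graphs have them
}


def transitive_deps(vendor, graph):
    """Return {dependency: tier} for everything reachable from a Tier 1 vendor.

    Tier 2 is a declared sub-processor of the vendor, tier 3 a sub-processor of
    that sub-processor, and so on. Breadth-first, so each dependency gets the
    shortest tier at which it appears; the visited check makes cycles safe.
    """
    tiers = {}
    queue = deque([(vendor, 1)])
    while queue:
        node, tier = queue.popleft()
        for dep in graph.get(node, []):
            if dep == vendor or dep in tiers:
                continue
            tiers[dep] = tier + 1
            queue.append((dep, tier + 1))
    return tiers


def exposure_map(tier1, graph):
    """Invert the graph: {nth_party: {tier1_vendor: tier at which it depends}}."""
    exposure = {}
    for vendor in tier1:
        for dep, tier in transitive_deps(vendor, graph).items():
            exposure.setdefault(dep, {})[vendor] = tier
    return exposure


def shared_single_points_of_failure(tier1, graph, threshold=2):
    """Nth parties that at least `threshold` direct suppliers depend on,
    ranked by blast radius (number of Tier 1 suppliers that would be hit)."""
    hits = [(dep, deps) for dep, deps in exposure_map(tier1, graph).items()
            if len(deps) >= threshold]
    hits.sort(key=lambda item: (-len(item[1]), item[0]))
    return hits


def invisible_to_questionnaire(tier1, graph, visible_tier=2):
    """Dependencies a direct-supplier questionnaire never sees.

    A typical questionnaire asks each Tier 1 supplier to list its own
    sub-processors (tier 2). Anything whose shortest path from every direct
    supplier is deeper than that is outside the programme's field of vision.
    """
    exposure = exposure_map(tier1, graph)
    return sorted(dep for dep, deps in exposure.items()
                  if min(deps.values()) > visible_tier)


if __name__ == "__main__":
    for dep, deps in shared_single_points_of_failure(TIER1, SUBPROCESSORS):
        via = ", ".join(f"{v} (tier {t})" for v, t in sorted(deps.items()))
        print(f"{dep}: {len(deps)} of {len(TIER1)} direct suppliers -> {via}")
    print("never surfaced by a Tier 1 questionnaire:",
          invisible_to_questionnaire(TIER1, SUBPROCESSORS))
```

On this constructed graph, the hypothetical AuthProvider and NorthDC sit beneath all four direct suppliers even though only two suppliers name each of them directly, and DNSVendor, which three of the four depend on, is never named by any direct supplier at all. Real programmes would populate the graph from supplier-declared sub-processor lists and then keep it current as those lists change, which is exactly the information a once-a-year questionnaire discards.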
The administrative weight of the traditional model has created a secondary crisis: a total erosion of data quality driven by assessment fatigue. High-value suppliers, particularly those providing critical digital infrastructure, are now inundated with thousands of nearly identical but technically distinct spreadsheets from every client in their portfolio. When a security team is forced to answer five hundred variations of the question "Do you have a password policy?", the process ceases to be a meaningful security review and devolves into a desperate race to clear an inbox. This leads to a "copy-paste" culture where suppliers prioritise administrative completion over honest, nuanced security reflection.
This dynamic creates a destructive negative-sum game for the entire industry: hundreds of organisations simultaneously spend thousands of hours assessing the same major service providers in total isolation, and nobody gains from the duplication. There is no shared utility or mutual recognition of effort; instead, a massive amount of technical talent is wasted on redundant data entry and verification. We have reached a point where some of the world's most talented security professionals have been effectively relegated to the role of "spreadsheet administrators." Instead of hunting for threats, building resilient architectures, or focusing on active remediation, these experts are trapped in a cycle of manual data processing that adds almost no defensive value.
The ultimate cost of this lack of engagement is the death of genuine security partnership. Because the process is so exhausting and repetitive, the relationship between client and supplier becomes transactional and often adversarial. Suppliers learn to provide the "minimum viable answer" to satisfy a procurement gatekeeper, while clients struggle to extract any actionable intelligence from a sea of generic "Yes" and "No" responses. By draining the human capital out of the process and replacing it with bureaucratic friction, traditional TPRM ensures that by the time an assessment is actually finished, the security teams on both sides are too depleted to do anything with the results.
One of the most profound ironies of traditional TPRM is that it treats security data as a "private secret" to be guarded behind strict Non-Disclosure Agreements (NDAs). While this practice is designed to protect a company’s reputation, it creates a structural transparency paradox that directly benefits the attacker. In the current model, a critical vulnerability or a "near-miss" discovered by one organisation stays trapped within a static PDF or a locked procurement portal. There is no mechanism to alert the rest of the ecosystem. Consequently, while the defenders remain silent, the adversary is under no such restriction.
On the dark web and in specialised forums, attackers operate with a high degree of collaboration, freely sharing intelligence on which suppliers are vulnerable and which entry points are most effective. This creates a massive adversarial advantage: the "bad guys" only have to solve the puzzle once to hit an entire industry, whereas the "good guys" must each solve the same puzzle in total isolation. By culturally, and in some cases even legally, barring defenders from sharing supplier risk data with their peers, traditional TPRM inadvertently provides a "safe haven" for systemic risks to linger and spread.
This vacuum of transparency also poisons the relationship between the client and the supplier. Because there is no platform for real-time, bidirectional interaction, the security teams on both sides exist in a state of mutual suspicion rather than joint defence. The relationship is characterised by an interrogation-style dynamic where the supplier fears that total honesty will lead to a lost contract, and the client fears that the supplier is hiding critical flaws. This adversarial standoff prevents the very thing required to stop modern breaches: a unified, collaborative front against a common foe. Without a shift toward open, real-time intelligence sharing, the defenders will continue to fight a coordinated enemy with a fragmented and siloed defence strategy.
The structural failures of traditional TPRM do not just affect the relationship between companies; they create profound dysfunction within the organisation itself. Because the process is so manual, slow, and data-heavy, TPRM is often relegated to a procurement or legal silo. In this environment, it is treated as a gatekeeping exercise—a "checkbox" that must be cleared before a contract can be signed—rather than an integrated component of Security Operations (SecOps). This creates a fundamental misalignment of incentives: procurement teams are measured by the speed of onboarding, while security teams are tasked with a review process that is inherently slow and friction-filled.
This friction creates a significant "speed penalty" for the business. When an internal team needs a new software tool to remain competitive, they are often met with a TPRM process that can take weeks or even months to complete. This delay incentivises business units to bypass security protocols entirely, leading to a surge in Shadow IT. Employees begin using unvetted SaaS applications and third-party services behind the back of the security team, creating an unmanaged and invisible attack surface. The very system designed to protect the organisation ends up driving risk into the shadows because it cannot move at the pace of modern business.
Ultimately, traditional TPRM turns the security department into the "Business Blocker." Instead of being a partner that enables safe growth, the security team becomes a bureaucratic hurdle to be avoided. This internal friction erodes the culture of security within the company and ensures that TPRM remains a detached, administrative function rather than a real-time defensive capability. By failing to integrate with the way modern businesses actually work, the traditional model ensures that security is always an afterthought, arriving too late to influence the decision-making process.
The inescapable reality is that the traditional TPRM model has reached its breaking point. As organisations shift from a handful of on-premise vendors to hundreds, or even thousands, of interconnected SaaS dependencies, the arithmetic no longer works: the "human-led spreadsheet" is no longer a viable tool for defence. It is a relic of a simpler era being applied to a world of unprecedented complexity. We have reached the limits of what manual data entry and periodic reviews can achieve; to continue down this path is to double down on a system that is failing by design.
Ultimately, traditional TPRM has devolved into a form of "Compliance Theatre." It is an expensive, resource-heavy exercise in liability transfer that is designed to satisfy auditors and provide legal cover, but it provides almost no resistance to a sophisticated cyber attack. It creates a comfortable illusion of control while leaving the back door to the enterprise wide open through the N-th party supply chain. We are spending more than ever to build a paper fortress, ignoring the fact that the digital landscape outside has already shifted to a model of continuous, automated warfare.
We cannot fix a foundation that was never built for a networked world. The industry must move beyond the era of static interrogation and enter an era of dynamic, collective defence. This requires a fundamental shift in architecture—away from siloed lists and toward real-time network visibility; away from proprietary spreadsheets and toward standardised, shared intelligence; away from broken TPRM and toward Active Supply Chain Security.