Analysis

Beyond Assurance: Turning Suppliers Into Your Biggest Security Enabler

In this second article in our series "Breaking down Silos: The Power of Collaboration in TPRM", we explain how enhanced collaboration with suppliers can overcome many of the current shortcomings with TPRM, enabling faster incident response, deeper supply chain insight, and a stronger collective defence against supply chain cyber threats.

Supply chain cybersecurity faces mounting pressure, with over 60% of organisations experiencing breaches tied to their third-party suppliers. Unfortunately, traditional Third-Party Risk Management (TPRM) tends to compound this vulnerability via a lack of collaboration between clients and their suppliers. 

In this second article in our series exploring the human and collaborative challenges within TPRM—and the pathways to resolve them—we turn our attention to suppliers. Strengthening collaboration with these critical partners offers a practical solution to the inefficiencies and isolation that hinder effective risk management, delivering measurable improvements in security.

The Current State of Affairs: How TPRM Treats Suppliers

Today, companies tend to view their suppliers as risks rather than as security enablers. Because of this, there is an industry-wide trend of approaching TPRM as a one-to-one security assurance exercise: essentially, each company audits each of its suppliers on an individual basis.

This approach, while necessary, can foster tension rather than trust, because an assurance process is by its nature rooted in a culture that regards suppliers as potential cyber risk factors. Since assessments are also commonly conducted during onboarding, suppliers often rely on the procurement or sales staff involved in the onboarding process to relay security questions internally. As a result, the security teams at organisations seeking to assure the security of their suppliers rarely come into direct contact with the security teams at those suppliers. This hampers effective risk management and prevents the building of strong relationships that could be nurtured over time to the benefit of both sides.

What’s more, this isolated approach to TPRM, where each client assesses its suppliers individually, places constant strain on suppliers, who must answer numerous different security questionnaires for their various clients. This stretches their resources and ultimately leads to assessment responses that are completed in haste and with insufficient care.

This then creates a domino effect in which clients must spend excessive time validating answers and chasing evidence, often without even having the correct contact details for the relevant team or function on the supplier side.

The sheer volume of requests also means suppliers are forced to prioritise—reserving their limited time and attention for a small number of high-value clients, often leaving other assessment requests delayed or incomplete. 

What Needs to Happen to Improve the Situation

To turn this around, there needs to be a paradigm shift in the client-supplier TPRM relationship, one in which suppliers are treated as partners and security enablers, not inherent liabilities. This starts with building direct relationships with suppliers’ security teams.  

Knowing precisely whom to contact—whether to seek clarification on a control or to coordinate an urgent response to a new vulnerability—creates a reliable channel for dialogue, ensuring that security concerns are addressed by those best equipped to handle them.

Furthermore, organisations have an opportunity (and some might even say a responsibility) to support smaller suppliers in strengthening their security practices. Many of these suppliers are resource-constrained and may lack the expertise or tools to meet rigorous standards independently.

In such cases, rather than penalising them for deficiencies, organisations can offer guidance. This proactive support shifts the dynamic from blame to improvement, demonstrating to suppliers that their client wants them to succeed and is willing to help them adopt up-to-date cybersecurity practices and meet expectations.

Overcoming Key TPRM Shortcomings Through Enhanced Collaboration with Suppliers

As we’ve said, developing strong relationships with suppliers, in particular their security teams, offers a range of advantages that directly address the most persistent shortcomings with traditional TPRM. When a new threat surfaces, having direct access to those teams enables organisations to obtain critical information far more rapidly than through conventional channels. 

Beyond speed, these relationships help build a level of trust that encourages suppliers to share valuable insights about their own supply chains. This openness provides a clearer view of the extended network of dependencies and risks, including those stemming from fourth and fifth parties that might otherwise go unnoticed.

Collaboration also enhances overall engagement and responsiveness. When suppliers are treated as partners, they tend to respond with greater care and commitment. The result is a more reliable exchange of information, grounded in mutual respect rather than obligation.

Another significant benefit lies in the ease of maintaining continuous oversight of suppliers’ security postures. With open, regular communication, organisations can readily reach out to verify details or request additional clarification whenever uncertainty arises about a control’s status. This ongoing dialogue surpasses the limitations of static, point-in-time assessments, offering a dynamic and up-to-date perspective that keeps pace with evolving risks.

Perhaps most compelling is the enhanced ability to detect and prevent supply chain vulnerabilities through joint efforts. Working closely with suppliers allows both parties to proactively identify potential weaknesses—whether in processes, systems, or policies—and address them before they can be exploited. This collaborative approach both reduces immediate risks and contributes to a stronger overall security posture for organisations and their suppliers alike.

The Benefits of Risk Ledger’s Social Network Approach

Risk Ledger has created the first active cyber defense network for supply chain security, uniting security teams from organisations, suppliers, and peers to collaboratively counter supply chain attacks. Unlike other TPRM solutions, this social network approach focuses on solving suppliers’ challenges, thereby improving outcomes for clients as well.

Suppliers join the platform for free and receive extensive support, including dedicated customer service and a comprehensive help section addressing common assessment questions. Rather than juggling countless bespoke questionnaires, suppliers complete one standardised assessment mapped to international standards like ISO 27001 or NIST. 

Once completed, this assessment can be shared across multiple clients—both those already on the platform and external organisations not yet connected—removing the need to fill out hundreds of bespoke questionnaires and saving valuable time and resources.

For clients, the benefits are transformative. Security teams connect directly with supplier security counterparts via the platform, fostering real-time communication and trust. Need clarification on a control? A quick message resolves it. Worried about an emerging threat? You’ve got a direct line to ask. This connectivity replaces the old model of routing questions through procurement middlemen, cutting delays and building stronger relationships.

To make things even easier, Risk Ledger recently introduced a new “Quick Answer with AI” feature. This tool leverages uploaded security policies and certifications to intelligently suggest assessment responses—dramatically speeding up the process and reducing repetitive admin work for suppliers.

By creating an ecosystem that supports both clients and their suppliers, Risk Ledger makes it easier to work together, share knowledge, and respond to risk—faster, smarter, and at scale.

Conclusion

The shortcomings of traditional TPRM—inefficiency, distrust, and limited visibility—stem not least from a lack of collaboration between organisations and their suppliers. By treating suppliers as partners, establishing direct ties with their security teams, and embracing open data sharing, organisations can overcome these hurdles. The result is faster incident response, deeper supply chain insight, and a stronger collective defence against cyber threats. Risk Ledger’s social network approach makes this vision a reality, empowering security teams to work together seamlessly and turn suppliers into enablers of resilience.

In the final article in this series, we’ll explore how enhanced collaboration between organisations and their peers can further strengthen supply chain security outcomes.
