Sarah Trainor

One of our favorite sessions at RSAC 2023 was a session by Chris Castaldo, CISO of Crossbeam, and Brian Markham, CISO of EAB Global. “Your Third-Party Risk Management Program Is Bad and You Should Feel Bad” was a deep dive into the past, present, and future of Third-Party Risk Management (TPRM). The two CISOs discussed their perspectives on the current state of TPRM and how it could be better, including insights from their own experiences building TPRM programs. It’s an insightful talk, and a must-watch for any cybersecurity leader.

Check out the video here, or at the bottom of this post.

Here are a few of our big learnings and takeaways from the session:

Managing and understanding supply chain risk is more crucial than ever

Cyber attacks targeting software supply chains can result in significant data breaches, disrupting businesses and compromising sensitive information. Even a small disruption in the supply chain can have a major business impact, underscoring the need for robust risk management strategies. And the industry realizes this: just look at the NIST 800-53 framework as evidence. Mentions of “supply chain” have steadily grown with each new revision. In Rev. 5 (2020), “supply chain” is mentioned almost 250 times.

[Chart: Mentions of "supply chain" in NIST 800-53 (Source: Chris Castaldo and Brian Markham)]

Transparency is the future

It’s natural to be a little nervous about taking a transparent approach to security. But the very nature of software and web apps exposes organizations to potentially malicious actors every day. Transparently sharing security information with buyers does not increase that risk. It just makes everyone’s lives easier - buyers have to do less digging, while sellers save time. It’s a win-win.

In its current state, TPRM takes too many resources away from other aspects of security

Manually requesting, sending, reviewing, and asking questions about documents and security programs takes so much time. Lengthy custom questionnaires take effort to complete and often require repetitive answers to the same old questions. All-in-all, the manual nature of TPRM takes the security team away from actual security tasks that keep the company secure.

It’s important to audit your TPRM program and weigh time vs. value

Look at how much time and money you’re spending on TPRM, and ask yourself if the work is worth it. Are you just checking a box, or providing real value? Figure out the minimum steps you can take to ensure the outcomes you need. The presenters offered some valuable guidance on this process in their presentation slides.

It’s time to do away with custom questionnaires in favor of better solutions

Time kills deals, and the current TPRM model and custom questionnaires introduce time-consuming roadblocks. At Crossbeam, Chris Castaldo has instituted a policy of “no security questionnaires ever,” in favor of more transparency, a system to rank vendors by risk, and a dramatically simplified series of review questions. As a result, sales cycles at Crossbeam have decreased by 7 days and security can enable deals rather than kill them in their tracks.

[Slide: What Crossbeam did for their vendors (Source: Chris Castaldo and Brian Markham)]

The only way to improve the current state of TPRM is to realize we’re all part of the problem

As cybersecurity professionals, we can question the status quo when it comes to TPRM. Do you really need to send that custom questionnaire? Can you accept an industry standard one instead? Could your company be more transparent up front rather than keeping details of your security posture hidden?

If you aren’t thinking about TPRM, you should be

Your TPRM program doesn’t have to be perfect, but it should provide reasonable assurance to stakeholders. Look to due diligence programs for inspiration. Document your approach to TPRM, establish baseline procedures, and get your execs onboard. From there, it’s a matter of refining your approach and learning over time.

Check out the full session video below. And if you’re interested in being more transparent while automating the manual elements of your security review process, book a demo with SafeBase to learn more about our industry-leading Trust Center. SafeBase helps companies like Crossbeam, Asana, and OpenAI accelerate their security assessments, and we’d love to help your company, too.

SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers, including streamlining the NDA signing process by integrating with your CRM and your data warehouse.

If you’re ready to take back the time your team spends on security questionnaires, create a better buying experience, and position security as the revenue-driver it is, get in touch with us.