
Vendor-Provided Resources

Here you can find links to resources supplied by TPRA Vendor Members (TPRM Service Providers). Some of these resources require you to input information to obtain the document.

 

Note: TPRA does not support one particular service provider over another, nor do we benefit from providing you the links below. Read and implement at your own risk. 

If you are a TPRA Vendor Member and have a resource or link you would like to see added to this page, please submit through our Vendor Submissions form, or send it to Meghan Schrader at meghan.schrader@tprassociation.org for review.

Continuity Strength

Vendor Management Capacity Calculator

January 21, 2026

Do you have enough people to manage your vendor portfolio?

Most teams don't. They're managing 50, 100, 200+ vendors with a skeleton crew, patching together assessments between fire drills and audit prep. Traditional vendor assessment takes 20-30 hours per vendor annually. Your team is drowning in questionnaires while new vendors keep getting added.

This calculator shows you exactly where you stand. Input your vendor count, current staffing, and how often you reassess. You'll see your actual capacity utilization and whether you're underwater.

The results explain why vendor management always feels impossible: Assessments take 3+ weeks. Vendors don't have BCPs. Your analysts are maxed out. The math just doesn't work.

Use this before your next budget conversation. It shows what you're actually short and what automation could free up based on your specific situation.

Center for Financial Professionals (CeFPro)

Connect Magazine - Issue 15

January 20, 2026

Issue 15 of Connect Magazine offers a sharp year-in-review for risk professionals, bringing together the standout themes that shaped 2025. Featuring a curated selection of the year’s most-read articles, the issue captures a period defined by converging pressures - from geopolitical and regulatory shifts to AI acceleration, climate risk, and rising non-financial risk.

Inside, readers revisit the topics that dominated boardroom agendas, including global trade tensions, generative AI, climate stress testing, third-party risk, and the human factors influencing risk decisions, offering a concise snapshot of how the industry navigated a year of constant change.

Center for Financial Professionals (CeFPro)

TPRM in 2025: Cracking the Code on Burnout, Bottlenecks, and Budget Constraints

January 20, 2026

Published in March 2025 in collaboration with CERTA, this CeFPro research examines the growing gaps in third-party risk management across financial services. The report highlights how outdated systems, manual processes, and stretched teams are increasing risk exposure and slowing compliance. Backed by data from leading financial institutions, it explores the disconnect between rising third-party risk complexity and the tools used to manage it, and how leading firms are closing the gap.

Explore the findings to understand how organisations are strengthening TPRM frameworks with greater efficiency and control.

Center for Financial Professionals (CeFPro)

Supplier Stability In Operational Resilience 2025: Follow-Up Insights and Analysis

January 20, 2026

Supplier Stability in Operational Resilience 2025 examines how financial institutions are strengthening resilience as regulatory expectations intensify. Drawing on joint research from Escode and CeFPro, the report highlights critical gaps in supplier risk ownership, cloud dependency, and continuity planning, and explores how software escrow is emerging as a key component of resilience assurance.

Explore the findings to understand where resilience frameworks are succeeding, and where greater accountability is still needed.

Bitsight

Exposed: Cyber Risk in the Financial Sector and Its Supply Chain

January 9, 2026

The financial sector relies on a complex web of technology providers—but many of these third parties present hidden and under-monitored cyber risks. Bitsight analyzed over 41,000 financial organizations and 50,000 vendor relationships to identify the most critical suppliers and assess their cybersecurity performance. The findings reveal systemic risk, poor security hygiene among key vendors, and significant monitoring gaps across the sector.

Key Takeaways

  • Bitsight identified the 99 most critical third-party suppliers to the financial sector

  • Some of the largest vendors have the weakest security performance

  • Unmonitored suppliers have 2.9x more critical CVEs and 2.8x more KEVs

  • Financial institutions monitor only 36.3% of their vendors on average

  • Continuous monitoring correlates with improved visibility and stronger risk communication

Download the full report to understand where your greatest supply chain risks may be hiding—and how to proactively reduce exposure.

Bitsight

A Third-Party Risk Management Framework Template: 10 Critical Elements

January 9, 2026

Build a third-party risk management framework that stands up to today’s threats—and tomorrow’s scrutiny.

Third-party risk is no longer just a cybersecurity issue—it’s a business imperative. As regulatory demands tighten and digital ecosystems expand, organizations need a third-party risk management framework that goes beyond checkbox assessments and ad hoc processes.


This eBook serves as your third-party risk management framework template—a structured, scalable guide to managing vendor and third-party cyber risk at every stage of the vendor lifecycle. You’ll discover how to build a defensible, data-driven program that enables visibility, accountability, and continuous improvement.


Whether you're starting from scratch or enhancing an existing third-party risk management program, you’ll learn how to strengthen assessments, streamline workflows, and foster cross-functional collaboration—all while ensuring defensibility and speed.

Bitsight

Top Five AI Governance Questions To Ask in Your Vendor Risk Assessment

January 9, 2026

Is your vendor risk assessment process ready for the AI era?

Download this practical guide to modernizing how you evaluate third-party AI risk. Whether you're conducting a cybersecurity supply chain risk management review or onboarding new partners, this resource helps you dig deeper into how vendors govern, deploy, and secure AI technologies.

Continuity Strength

Vendor Risk Management Survey Results - 2025

January 8, 2026

Thank you to everyone who participated in our vendor risk management research this fall. We analyzed responses from 64 organizations across financial services (59%), technology, healthcare, and manufacturing to identify critical gaps in third-party risk programs. Key findings reveal systematic weaknesses where organizations have implemented initial programs but failed to mature core capabilities:

  • 68.8% lack formal BCP support for vendors

  • 47.2% operate with minimal or reactive monitoring

  • 41.9% have no formal resilience scoring methodology

  • 37.5% face significant assessment delays (5+ weeks)

We've organized the complete analysis into five focused reports so you can prioritize topics most relevant to your organization. 


Each report includes detailed findings, industry-specific implications, regulatory context, and actionable solutions.


Select your priority reports here: https://continuitystrength.com/vendormgmtsurvey-2025-published-tpra


Looking forward to your feedback on the findings.

NetRise, Inc.

Gaining Device Software and Component Visibility at a Global Asset Management Firm

January 7, 2026

A leading global asset management firm manages trillions of dollars across offices on multiple continents. Its network relies on thousands of third-party devices, including firewalls, virtual private network (VPN) concentrators, branch routers, security cameras, and network access control systems. Despite a mature vulnerability management program, the firm lacked automated visibility into the device software and component inventory inside these systems. Vendor documentation was incomplete, and manual audits were time-consuming and inconsistent.

NetRise, Inc.

The Dependency Mirage: Hidden Vulnerabilities in Compiled Binaries

January 7, 2026

Most organizations trust their SBOMs and vulnerability scanners to reflect what’s running in production — but they don’t. In this RSA Conference session, Craig Heffner, Senior Staff Engineer at NetRise and creator of Binwalk, exposes how hidden dependencies and build-time decisions introduce vulnerabilities invisible to traditional security tools.

Drawing from real-world case studies, the talk reveals how manifest-based scanning reflects intent, not reality — and how Binary Composition Analysis (BCA) exposes what’s truly compiled into your software.

NetRise, Inc.

Fragile by Design: Large-Scale Evidence of Software Supply Chain Risk

January 7, 2026

The software supply chain is more fragile than most realize. In this ThreatCon keynote, NetRise Co-Founder and CEO Thomas Pace shares large-scale evidence from millions of analyzed binaries, firmware images, and software artifacts — revealing systemic risks that traditional AppSec tools overlook.

Learn why visibility into compiled code is the key to building true software assurance — and how NetRise is helping organizations uncover and address hidden vulnerabilities before they become front-page news.

NetRise, Inc.

Beyond the Questionnaire: How NetRise Informs Third-Party Risk Management

January 7, 2026

Gain visibility beyond vendor questionnaires. See how NetRise reveals hidden software risk and strengthens third-party risk management programs.
