Peer-Driven Insights

Third Party Risk Management (TPRM)

Community Posts

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Read More Comments

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

“Risk needs to be quantified in monetary value.”

Strongly agree21%

Agree58%

Neutral15%

Disagree2%

Strongly disagree

Other (explain in the comments)

View Results

Thoughts on the recent alleged breach of Oracle Cloud’s login servers? What are your initial reactions to Oracle’s denial of the breach now that some customers have validated the leaked data?

Read More Comments

What processes do you rely on to address risks from rogue cloud tenants that the security team doesn’t have visibility of?

Read More Comments

Are you confident in your software supply chain security strategy?

Very confident18%

Somewhat confident66%

Somewhat unconfident13%

Not at all confident2%

Other (explain in the comments)

View Results

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

What are the main 10 features requested in a GRC platform?

Read More Comments

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

Read More Comments

What metrics are most useful for measuring 3rd party risk?

Read More Comments

How do you ask your third parties to notify you if they have had a cyber incident? Does your process work efficiently?

Read More Comments

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

Read More Comments

How often does procurement include cyber risk assessment requirements in their engagement requests?

Always20%

Often40%

Sometimes24%

Rarely12%

Never1%

Not sure

View Results

When it comes to pros/cons of shadow IT, does your POV on this change for GenAI apps? Are there more pros outweighing the cons in those cases, or is it just too risky to be beneficial?

Read More Comments

Community Posts

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.Has anyone implemented a "not relevant" risk tier in their model?This tier would apply to vendors posing genuinely negligible security risk.

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

“Risk needs to be quantified in monetary value.”

Thoughts on the recent alleged breach of Oracle Cloud’s login servers? What are your initial reactions to Oracle’s denial of the breach now that some customers have validated the leaked data?

What processes do you rely on to address risks from rogue cloud tenants that the security team doesn’t have visibility of?

Are you confident in your software supply chain security strategy?

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

What are the main 10 features requested in a GRC platform?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

What metrics are most useful for measuring 3rd party risk?

How do you ask your third parties to notify you if they have had a cyber incident? Does your process work efficiently?

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

How often does procurement include cyber risk assessment requirements in their engagement requests?

When it comes to pros/cons of shadow IT, does your POV on this change for GenAI apps? Are there more pros outweighing the cons in those cases, or is it just too risky to be beneficial?

Community Posts

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.Has anyone implemented a "not relevant" risk tier in their model?This tier would apply to vendors posing genuinely negligible security risk.

Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?

“Risk needs to be quantified in monetary value.”

Thoughts on the recent alleged breach of Oracle Cloud’s login servers? What are your initial reactions to Oracle’s denial of the breach now that some customers have validated the leaked data?

What processes do you rely on to address risks from rogue cloud tenants that the security team doesn’t have visibility of?

Are you confident in your software supply chain security strategy?

What are the main hurdles you face when verifying a CSP’s compliance and security measures after an update? How are you addressing these issues so far?

Has anyone moved to a third party support for Hyperion (like Rimini Street)? If so, what pitfalls should we look out for and would you recommend it if we are 2-3 years from moving to a new solution?

What are the main 10 features requested in a GRC platform?

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

What metrics are most useful for measuring 3rd party risk?

How do you ask your third parties to notify you if they have had a cyber incident? Does your process work efficiently?

How are you assessing the security posture of third-party APIs the business relies on? What criteria do you use currently?

How often does procurement include cyber risk assessment requirements in their engagement requests?

When it comes to pros/cons of shadow IT, does your POV on this change for GenAI apps? Are there more pros outweighing the cons in those cases, or is it just too risky to be beneficial?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.

Are organizations managing IT security internally, or are they outsourcing to specialized security companies?

If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?