How often does procurement include cyber risk assessment requirements in their engagement requests?

Security Strategy & RoadmapThird Party Risk Management (TPRM)

Always20%

Often40%

Sometimes24%

Rarely12%

Never1%

Not sure

427 PARTICIPANTS
3.1k viewscircle icon1 Comment
Sort by:
CTO2 years ago

It depends on the size of the business. In my experience, most of the publicly listed companies' procurement team will have this requirement as part of due diligence of vendor onboarding process. 

For private companies, it depends on the size and agility of the business that matters the most. 

Another driver for this requirement comes from regulatory compliance side and that too depends on which sector the company is operating.

Content you might like

How does your cyber compliance team stay informed about new and changing regulations impacting your organization's compliance? Additionally, how are cyber compliance teams tracking, measuring and reporting on internal compliance?

User experience should not be a priority in the context of security — do you agree?

Strongly agree10%

Agree57%

Neutral11%

Disagree13%

Strongly disagree6%

View Results

How are you currently leveraging your cyber-risk quantification methodologies at your organization?

Prioritizing cyber risks43%

Communicating to risk owners64%

Communicating to C-Suite56%

Communicating to Board24%

Aligning cyber risks with other risk practices15%

View Results

‘AI’ Business Model – With many components flowing into the AI domain (cost, data, E&C, people, value, strategy, duplication of everything, etc.), I’ve started to think about splitting out ‘AI’ from the operating model and putting it into a separate legal entity. This way, I could manage a) risk and compliance, b) cost, c) resource allocation, d) governance, e) IP, f) revenue generation, etc.

Of course, this isn’t new in general, but I’m especially interested in how this approach could help with the ongoing challenge of ensuring compliance with data privacy and regulations related to LLMs and data access/usage over time.

My question: Is anyone else thinking about this, or has anyone already done it? I know there are examples in the literature, but I wanted to float this here for general comments and discussion.

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Read More Comments