blog-hero-background-image
Third Party Risk Management

How Should Enterprise CISOs Structure TPRM Teams?

backdrop
Table of Contents

Join thousands of professionals and get the latest insight on Compliance & Cybersecurity.


‘How do I mitigate vendor risks?’

That’s a common question in my chats with CISOs and IT executives. Being a tech enthusiast and as stressed in previous guides, my usual suggestion is: Leverage technology and streamlined processes to: 

These are all crucial factors.

But often, CISOs come back seeking help on how best to build and structure their third-party risk management (TPRM) teams. Each time this happens, I’m reminded of these words by Dave Buster: 

 

Dave Buster - Quote

 

Dave couldn’t say it better. The right TPRM framework, technology, and automated processes won’t work on their own. So to mitigate risks in our ever-expanding vendor landscape, you need: 

  1. A dedicated vendor risk management team
  2. An effective TPRM reporting structure

Starting with the latter, I’d cover both in this guide. 

 

Third-Party Risk Management Reporting Structure

Get the right people, and you can rest assured your vendor risk management program is in good hands. Design an effective reporting structure for your TPRM team, and you can be sure the right info reaches you (and the C-Suite) at the right time. 

The challenge: 

What should such a TPRM reporting structure look like? 

It ultimately depends on your organization type and overall size of your cybersecurity team. Generally though, experts recommend a centralized TPRM reporting structure:

 

centralized TPRM reporting structure

 

As illustrated above, a centralized structure eliminates silos and can be more effective for two reasons:

  1. The CISO and Senior Management get real-time insight into how subteams are implementing the TPRM program. 
  2. Subteams overseeing various aspects of your TPRM program can track teammates’ actions and act proactively.

If this reporting structure makes sense to you, as it does for most enterprise security execs, the next hurdle I often hear is: What are the roles and responsibilities of subteams dedicated to each step? 

The rest of this guide addresses that. As we proceed, you’ll also see how our interoperable cybersecurity platform helps enterprise security teams automate and report critical TPRM processes

Before we dive in… 

illustration background

Join SMSW

Join CISOs, CTOs, and enterprise security execs subscribed to Secure My Software Weekly (SMSW) for actionable cybersecurity, risk and compliance insights.

card image

Enterprise TPRM Team Roles and Responsibilities 

When filling critical roles in your TPRM team and assigning responsibilities, diversity is highly recommended. The Institute of Critical Infrastructure Technology, in a study titled, “The Business Value of a Diverse InfoSec Team,” reiterated this. 

According to their research

 

The-Institute-of-Critical-Infrastructure-Technology-ICIT

 

So while the centralized reporting structure above helps, it is crucial to keep diversity in mind as you fill the TPRM roles below. 

 

TPRM Program Director/Manager

This individual or team owns the TPRM program. 

High-performers have a balance of demonstrable risk management skills, extensive training, experience, and the ability to coordinate all subteams. They report to you, the CISO, and usually, their primary responsibilities would be to help you:

  • Champion and advocate for the maturity of your TPRM program and develop key partnerships across the org to ensure alignment with your company’s overall 3rd party strategy.
  • Design and oversee the implementation of your TPRM framework and operating procedures needed to integrate necessary security controls per your business functions. 
  • Establish relevant TPRM program metrics, Service Level Agreements (SLAs), Key Risk Indicators (KRIs), and Key Performance Indicators (KPIs) for managing all vendor risks. 
  • Design security guardrails for selecting vendors, and define security scores and controls 3rd parties must retain before they can be considered and let into your third-party ecosystem. 

 

Vendor Assessments & Onboarding Subteam

The core responsibility of specialist(s) on this subteam is enforcing the security guidelines defined by the TPRM Program Director, which new vendors must meet. Specifically, this includes: 

  • Vetting, profiling, and tiering vendors
  • Creating and implementing custom security audits or exams.
  • Choosing and right-sizing appropriate security assessment questionnaire templates for select vendors.
  • Onboarding vendors with acceptable security controls, etc. 

Imagine doing all that with this:

 

TPRM assessment Question

 

Josh Angert, Manager at Vendor Centric, observed how core functions of this subteam, if done manually with Excel, can lead to inconsistent vendor risk tiering, wasted time, and poor assessments. 

In his words:  

 

Josh Angert - Quote

 

As Josh advised, to curb vendor risk assessment bottlenecks, CISOs can leverage a vendor risk management system to standardize processes. 

That’s where Cyber Sierra comes in: 

 

vendor risk management system to standardize processes

 

As shown, our system streamlines the gruesome vendor tiering, assessment, and onboarding processes into three easy steps. For instance, your team can profile vendors based on their business type, location, and easily tier those requiring advanced assessments. 

illustration background

Automate Vendor Risk Assessments

Cyber Sierra streamlines crucial vendor assessment processes, so enterprise TPRM teams can compile reports faster.

card image

Vendor Risk Monitoring & Remediation Subteam

This subteam usually comprises risk detection and mitigation experts, each assigned to one or a group of vendors. They work closely with the security assessment subteam, share insights within each other, and report to the TPRM Program Director, or you, the CISO. 

Some core responsibilities include: 

  • Own assigned third-party vendors and manage their risks. 
  • Perform daily or weekly risk management tasks on assigned vendors, according to your company’s instituted TPRM program. 
  • Detect, mitigate, and report risks posed by third-parties, and work with them and the DevSecOps team to remediate the same. 
  • Flag third-parties that should be terminated, and in most cases, oversee the offboarding of flagged high-risk vendors. 

One way to empower this subteam is through software that enables ongoing vendor risk monitoring. This helps them identify vendors whose security controls become outdated and can’t be verified. 

Again, Cyber Sierra automates this: 

 

ongoing vendor risk monitoring

 

Our platform uses standardized enterprise security controls to auto-check evidence uploaded by vendors on an ongoing basis. As shown above, you get alerted of those that fail verification, flagging your team to immediately work with the vendor to enforce them. 

 

TPRM Program Auditors

According to Vikrant Rai

 

Vikranti Rai - Quote

 

In other words, having internal (and external) auditors is a must-have. They perform systematic evaluations of your company’s implemented TPRM framework, documentation, processes, and security controls. This enables them to document weaknesses that must be addressed and usually report directly to the CISOs, IT executives, and the TPRM Program Director/Manager. 

 

How Many People Should Be On My TPRM Team?

 There’s no magic number. 

Generally, the more vendors you manage, the more risk exposure your team may have to deal with, and the more people required. But all third-parties aren’t created equal. In a sample of, say, 200 vendors, only 5-10% (i.e., 10-20) may be high-risk or critical to your company’s operations. In a centralized reporting structure, where processes have been automated, 1-2 full-time employees (FTEs) on your risk monitoring and remediation subteam can manage such vendors closely, in addition to reviewing others occasionally. 

Going by this logic, the number of people you may need on your enterprise TPRM team should be around:

  • 1–3 FTEs for up to 200 vendors. 
  • 3–5 FTEs for 200 – 600 vendors. 
  • One (1) additional FTE for every 100–200 vendors beyond that. 

You may be wondering: 

How about the assessment and vendor onboarding subteam? 

Well, by automating processes with a tool like Cyber Sierra, your TPRM Director can vet, assess, and onboard vendors in a few steps because those critical to-dos have been streamlined. For instance, they can choose from standard security assessment questionnaires already built into our platform, customize per your company’s needs, and send to vendors: 

 

automating processes with a tool

 

Make Your TPRM Team More Effective

In a cybersecurity survey reported by Graphus:

 

cybersecurity survey reported by Graphus

 

This finding proves that, irrespective of how many full-time employees (FTEs) on your TPRM team or reporting structure, automation is needed to make them more effective.  

Third-party risk expert, Ian Terry, agrees

 

Ian Terry - Quote

 

We built Cyber Sierra to enable enterprise TPRM teams to achieve this needed automation and become more effective. From tiering critical vendors to continuous security assessments, and ongoing risk monitoring, our platform automates the steps required. 

Want to see it for yourself? 

illustration background

Automate Crucial Vendor Risk Management Process

Cyber Sierra streamlines crucial vendor assessment processes, so enterprise TPRM teams can compile reports faster.

card image
  • Third Party Risk Management
  • CISOs
  • CTOs
  • Cybersecurity Enthusiasts
  • Enterprise Leaders
  • Startup Founders
Pramodh Rai

Meet Pramodh Rai, a technology aficionado and Cyber Sierra's co-founder, whose zest for innovation is fuelled by a cupboard stacked with zero-sugar Redbull. With a nimble footwork through the tech tulips across Asia Pacific, he's donned hats at Hmlet (the proptech kind) and Funding Societies | Modalku, building high-performing teams and technologies. A Barclays prodigy with dual degrees from Nanyang Technological University, Pramodh is a treasure trove of wisdom, dad jokes, and everything product/tech. He's the Sherpa in sneakers you need.

A weekly newsletter sharing actionable tips for CTOs & CISOs to secure their software.


Thank you for subscribing!

Please check your email to confirm your email address.

Find out how we can assist you in
completing your compliance journey.

toaster icon

Thank you for reaching out to us!

We will get back to you soon.