How Should Enterprise CISOs Structure TPRM Teams?

‘How do I mitigate vendor risks?’

That’s a common question in my chats with CISOs and IT executives. Being a tech enthusiast and as stressed in previous guides, my usual suggestion is: Leverage technology and streamlined processes to: 

• Implement the right TPRM framework
• Switch to continuous vendor assessments. And,
• Automate ongoing third-party risk monitoring.

These are all crucial factors.

But often, CISOs come back seeking help on how best to build and structure their third-party risk management (TPRM) teams. Each time this happens, I’m reminded of these words by Dave Buster: 

Dave couldn’t say it better. The right TPRM framework, technology, and automated processes won’t work on their own. So to mitigate risks in our ever-expanding vendor landscape, you need: 

1. A dedicated vendor risk management team
2. An effective TPRM reporting structure. 

Starting with the latter, I’d cover both in this guide. 

Third-Party Risk Management Reporting Structure

Get the right people, and you can rest assured your vendor risk management program is in good hands. Design an effective reporting structure for your TPRM team, and you can be sure the right info reaches you (and the C-Suite) at the right time. 

The challenge: 

What should such a TPRM reporting structure look like? 

It ultimately depends on your organization type and overall size of your cybersecurity team. Generally though, experts recommend a centralized TPRM reporting structure:

As illustrated above, a centralized structure eliminates silos and can be more effective for two reasons:

1. The CISO and Senior Management get real-time insight into how subteams are implementing the TPRM program. 
2. Subteams overseeing various aspects of your TPRM program can track teammates’ actions and act proactively.

If this reporting structure makes sense to you, as it does for most enterprise security execs, the next hurdle I often hear is: What are the roles and responsibilities of subteams dedicated to each step? 

The rest of this guide addresses that. As we proceed, you’ll also see how our interoperable cybersecurity platform helps enterprise security teams automate and report critical TPRM processes. 

Before we dive in… 

Enterprise TPRM Team Roles and Responsibilities 

When filling critical roles in your TPRM team and assigning responsibilities, diversity is highly recommended. The Institute of Critical Infrastructure Technology, in a study titled, “The Business Value of a Diverse InfoSec Team,” reiterated this. 

According to their research: 

So while the centralized reporting structure above helps, it is crucial to keep diversity in mind as you fill the TPRM roles below. 

TPRM Program Director/Manager

This individual or team owns the TPRM program. 

High-performers have a balance of demonstrable risk management skills, extensive training, experience, and the ability to coordinate all subteams. They report to you, the CISO, and usually, their primary responsibilities would be to help you:

• Champion and advocate for the maturity of your TPRM program and develop key partnerships across the org to ensure alignment with your company’s overall 3rd party strategy.
• Design and oversee the implementation of your TPRM framework and operating procedures needed to integrate necessary security controls per your business functions. 
• Establish relevant TPRM program metrics, Service Level Agreements (SLAs), Key Risk Indicators (KRIs), and Key Performance Indicators (KPIs) for managing all vendor risks. 
• Design security guardrails for selecting vendors, and define security scores and controls 3rd parties must retain before they can be considered and let into your third-party ecosystem. 

Vendor Assessments & Onboarding Subteam

The core responsibility of specialist(s) on this subteam is enforcing the security guidelines defined by the TPRM Program Director, which new vendors must meet. Specifically, this includes: 

• Vetting, profiling, and tiering vendors
• Creating and implementing custom security audits or exams.
• Choosing and right-sizing appropriate security assessment questionnaire templates for select vendors.
• Onboarding vendors with acceptable security controls, etc. 

Imagine doing all that with this:

Josh Angert, Manager at Vendor Centric, observed how core functions of this subteam, if done manually with Excel, can lead to inconsistent vendor risk tiering, wasted time, and poor assessments. 

In his words:  

As Josh advised, to curb vendor risk assessment bottlenecks, CISOs can leverage a vendor risk management system to standardize processes. 

That’s where Cyber Sierra comes in: 

As shown, our system streamlines the gruesome vendor tiering, assessment, and onboarding processes into three easy steps. For instance, your team can profile vendors based on their business type, location, and easily tier those requiring advanced assessments. 

Vendor Risk Monitoring & Remediation Subteam

This subteam usually comprises risk detection and mitigation experts, each assigned to one or a group of vendors. They work closely with the security assessment subteam, share insights within each other, and report to the TPRM Program Director, or you, the CISO. 

Some core responsibilities include: 

• Own assigned third-party vendors and manage their risks. 
• Perform daily or weekly risk management tasks on assigned vendors, according to your company’s instituted TPRM program. 
• Detect, mitigate, and report risks posed by third-parties, and work with them and the DevSecOps team to remediate the same. 
• Flag third-parties that should be terminated, and in most cases, oversee the offboarding of flagged high-risk vendors. 

One way to empower this subteam is through software that enables ongoing vendor risk monitoring. This helps them identify vendors whose security controls become outdated and can’t be verified. 

Again, Cyber Sierra automates this: 

Our platform uses standardized enterprise security controls to auto-check evidence uploaded by vendors on an ongoing basis. As shown above, you get alerted of those that fail verification, flagging your team to immediately work with the vendor to enforce them. 

TPRM Program Auditors

According to Vikrant Rai: 

In other words, having internal (and external) auditors is a must-have. They perform systematic evaluations of your company’s implemented TPRM framework, documentation, processes, and security controls. This enables them to document weaknesses that must be addressed and usually report directly to the CISOs, IT executives, and the TPRM Program Director/Manager. 

How Many People Should Be On My TPRM Team?

 There’s no magic number. 

Generally, the more vendors you manage, the more risk exposure your team may have to deal with, and the more people required. But all third-parties aren’t created equal. In a sample of, say, 200 vendors, only 5-10% (i.e., 10-20) may be high-risk or critical to your company’s operations. In a centralized reporting structure, where processes have been automated, 1-2 full-time employees (FTEs) on your risk monitoring and remediation subteam can manage such vendors closely, in addition to reviewing others occasionally. 

Going by this logic, the number of people you may need on your enterprise TPRM team should be around:

• 1–3 FTEs for up to 200 vendors. 
• 3–5 FTEs for 200 – 600 vendors. 
• One (1) additional FTE for every 100–200 vendors beyond that. 

You may be wondering: 

How about the assessment and vendor onboarding subteam? 

Well, by automating processes with a tool like Cyber Sierra, your TPRM Director can vet, assess, and onboard vendors in a few steps because those critical to-dos have been streamlined. For instance, they can choose from standard security assessment questionnaires already built into our platform, customize per your company’s needs, and send to vendors: 

Make Your TPRM Team More Effective

In a cybersecurity survey reported by Graphus:

This finding proves that, irrespective of how many full-time employees (FTEs) on your TPRM team or reporting structure, automation is needed to make them more effective.  

Third-party risk expert, Ian Terry, agrees: 

We built Cyber Sierra to enable enterprise TPRM teams to achieve this needed automation and become more effective. From tiering critical vendors to continuous security assessments, and ongoing risk monitoring, our platform automates the steps required. 

Want to see it for yourself?