- Ryan Patrick, VP of Adoption, HITRUST
Third-Party Risk Management (TPRM) is supposed to be the bedrock of securing organizations from the risks posed by external vendors and business partners, but the current system is fundamentally broken. This becomes painfully clear when we examine three of the most critical pain points: the low quality and variability of SOC 2 reports, the inefficiency of questionnaires, and the lack of reciprocity between governing bodies.
SOC 2 Reports: A Quality Crisis
SOC 2 reports are often regarded as the “go-to” standard for assessing the security controls of third-party vendors because of their wide adoption across all industries. Yet the quality and reliability of these reports vary dramatically. Some SOC 2s are meticulously detailed and provide actionable insights into a vendor's security posture. Many others, however, are shallow, omit critical information, or, worse, rely on outdated practices that no longer align with today's threat landscape. The selection of controls is left entirely to the organization being assessed. Furthermore, there is a race to the bottom, with “SOC in a box” firms pencil-whipping reports at the lowest cost possible. The variability of these reports erodes trust.
What is the point of asking for a SOC 2 if you can’t guarantee a consistent standard? SOC 2 reports will remain an unreliable cornerstone in TPRM until there is a way to enforce more uniform, higher-quality reporting.
The Questionnaire Bottleneck
The next pain point is the inefficiency of vendor questionnaires. In theory, these should help organizations get a clearer understanding of a vendor’s security practices. In reality, they’ve become a bureaucratic nightmare. Security questionnaires are often long, repetitive, and rarely tailored to the specific risks posed by a particular vendor. Worse yet, vendors receive dozens, sometimes hundreds, of these questionnaires, leading to inconsistent or hurried responses. It’s not uncommon for vendors to send recycled answers that don’t address the nuances of the questions asked. This "checkbox" approach is inefficient for both sides and doesn’t provide the insight to make informed risk decisions.
It’s even more troubling that the organizations requesting the security questionnaires often lack the time, expertise, or resources to assess the answers they receive thoroughly. Most companies don't have dedicated teams or the specialized knowledge required to interpret the responses and probe deeper into potential vulnerabilities. As a result, the due diligence process often becomes superficial, with organizations relying on incomplete or misunderstood information. Organizations may unwittingly expose themselves to greater vulnerabilities instead of truly mitigating risk.
Reciprocity Between Governing Bodies: A Missing Link
One of the biggest systemic failures in TPRM is the lack of reciprocity between governing bodies and frameworks. We have SOC 2, ISO 27001, NIST, and a host of other frameworks, all serving slightly different functions but ultimately aiming at the same goal: reducing risk. However, organizations are forced to undergo multiple, redundant audits and assessments as there’s little reciprocity between these frameworks. Vendors end up in a web of overlapping requirements, increasing the time and cost of compliance without adding meaningful value to security. The industry needs a system of mutual recognition, where frameworks work together to streamline the risk management process, creating a unified standard that works across sectors and regions.
A Call for Change
TPRM is in dire need of reform. Although SOC 2s serve a specific purpose within an organization, they were not designed for TPRM and should not be used for this purpose. Questionnaires must become more focused on the relationship between the two organizations and go no further than that. Relying on industry-recognized, risk-based assessments and certifications, and doing away with questionnaires, leads to streamlined processes and reduced risk profiles. Finally, there must be reciprocity and collaboration between governing bodies to eliminate redundant processes and create a more efficient, effective approach to managing third-party risks.
The current system is broken, but with concerted efforts from industry leaders, governing bodies, and security professionals, we can rebuild TPRM into a process that truly protects organizations without wasting time or resources.