One of the most persistent challenges in Third-Party Risk Management (TPRM) is the growing tension between vendors and their customers over how much information is "enough" to complete vendor due diligence and gain meaningful assurance. The friction is fundamental: vendors are understandably cautious about sharing detailed internal information, while customers are under pressure to demand more of it.
Vendor caution: Balancing security and disclosure
For vendors, the fear is real. Providing detailed documentation, such as audit reports, penetration test results, or internal security policies, feels like handing over the blueprints to their security house as part of the due diligence process. A full penetration test report, for example, is a catalogue of known weaknesses and how they were found; if a customer stores it carelessly, a breach on the customer's side exposes the vendor. There is anxiety that this information could be misused, misinterpreted, weaponized in a future business dispute, or simply lost or leaked by the customer. Many vendors worry about loss of control, leakage of sensitive competitive data, or being penalized for perceived gaps taken out of context.
Customer expectations: Regulatory pressure and risk management
On the other hand, customers feel the weight of regulatory expectations, board oversight, and real cyber risk. Their job is to protect their organization, and to do that effectively they want as much transparency as possible. Security questionnaires are long, evidence requests are deep, and certification reports are only the starting point. The result is a game of chicken in which both parties end up frustrated and risk assurance is delayed, or worse, superficial.
This imbalance isn’t sustainable.
Building a culture of trust: Bridging the gap
TPRM will not improve unless both sides are willing to meet in the middle and work together. A true partnership requires addressing the core challenges of third-party risk management directly and accepting that a balanced approach is needed. Vendors and customers must share responsibility for the security and integrity of the information exchanged: the vendor for the accuracy of what it provides, the customer for protecting it once received.
This means rethinking how organizations define "enough" information for trust. Not everything must be disclosed in raw form. Vendors can offer redacted summaries (for example, a penetration test executive summary listing finding severities and remediation status rather than the full report), attestations from credible third parties, or scoped access to sensitive documents under NDA. Customers, meanwhile, must move beyond checkbox audits and align their questions with actual risk, focusing on what truly matters instead of what is easiest to ask.
Not all controls are created equal. Only a fraction of the controls on a typical questionnaire materially reduce the risk a customer actually faces from a given vendor; reviewing every control regardless of relevance is a compliance exercise, not a security practice. Customers should concentrate on the controls that matter for the relationship. A deep dive into critical areas, such as incident response and breach notification procedures, how the vendor's staff and systems access the customer's data, and how that data is encrypted in transit and at rest, will have a far more meaningful impact than combing through irrelevant, blanket requirements.
Standardization can also help. Frameworks like HITRUST offer a common language that reduces back-and-forth: a vendor assessed once against a recognized framework can reuse that evidence with many customers, and customers can map their own requirements to it instead of drafting bespoke questionnaires. Adopting a unified framework reduces complexity and avoids unnecessary friction, and it replaces the guesswork of ad-hoc risk management with clear, actionable standards. One caveat: a certification is a point-in-time attestation against a defined scope, so customers should still confirm that the systems and services they rely on are within that scope and that the report is current.
But the real unlock is cultural: mutual respect, shared goals, and clear expectations. When vendors and customers collaborate rather than compete on risk transparency, both sides benefit. Trust is built faster, assurance is stronger, and business moves forward.
Looking ahead: Embracing partnership for a secure future
The future of TPRM is not more friction; it is more partnership. As both sides work together to improve transparency and security, TPRM will evolve into a more proactive and sustainable process.