Trust Has a Measurement Problem

Written by HITRUST | Jun 9, 2026 1:00:03 PM

In “Why HITRUST, Why Now,” HITRUST’s new Chief Trust Officer Myrna Soto makes the argument every executive team should hear: trust is larger than cybersecurity and pure-play assurance. It is a business mandate.

Boards expect transparency. Customers expect accountability. Regulators expect evidence. Executives are racing into AI, automation, cloud, and digital transformation. They need speed, but also confidence that information risk is understood, quantified, and governed. Anything less leaves no basis for trust, which is the bedrock of cybersecurity.

That is the tension of the digital economy: move faster, while proving you can be trusted at scale.

Third-party risk is where that tension becomes real.

Enterprises depend on vendors, cloud providers, processors, subcontractors, and service organizations to run critical operations and handle sensitive information. Much of the organization’s risk now sits outside its direct control. And that exposure is not simply cyber. It can include operational disruption, privacy impact, regulatory exposure, contractual loss, reputational harm, financial loss, and resilience risk.

Most organizations have responded by collecting questionnaires, certifications, audit reports, control evidence, contract terms, insurance, and exception approvals.

All of that matters. But it often fails to answer the question leaders need answered: what residual risk and exposure remains, and is it acceptable for this relationship?

That is the missing measure.

The problem is not a lack of evidence. Many teams have more evidence than they can efficiently use. The problem is fragmented evidence. A certification, questionnaire, cyber score, contract clause, audit report, and insurance certificate each tell part of the story. But they differ in rigor, scope, independence, timing, relevance, and confidence.

Without a common decision model, interpretation becomes subjective. One reviewer may emphasize a certification. Another may focus on cyber signals. A business owner may push for speed. Legal may take comfort in contracts. Insurance may create confidence, even when operational exposure remains.

This is where Myrna’s trust thesis and The Missing Measure connect. If trust must be demonstrated and operationalized, third-party risk cannot depend on inconsistent interpretation. Organizations need a way to normalize evidence, weight assurance, measure residual and retained exposure, and translate that insight into decisions leaders can defend.

This is not about reducing trust to a simplistic score. A number without methodology is just another artifact. The value comes from the discipline behind the measure: common risk language, evidence normalization, assurance weighting, residual-risk methodology, decision thresholds, portfolio visibility, and governance strong enough to support reliance.

That discipline changes the conversation. It moves third-party risk from “Did we collect the evidence?” to “What does the evidence mean?” And then to “What decision should follow?”

The shift matters because third-party decisions rarely stay isolated. One exception may be manageable when exposure is understood and mitigation is credible. Many similar exceptions across vendors, business units, data types, technologies, or geographies can create material concentration risk. Without common measurement, those patterns stay hidden until they become governance problems.

Contracts and insurance may shift financial exposure; they do not eliminate operational risk, information risk, ownership, tolerance decisions, or the need to monitor change.

That is why the missing measure is not just a better TPRM metric. It is part of the broader trust conversation.

HITRUST has long helped organizations create reliable assurance around cybersecurity and risk management practices. Myrna’s post points to the next chapter: shaping how trust is measured, operationalized, and sustained across the digital economy. The Missing Measure gives that chapter a practical use case.

Third-party risk teams do not need more disconnected artifacts. They need to understand what those artifacts mean, how much confidence they deserve, what exposure remains, and what decision should follow.

Trust has become too important to leave to interpretation. Organizations must show not only that they collected evidence, but that they can measure it, compare it, govern it, and act on it.

That is the missing measure.

And that is why HITRUST, why now.