CISOs Investigate: Third Party Risk Management Is a Peer-driven Buyers Guide for Security Professionals

Security Current announced today the release of its CISO-authored report, CISOs Investigate: Third Party Risk Management (TPRM). As part of the exclusive CISO-authored research series, this report offers security leaders real-world insights as they make business-driven technology decisions when they engage partners, vendors, suppliers and other third parties.

CISOs Investigate: Third Party Risk Management includes contributions from security leaders who have built third party risk programs in house and who have deployed, or are looking to deploy, third-party risk management solutions. Spanning verticals, the CISO contributors share first-hand use cases and provide guidance from their own experience and expert knowledge.

The lead researcher and author of the report is alliantgroup CISO Mike Davis, joined by the series executive editor, higher education CISO Bob Turner.

CISO Editors Include:
Cherokee Nation Businesses CISO Nikk Gilbert
Premise Health CISO Joey Johnson
ServiceMax CISO Al Ghous
Woodforest National Bank CISO & SVP Information Security Marc Crudgington

CISO Contributors Include:
Hellman & Friedman CISO Matt Hollcraft
H.I.G. Capital CISO Marcos Marrero
Markel Corporation CISO & Privacy Officer Patricia Titus
Nexteer Automotive CISO & Privacy Officer Arun DeSouza
Ricoh USA, Inc. VP Corporate and Information Security, CSO David Levine
RWJBarnabas Health CISO Hussein Syed

“Third Party Risk Management is an essential component of an effective cyber-security risk management program. This report is different than anything available, as my peers and I applied our know-how building and maintaining TPRM programs. We talk about our challenges and use our real-world experiences, what has worked for us and what hasn’t, to provide information on what an effective program should look like,” says lead researcher and author Mike Davis. “CISOs Connect: Third Party Risk Management was a collaborative effort like none other that will provide CISOs who have yet to build a program as well as those who have existing programs useful insights that will assist them in their TPRM, which is paramount to securing their organizations.”

Executive Editor Bob Turner adds: “This CISOs Investigate report helps the CISO answer the questions from the C-suite and Board when they need to know the company’s data is safe and secure. TPRM is an important topic, as many are moving from the premise data center to services offered by third and sometimes fourth parties. Mike Davis and the CISOs who contributed to this report are eager to help other CISOs solve their greatest challenge, knowing how corporate assets are secured wherever the data lives. Trust comes from understanding.”

The report includes sections on the technology and programs – whether designed and built in house, outsourced to a TPRM vendor or a combination. It also reviews staffing implications, recommendations for TPRM to the C-Suite and possible objections and obstacles.

“For any CISO looking to understand how to build a TPRM program or how to enhance one already in place, this CISOs Investigate report will help them answer many of the questions they may have. From Legal implications, Board questions, to what makes up a complete program, the CISOs Investigate report has answers and demonstrable information for a TPRM program owner and/or stakeholder,” says Marc Crudgington, CISO and SVP Information Security of Woodforest National Bank. “The collaborative effort put into the report was from individuals across a number of industries each adding a different perspective to the report as well as backing up the input of other contributors. Third Party Risk Management is a key component to a robust Information Security/Cybersecurity program in which the importance cannot be overstated. The CISOs Investigate report is a comprehensive guiding document that will add value to one’s TPRM program.”

Al Ghous, CISO of ServiceMax, adds: “The CISOs Investigate: Third Party Risk Management (TPRM) report was the result of a broad cross section of security industry leaders coming together to provide insight into what it takes to build and manage a successful TPRM program. Considerations were raised and discussed among the CISOs who held varying points of view. We had contributions from healthcare, automotive, higher education, SaaS, financial services, and other industries, so it’s safe to say we did not leave any stone unturned. I think this report will be beneficial to security leaders in a wide array of industries.”

The report is free to members of CISOs Connect, an invitation-only knowledge sharing platform run by Security Current, which is only for enterprise CISOs. You can request to join CISOs Connect at

“Third Party Risk Management is an important part of an enterprise risk management triad with security and privacy, providing cost savings, efficiency, compliance and business value protection. TPRM’s role in contract management and service assurance also minimizes business risk,” says Arun DeSouza, CISO of Nexteer Automotive. “CISOs Investigate TPRM provides real-world information on setting up and/or maintaining a program as well as the value and insights gained by various components.”

The vendor-neutral report contains RFIs designed by the Editorial Board and offered to TPRM vendors to complete at no charge.

NormShield, a leader in TPRM, is the platinum sponsor. “While conducting research for the paper, we spoke to a number of TPRM vendors and we want to thank them for their valuable insight. We want to give a special thank you to NormShield for their support and to CEO Paul Paget for his exceptional guidance for CISOs looking to achieve risk based TPRM that meets corporate risk tolerance without the churn,” says Marcos Marrero, H.I.G. Capital CISO.

Enterprise security professionals can also request copies on Vendors who are interested in sponsoring or licensing the report can obtain more information by writing to

About Security Current
Security Current improves the way security, privacy and risk executives collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions. Its invitation-only CISOs Connect community allows for CISOs to communicate with each other and share knowledge and expertise with their peers.