Dark Reading: Checkbox Assessments Aren’t Fit to Measure Risk

May 14, 2026

Security governance needs to be more than an annual compliance exercise. New companies are emerging to address risk-management gaps in current audit tools.

A rapidly evolving threat landscape with highly adaptable and increasingly sophisticated threat actors is no place for checkbox compliance assessments that merely audit organizations’ security postures once a year. That’s why security professionals and industry experts are calling for compliance models that take a more continuous approach, and more companies continue to emerge in the space. 

Industry leaders and CISOs continually poke holes in the way governance, risk management, and compliance (GRC) and third-party risk management (TPRM) assessments are conducted — and the holes are only growing bigger. Yearly assessments, with their static questionnaires to determine an organization’s risk level, are stagnant, which is the polar opposite of how attackers behave. Threat actors can now find and exploit vulnerabilities faster and discover new vectors to conduct supply chain attacks. 

When the compliance industry started, assessments mirrored finance industry models: a yearly audit to determine whether companies met objectives and obligations, explains Sravish Sridhar, TrustCloud CEO and founder. 

“Attackers weren’t worldwide and trying to infiltrate you from every angle,” he says.

Old models were fine when IT changes and IT fragmentation happened more slowly. But now the pace is accelerating faster than most organizations can handle, he says.

With the static, check-the-box approach, a vendor can be fully compliant on paper with its third-party program and still introduce meaningful risk into the business, says Lamont Atkins, partner at McKinsey. Atkins has also observed CISOs move decisively away from questionnaire-driven checkbox compliance models toward more continuous and evidence-based assurance. 

Modern TPRM platforms continuously monitor vendors for vulnerabilities, misconfigurations, and breach signals rather than relying on static questionnaires, and they use artificial intelligence (AI) to analyze those signals and assess risk, explains Swee Khan Goh, Omdia research analyst. He singled out UpGuard, BitSight, and OneTrust as three companies doing well in this space.

‘It’s Not a Predictor of Risk Whatsoever’ 

While launching TrustCloud, whose 2,000 customers range from pharmaceutical and healthcare to government and manufacturing, Sridhar heard from CISOs that GRC stood for “government, risk, and check the box.” They told him that we live in a world where vulnerabilities and risk are growing higher and higher, and compliance obligations are getting larger due to all the regulations.

When he asked CISOs for a better alternative, they described a continuous monitoring engine with graphs that connect all the interdependencies in their businesses, looking at every node and validating whether it is operating effectively, he says. 

“It was an ‘aha’ moment for us,” Sridhar tells Dark Reading. 

Therefore, he focused development on building a tool for scale and complexity to meet an array of enterprise needs. The new threat landscape left TrustCloud with three main challenges while working on the platform over the past four-and-a-half years. First, the company had to develop a tool that could be integrated to fit a variety of enterprise rules and environments. Next, it had to solve for scale: companies manage an overwhelming number of assets, including human and nonhuman identities. Third, every CISO has their own style, and Sridhar wanted them to be able to take all the complex data and translate it into the story they want to tell.

For example, CISOs need assessment tools that help them communicate clearly to the board and leadership, whether that board lacks technical expertise or is more risk-focused than others. Sridhar factored those needs in, knowing how important it is for CISOs to elicit emotion during presentations to the board and the leadership who oversee the budget and operations.

He wanted the board to “react to the results,” whether in a positive way or perhaps with more anxiety if the assessment results spotted trouble. 

CISOs also need a way to show more tangible data, such as how they are contributing to revenue, accelerating the business, or reducing financial risk, Sridhar adds.

“The current compliance process is useless in most companies,” Sridhar says. “A light security questionnaire — it’s not a predictor of risk whatsoever.” 

Change the Model, Change the Mindset

To create a model that can keep up with today’s threat landscape, Atkins urges companies to leverage TPRM platforms that provide ongoing visibility into attack surface, security posture, and incident signals. Some organizations are using AI to streamline questionnaires, but they can also use it to reduce reliance on questionnaires altogether by automating evidence collection, mapping controls across frameworks, and identifying gaps in real time, he adds. 

Companies should ask themselves three main questions, McKinsey’s Atkins says. Which suppliers truly underpin critical operations? Which are hidden concentration risks? And what is the operational blast radius if a key vendor fails? 

“That’s a fundamentally different mindset from traditional compliance-driven TPRM,” Atkins tells Dark Reading. “To take the advantage, we must encourage a convergence between third-party risk management and attack surface management, as well as a broader reframing of TPRM as a component of enterprise resilience, not just a procurement or compliance function.”

CISOs don’t want to know whether a vendor claims to have controls in place. They want to understand how a failure would impact critical business processes, says Optiv CISO Rob Gregory. Another notable shift he has observed is toward scenario-based risk analysis, which helps security leaders prioritize what matters instead of treating all findings as equal.

“AI‑assisted analysis is also starting to mature, especially in translating technical risk into clear, board‑level narratives,” Gregory tells Dark Reading. “Vendors that can support continuous insight, automation, and business context are resonating most with experienced CISOs.”

As risks expand and attackers leverage more advanced tooling, the space is bound to keep evolving. But the most important aspect of risk assessment will remain: building trust between security teams and stakeholders. That extends to consumers as well. 

“Trust doesn’t imply that you’re perfect,” Sridhar says. “Trust implies you will have breaches. You will have anomalies. There will always be days in which you have a bad day, but it’s how you react and how you own up to it, and how you remediate. That’s how you build trust.” 