Supply Chain · December 2024 · 7 min.

Third Party Risk Management: Why Questionnaires Provide No Security

Vendor questionnaires are the standard – but not the solution. What alternatives exist and what technically sound TPRM looks like.

The Structural Problem with Questionnaires

Third Party Risk Management (TPRM) is established in many companies. The typical approach: new suppliers receive a comprehensive security questionnaire, must provide certifications, and the result is documented in a risk matrix. Existing suppliers are reviewed annually or upon contract changes.

This sounds good. The problem is structural: a questionnaire does not measure security, it measures compliance willingness. A supplier who knows all the right answers (and in the TPRM industry there are professional consultants who optimize exactly that) can pass any questionnaire regardless of actual security level.

Additionally: questionnaires are snapshots. Months or years can pass between completion and the next review. During this time, a supplier's security level and threat exposure can fundamentally change – through new software versions, personnel changes, changed IT infrastructure, or – in the worst case – compromises that have already occurred.

What Technical Validation Can Achieve

Unlike documentary review, technical validation captures the actual security state of a supplier – to the extent measurable from the outside:

Attack Surface Assessment: Which assets are exposed on the internet? What patch level are accessible systems on? What configuration weaknesses are visible?

Threat Intelligence Matching: Do the supplier's IPs or domains appear in known threat intelligence sources? Are there indicators of active malware infections?

Credential Exposure: Have supplier employee credentials been exposed in known data breaches or on darknet markets?

Security Configuration: Are email security standards (SPF, DKIM, DMARC) correctly implemented?

This data can be collected automatically and continuously – no questionnaire, no waiting for answers, no trust in self-declarations.
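Of the checks listed above, the email security configuration is the easiest to reproduce without special tooling. The following Python script is an added illustration, not code from the article: it evaluates SPF, DMARC and DKIM TXT records that have already been fetched via DNS and turns them into findings with a severity. The supplier domains and records are constructed sample data, and the severity thresholds are this example's own assumptions rather than a published standard.

```python
"""Offline evaluation of a supplier's email-authentication records (added example).

Assumes the TXT records were fetched beforehand, e.g. with
dns.resolver.resolve(name, "TXT") from dnspython; the records below are
constructed sample data, not real lookups.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    detail: str


# Constructed sample records for two hypothetical supplier domains.
SAMPLE_RECORDS = {
    "weak-supplier.example": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-supplier.example",
        "dkim": {},  # no selector published
    },
    "strong-supplier.example": {
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong-supplier.example; pct=100",
        "dkim": {"s1": "v=DKIM1; k=rsa; p=EXAMPLEKEYDATA"},  # constructed key material
    },
}

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def parse_spf(record):
    """Split an SPF record into terms; return (terms, qualifier of 'all', DNS-lookup count)."""
    terms = record.split()
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if body == "all":
            all_qualifier = qualifier
        elif body.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS or body.startswith("redirect="):
            lookups += 1  # each of these costs a DNS query (RFC 7208 allows at most 10)
    return terms, all_qualifier, lookups


def evaluate_spf(record):
    if not record:
        return [Finding("high", "spf", "no SPF record; sender addresses can be spoofed")]
    if not record.lower().startswith("v=spf1"):
        return [Finding("high", "spf", "record does not start with v=spf1 and is ignored by receivers")]
    terms, all_qual, lookups = parse_spf(record)
    findings = []
    if all_qual == "+":
        findings.append(Finding("critical", "spf", "'+all' authorises every host to send as this domain"))
    elif all_qual == "?":
        findings.append(Finding("high", "spf", "'?all' yields neutral for unlisted hosts; no enforcement"))
    elif all_qual is None and not any(t.startswith("redirect=") for t in terms):
        findings.append(Finding("medium", "spf", "no terminal 'all'; unlisted hosts evaluate to neutral"))
    elif all_qual == "~":
        findings.append(Finding("low", "spf", "'~all' softfail; enforcement depends on DMARC"))
    if lookups > 10:
        findings.append(Finding("high", "spf", f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)"))
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append(Finding("low", "spf", "'ptr' mechanism is deprecated"))
    return findings


def parse_tag_record(record):
    """Parse 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    if not record:
        return [Finding("high", "dmarc", "no DMARC record; SPF/DKIM results are not enforced")]
    tags = parse_tag_record(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "dmarc", "record lacks v=DMARC1 and is ignored")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "dmarc", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "dmarc", "p=quarantine; move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(Finding("high", "dmarc", f"unknown or missing policy '{policy}'"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", "dmarc", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("low", "dmarc", "no rua= address; aggregate reports are not collected"))
    return findings


def evaluate_dkim(selectors):
    # Selectors are not enumerable via DNS; absence may be a lookup gap, not a misconfiguration.
    if not selectors:
        return [Finding("medium", "dkim", "no DKIM selector found for the checked selector names")]
    findings = []
    for name, record in selectors.items():
        if not parse_tag_record(record).get("p"):
            findings.append(Finding("medium", "dkim", f"selector '{name}' has an empty p= (revoked key)"))
    return findings


def assess_email_security(records):
    """Return (worst severity, findings) for one supplier's fetched records."""
    findings = (evaluate_spf(records.get("spf")) + evaluate_dmarc(records.get("dmarc"))
                + evaluate_dkim(records.get("dkim", {})))
    worst = max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="info")
    return worst, findings


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        worst, findings = assess_email_security(records)
        print(f"{domain}: {worst}")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

To run this against a real supplier, fetch the TXT records for the apex domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` first and pass them in; the only part that cannot be fully automated is DKIM, because selector names are not discoverable and must be taken from observed mail headers.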

A Pragmatic Approach to TPRM

Technically sound TPRM does not need to completely replace the questionnaire model – it complements it. A sensible combination:

1. Onboarding: Questionnaire for context and self-declaration + technical validation for actual state

2. Continuous Monitoring: Automated tracking of critical suppliers for technical changes, new threat indicators, credential leaks

3. Escalation: Clear process for when a supplier is classified as compromised or high-risk

For NIS2 and DORA, this approach is not only sensible but expected by regulators.
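The monitoring and escalation steps above come down to comparing what was measurable about a supplier at two points in time and deciding when a change warrants action. The Python below is an added example, not the article's or any vendor's code: it diffs two per-supplier exposure snapshots and maps the changes to an escalation tier. The supplier names, hosts and indicators are constructed sample data, and the tier rules are assumptions chosen for illustration.

```python
"""Continuous-monitoring diff for supplier exposure snapshots (added example).

Assumes each monitoring run yields one Snapshot per supplier from external
data (asset scan, threat-intel match, breach lookup, DNS); the snapshots
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    supplier: str
    exposed_services: frozenset   # "host:port/service" visible from the internet
    threat_intel_hits: frozenset  # supplier IPs/domains matched in TI feeds
    leaked_credentials: int       # employee credentials seen in breach data
    dmarc_policy: str             # "none" | "quarantine" | "reject" | "missing"


@dataclass(frozen=True)
class Change:
    kind: str
    detail: str


# Services whose new exposure is treated as high-risk (assumption for this example).
ADMIN_SERVICES = {"rdp", "ssh", "smb", "vnc", "mgmt"}


def diff_snapshots(old, new):
    """List what changed between two runs for the same supplier."""
    changes = []
    for svc in sorted(new.exposed_services - old.exposed_services):
        changes.append(Change("new_exposure", svc))
    for svc in sorted(old.exposed_services - new.exposed_services):
        changes.append(Change("removed_exposure", svc))
    for ioc in sorted(new.threat_intel_hits - old.threat_intel_hits):
        changes.append(Change("threat_intel_hit", ioc))
    if new.leaked_credentials > old.leaked_credentials:
        delta = new.leaked_credentials - old.leaked_credentials
        changes.append(Change("credential_leak", f"+{delta} credentials"))
    if new.dmarc_policy != old.dmarc_policy:
        changes.append(Change("config_change", f"DMARC {old.dmarc_policy} -> {new.dmarc_policy}"))
    return changes


def classify(snapshot, changes):
    """Escalation tier for the current state; the rules are this example's assumptions."""
    if snapshot.threat_intel_hits:
        return "compromised"          # active indicator: escalate regardless of other changes
    kinds = {c.kind for c in changes}
    new_admin = any(c.kind == "new_exposure" and c.detail.rsplit("/", 1)[-1] in ADMIN_SERVICES
                    for c in changes)
    if "credential_leak" in kinds or new_admin:
        return "high-risk"
    if kinds - {"removed_exposure"}:
        return "elevated"             # something changed; review, no escalation yet
    return "stable"


def monitor(previous, current):
    """Compare two runs keyed by supplier; suppliers without a baseline start from empty."""
    report = {}
    for name, snap in current.items():
        baseline = previous.get(name) or Snapshot(name, frozenset(), frozenset(), 0, "missing")
        changes = diff_snapshots(baseline, snap)
        report[name] = (classify(snap, changes), changes)
    return report


# Constructed sample runs: last month vs. today.
PREVIOUS = {
    "acme-logistics.example": Snapshot(
        "acme-logistics.example", frozenset({"mail.acme-logistics.example:443/https"}),
        frozenset(), 0, "quarantine"),
    "beta-parts.example": Snapshot(
        "beta-parts.example", frozenset({"www.beta-parts.example:443/https"}),
        frozenset(), 2, "reject"),
}
CURRENT = {
    "acme-logistics.example": Snapshot(
        "acme-logistics.example",
        frozenset({"mail.acme-logistics.example:443/https", "gw.acme-logistics.example:3389/rdp"}),
        frozenset(), 0, "quarantine"),
    "beta-parts.example": Snapshot(
        "beta-parts.example", frozenset({"www.beta-parts.example:443/https"}),
        frozenset({"198.51.100.7"}), 2, "reject"),
}

if __name__ == "__main__":
    for supplier, (tier, changes) in monitor(PREVIOUS, CURRENT).items():
        print(f"{supplier}: {tier}")
        for c in changes:
            print(f"  {c.kind}: {c.detail}")
```

The point of keeping the diff and the classification separate is that the change list is the evidence handed to the supplier or the escalation owner, while the tier rules are the part each organisation tunes to its own risk appetite and contractual obligations.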

Note: This article is for general information and does not replace individual consulting.
