Still guesstimating your third-party infrastructure risks from an outside perspective?

Manual processes are still holding organizations back, with even more companies (45%) reporting that they use spreadsheets to assess their third parties in 2022 vs. 2021.

Assessments performed in Spreadsheets

Bar graph showing 42% for 2021 and 45% for 2022

Dot graphic representing the 79% of firms using a TPRM program, 85% of which are assessing vendor security risk


66% of breaches are the result of vulnerabilities from suppliers and third parties. It’s no surprise that more than 80% of organizations are moderately to highly concerned about their suppliers and partners.

Dot graphic representing the 66% of breaches resulting from suppliers and third parties

The adoption of cloud computing has increased reliance on third parties, leading to additional risk and third-party security posture becoming a primary concern. The magnitude of potential risk associated with third-party issues means we need a better way to gain visibility - and ensure action is taken- than periodic assessments or “outside-looking-in” tools are able to provide.

Dial showing 40%

Only 40% say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter have little or no understanding at all of these risks — a major blind spot of which cyber attackers are well aware and willing to exploit.

The vendor assessment process is subjective, outdated, slow, error-prone, and generally broken


Third-party teams can only speak to the infrastructure they know, so responses cannot provide true insight into an environment’s state. By addressing only the “perception” of risk and not “actual” risks, these processes and “outside-looking-in” tools provide a subjective view versus objective information.


Annual assessments are an artifact of waterfall development. In a world where applications are being continuously deployed and changed, responses submitted by third parties quarterly or annually lead to outdated data that don’t provide realistic insight into a third party’s continued security posture and associated risk.

Slow & Error-Prone

The submission and review of assessments is cumbersome and time-consuming. Both third parties and internal teams spend a significant amount of time providing and reviewing information that could be out of date and addressing human error and unclear communication.

Even for the highest risk vendors, the vast majority (82%) are only assessing vendors once a year; while the majority (81%) of low-risk vendors are assessed less often than every 2 years.

Dial showing 82%

graphic showing 58% of orgs

58% of organizations agree that it is not possible to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.

Turn your TPRM Cloud Security Process Inside-Out

OpsHelm is effortless and questionnaire-free, providing real-time monitoring and risk insights across your third parties. We make the overall process of third-party management and associated cloud infrastructure risk assessments less cumbersome and manual, and more streamlined and standardized both internally at your organization, and for the organizations you work with.

OpsHelm secures your cloud environments

Want to learn more about the OpsHelm approach? Download our fact sheet here...