Third Party Risk in the Age of AI. A Spotlight on Black Kite

Season 1 Episode 98 Published 2 weeks, 1 day ago
Description

Your vendors are adopting AI faster than you can assess them. What does that mean for your third party risk?

Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim and in this Spotlight on Technology episode, I'm joined by Jeffrey Wheatman, Senior Vice President and Cyber Risk Strategist at Black Kite. Jeffrey previously spent over a decade as an analyst VP at Gartner where he launched their third party cyber risk management coverage.

Third party risk management used to be fairly straightforward. If finance was happy and legal had done their redlining, you signed the contract and moved on. That world is gone. Organisations are now dependent on layers of vendors, suppliers and service providers, and the chain goes deeper than most security teams can see. When a logistics company can go from operational to out of business in five months after a ransomware attack, and one incident at Jaguar Land Rover can measurably affect UK GDP, the question isn't whether third party risk matters. It's whether your programme can keep up.

This episode covers how the old model of spreadsheets and questionnaires is giving way to intelligence-led continuous monitoring, why AI has made the problem exponentially harder and how Black Kite is helping organisations cut through the complexity, from mapping supply chain connectivity and scoring ransomware susceptibility to cutting a 500-question vendor questionnaire down to 30.

Three key talking points:

  • You can't protect what you can't see: Most organisations know who their biggest vendors are. Beyond that, it gets murky fast. This episode gets into why even mature organisations still struggle to see past the first or second layer of their supply chain, why figuring out which vendors actually matter is harder than it sounds and why Jeffrey always tells people to solve their third party problem before worrying about their fourth.
  • AI just made your third party programme ten times harder: Your vendors are already using AI, whether they've told you or not. The person you're speaking to may not even know, because it could be embedded two or three layers down. Meanwhile the market is flooded with AI solution claims and attackers are using it to move faster than ever. This episode covers the three ways AI is complicating third party risk and why most organisations haven't even begun to get their AI governance right.
  • From questionnaires to continuous intelligence: The old model of sending out hundreds of questions, hoping for honest answers and filing the results is finished. This episode covers how the industry is moving from periodic assessment to continuous monitoring, why real data beats self-reported questionnaires and how platforms like Black Kite are helping organisations focus on the vendors that actually pose a risk.

If your third party risk programme is still running on spreadsheets and annual reviews, this episode will make you uncomfortable. And it should.

On why most organisations don't know which vendors matter most:

“I always badly paraphrase Animal Farm by George Orwell. All your vendors are equal, but some vendors are more equal than others. And most people don't really know how to figure that out.”

Jeffrey Wheatman

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

When a Vendor Goes Dow
