
Third-Party Security Risk Management Playbook

This is the definitive study of third-party security risk management practices. Based on in-depth interviews of risk executives from 30 domestic and global firms, it reveals the real-world capabilities and practices employed to manage third-party security risk.

This is what real firms are doing to solve third-party security risk, distilled into 14 capabilities spanning 72 practices.

  • Benchmark your program
  • Learn the most common third-party risk management practices
  • Gain insight into pioneering practices that are changing the game

A study sponsored by RiskRecon.


Playbook Structure

The Playbook is organized as a set of 14 capabilities containing a total of 72 practices. The capabilities are divided into three domains.

About Third-Party Security Risk Management Playbook

The Third-Party Security Risk Management Playbook (Playbook) provides a window into the capabilities and practices organizations employ to manage third-party security risk. The Playbook is built directly from the third-party security risk management practices observed in 30 leading enterprises in both the United States and the United Kingdom.

Compare your own program with the Playbook data about what other organizations are doing. You can then identify your own goals and objectives and refer to the Playbook to determine which capabilities and practices make sense for you.

Why Third-Party Risk Matters

Big Impact

Enterprises entrust the protection of their crown jewels—their customer data, their reputation, their finances, and their business availability—to third parties. Are they trustworthy? Why? Why not? What should be done about it? These questions are yours to answer and execute on. A breach of your third party is a breach of your enterprise.

The Greater Good

Third-party risk management is a process of holding enterprises accountable to good security practices. As you improve the security of your third parties, you improve the security of the Internet. It decreases the likelihood of data being breached. It decreases the likelihood of systems being turned into DDoS drones or malware servers. It increases the likelihood that systems are going to be consistently available to fulfill their intended purposes. The work of third-party risk management is work for the greater good.

Big Challenge

Third-party risk management is hard. It requires deep transparency, strong accountability, and effective collaboration. Third-party risk has to achieve this position with hundreds and even thousands of organizations while being an outsider to every organization. Additionally, third-party risk has to solve this with limited personnel and resources. This need—to achieve really good risk outcomes from the outside with limited resources—will result in dramatic risk management innovation, chief among which will be the development of machine learning and artificial intelligence-based risk assessment capabilities. These inventions will occur within the context of third-party risk management and be adopted by enterprises for internal risk management. Necessity is the mother of invention, and the necessity is pressing in a big way.

About Us

RiskRecon is leading the transformation of third-party security risk management, providing the world’s most advanced continuous surface security risk assessment and monitoring capabilities. Learn more about the transformational capabilities that RiskRecon can help you realize at

Deep transparency. Strong accountability. Continuous collaboration.