“This is not a third-party risk management problem. It’s a data management problem. It’s truly simply the number of third parties you share data with.”
Third-party vendors are central to a thriving digital economy. They help organizations scale, innovate and deliver with speed. Adding third-party vendors to a company’s ecosystem, however, comes with a growing challenge: the hidden security risks embedded in extended digital ecosystems—specifically, the cumulative risk of a data breach initiated in the third-party realm.
The critical word here is cumulative. “Traditional risk assessments such as questionnaires, SOC reports and vendor scores are all very useful tools, but they tend to look at vendors individually,” noted Trecia Knight, MBA, CISSP, CCSP, Cybersecurity & AI Governance Consultant, Knight Aegis Consulting. Knight, who moderated the License to Secure: A People-Centric Approach to Managing Cumulative Third-Party Data Breach Risk panel at ISC2 Security Congress 2025 in Nashville, explained, “The real challenge isn't just one vendor being breached. It's a cumulative risk across dozens or hundreds of vendors that handle our data every day.”
This panel session tackled a pressing topic for cybersecurity leaders, convening Christine Dewhurst, B.Math, a Partner at NSC Tech, and Thomas Lee, Ph.D., CEO of VivoSecurity, to discuss a quantitative model for assessing the cumulative risk of experiencing a data breach. Large organizations (i.e., those with 1,000+ employees) can use this model to better understand their data breach risk, communicate that risk to executive stakeholders and mitigate it by evaluating the collective security posture of their third-party vendors.
The panel discussion dove into “the unseen layers of third-party risk to explore how to move beyond compliance checkboxes and begin measuring and managing risk in a way that reflects the complexity of today’s interconnected business environment,” said Knight.
Three Crucial Considerations for Measuring Third-Party Vendor Risk
What’s the real problem with measuring the risk of a third-party data breach?
First and foremost, cybersecurity leaders and other stakeholders across the business must understand the fundamental nature of third-party data-breach risk. Lee emphasized, “This is not a third-party risk management problem. It’s a data management problem.”
Explaining why cumulative risk is such a critical and overlooked challenge today, Lee noted that “third-party data breaches account for more than 50% of large data breaches—and possibly more because companies aren't compelled to have to report that it was caused by a third party.” The risk is not vendor-by-vendor; it is cumulative. According to Lee, “I don't think companies realize the order of magnitude” of the cumulative risk of large data breaches.
Dewhurst added that the uncertainty around who is accountable for an organization’s data breach is a fundamental problem as well. She explained, “Where it gets really complicated is accountability.” She asked the audience who is culpable: “Is it the third party? The CISO? The executive who owns the data? The executive that's signing the contract to share the data that another executive owns?” The answer varies from organization to organization.
“When you have the question of who owns third-party risk, it’s like a Venn diagram. Everybody owns a piece of it, and it's very difficult to get your arms wrapped on it,” said Dewhurst. That is one reason why using a quantitative model based on data is so important for understanding the cumulative risk of a third-party data breach. "If you can't figure out who's accountable, you don't know who's supposed to measure it,” she added. The model will get all stakeholders on the same page.
So, what is the model? It’s simple: 0.07 × N, where N is the number of vendors your organization shares data with. With this straightforward formula, an organization can calculate the probability of a cumulative third-party data breach and rally around the data to manage that cumulative risk.
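To make the arithmetic of the 0.07 × N estimate concrete, here is an added example (not code from the panel, the white paper or ISC2) that tabulates the panel's linear formula for several vendor counts and places it beside a compounding form, 1 − (1 − 0.07)^N, which treats each vendor as an independent event with a 7% chance of causing a breach. The compounding form, the independence assumption behind it and the sample vendor counts are this example's own assumptions; the panel stated only 0.07 × N. The comparison shows the caveat a practitioner should keep in mind: the linear form passes 1.0 at 15 vendors, so it cannot be read literally as a probability for the dozens or hundreds of vendors the panel described.

```python
"""Added example: the panel's 0.07 x N estimate beside an independent-vendor
compounding form. The compounding form and the sample vendor counts are this
example's own assumptions, not part of the panel's model."""

PER_VENDOR_RATE = 0.07  # the per-vendor coefficient quoted by the panel


def linear_estimate(n_vendors: int, rate: float = PER_VENDOR_RATE) -> float:
    """The panel's formula exactly as stated: 0.07 x N."""
    return rate * n_vendors


def compound_estimate(n_vendors: int, rate: float = PER_VENDOR_RATE) -> float:
    """Assumption (not the panel's): each vendor is an independent event with
    probability `rate`, so P(at least one vendor-caused breach) = 1 - (1-rate)^N.
    Unlike the linear form this never exceeds 1, whatever N is."""
    return 1.0 - (1.0 - rate) ** n_vendors


def first_n_exceeding_one(rate: float = PER_VENDOR_RATE) -> int:
    """Smallest vendor count at which the linear form stops being a valid
    probability (i.e. rate * N > 1)."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    n = 1
    while rate * n <= 1.0:
        n += 1
    return n


def risk_table(vendor_counts, rate: float = PER_VENDOR_RATE):
    """Rows of (N, linear estimate, compound estimate), rounded for display."""
    return [
        (n, round(linear_estimate(n, rate), 3), round(compound_estimate(n, rate), 3))
        for n in vendor_counts
    ]


if __name__ == "__main__":
    # Constructed sample vendor counts spanning the "dozens or hundreds" the panel described.
    sample_counts = [1, 5, 10, 14, 15, 50, 100]
    print(f"{'N':>5} {'0.07 x N':>10} {'1-(1-0.07)^N':>14}")
    for n, lin, comp in risk_table(sample_counts):
        print(f"{n:>5} {lin:>10.3f} {comp:>14.3f}")
    print("linear form exceeds 1.0 at N =", first_n_exceeding_one())
```

Run it as a script to print the table. The 0.07 coefficient is taken from the page and comes with no stated time horizon or confidence interval, so treat both columns as a way to compare vendor counts against each other rather than as calibrated figures.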
Why is a people-centric approach important for mitigating cumulative third-party risk?
Lee, along with his collaborators, developed an empirical regression model to calculate the probability of experiencing a data breach. The model “is not based on an opinion or assumptions or theory,” said Lee. The people-centric approach is central to the model’s accuracy. “We discovered that we could develop a really accurate model based on just six factors that are head-count factors.”
Specifically, Lee and his collaborators found that "the two most important factors for reducing the probability of a data breach are counting the number of people at the organization that have the CISSP certification and counting the number of people that have the CISA certification,” as noted in the Assessing the Effectiveness of Third-Party Risk Management using Quantitative Models white paper.

As Lee shared with the audience, “I could tell you this is remarkably predictive, so it's telling us something about cybersecurity: staffing levels really matter.” In short, he pointed out, “The companies that are responsible for most of the data breaches are simply understaffed, compared to average.”
Having used the model, Dewhurst attested, “People matter.” This insight, amidst a sea of other metrics such as pen-testing outcomes, vulnerabilities and Bitsight scores, offers a new lens through which to “look at an organization before you share your data with it.” It allows better scrutiny of third-party vendors by asking them questions such as, “How many CISSPs and CISAs do you have at your company?” That probing question is essential. As Dewhurst explained, “What we find is when you look at that people-centric approach, and you do those checks, you then can figure out whether you want to share your data” with that third-party vendor.
In doing so, organizations can effectively weed out vendors who don’t meet security standards—those whose investment (or lack thereof) in credentialed cybersecurity professionals reveals their true level of commitment to protection.
This people-centric approach validates the value of CISSP and CISA certifications empirically. As Lee said, “We've objectively measured your value. If you've got a CISSP, it's not an opinion.” He added, “Cybersecurity people don't think this way; they think of controls, right? But that's what we've done.” Commending the audience containing many CISSP holders, Lee pointed out, “We've objectively measured your value, and I can say that you really matter, and that companies that don't hire enough of you are the ones that are going to have the data breaches in it.”
How can cybersecurity leaders go beyond check-box compliance?
Going beyond check-box compliance requires cultural change and a pragmatic way of thinking about third-party vendor risk. As Lee reiterated, “This is a data management problem, not a vendor management problem, so that's important to know.” He also emphasized that risk cannot be pinned on any single vendor; instead, “You need to think of cumulative risk (e.g., having a hundred vendors with whom you share data); that’s the risk.” Accordingly, roles such as data governance and information governance are an integral part of risk mitigation. These governance teams can collaborate with the CISO when vetting third-party vendors.
Dewhurst added that every organization “needs a champion” to carry the torch for empirically calculating the cumulative risk of a data breach from third-party vendors. A people-centric, data-driven approach can turn addressing third-party risk into a strategic advantage. This transformation can occur, however, only if an organization avoids what Lee describes as the most common mistake: “inaccurate data.”
The Transformation of Cumulative Third-Party Risk Management
Holding an ISC2 CISSP certification is invaluable, as empirically validated by Lee’s cumulative risk model. Inspiring current and future CISSP holders, he said, “I can tell you, statistically speaking, that you make a much larger contribution to security than people realize, and certainly more.” Without question, CISSP leaders are integral to ensuring a safer and more secure world as extended digital ecosystems continue to proliferate with more and more third-party vendors.