Third Party

Are You Measuring the Right Risks…Or Just the Easiest Ones?

31 min · 20 May 2026

Description

Are you measuring the right risks in your third party risk management program—or just the easiest ones? In this episode, we break down how most teams approach third party risk management metrics and why those metrics often fail to reflect real business risk. If you’ve ever wondered whether your TPRM strategy is actually driving better decisions or just producing reports, this conversation will challenge how you think about risk measurement.

Hosts Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the gap between what organizations track and what actually matters—from misleading metrics and “top vendor” lists to the struggle of communicating risk to executives who don’t see the value. You’ll learn how to rethink your approach to third party cyber risk management, move beyond surface-level reporting, and focus on the signals that truly impact your business.

In this episode, you’ll learn:

  • Why most third party risk metrics are based on convenience, not impact
  • The difference between measuring activity vs. measuring real risk
  • How to make risk meaningful to boards and executive stakeholders
  • What “good” risk metrics actually look like in practice
  • How to avoid false confidence from incomplete or misleading data

Don’t risk building your strategy on the wrong signals. Learn how to measure what actually matters—and make better decisions because of it.


All episodes

19 episodes


Mythos Hype Check: TPRM Paradigm Shift or Big Nothing Burger

A new AI model called Mythos promises to find vulnerabilities faster than any human team. But what does that actually mean for the security leaders responsible for managing third-party risk? In this special episode, Jeffrey Wheatman is joined by Bob Maley, Ferhat Dikbiyik, and Black Kite co-founder and CTO Candan Bolukbas to break down what Mythos and Project Glasswing actually change, and what they don't.

The numbers are already alarming. Forty-eight thousand CVEs published in 2025. A 43-day mean time to patch. An exploitation window that has gone negative, meaning threat actors are exploiting vulnerabilities an average of seven days before defenders even know they exist. Mythos accelerates vulnerability discovery, but as the team makes clear, discovering more vulnerabilities faster only matters if you have a program built to handle it.

In this episode, you will learn:

  • What Mythos and Project Glasswing actually are and why the hype may be outpacing the reality
  • Why the vulnerability deluge is already unmanageable with traditional CVSS-based prioritization
  • How the 135-day embargo window affects your third-party exposure
  • Why fourth-party risk, meaning what your vendors run rather than just who they are, is becoming the real blind spot
  • What SBOMs have to do with the future of supply chain vulnerability management
  • The three things security leaders should do right now to prepare their programs

This is not a theoretical conversation. It's the one your program needs before the window closes.

Yesterday · 45 min

Are You Measuring the Right Risks…Or Just the Easiest Ones?


20 May 2026 · 31 min

Why Automation Is Creating More Cyber Risk

Automation vs Accuracy in TPCRM is one of the biggest challenges in modern third-party risk management. In this episode, we break down how the push for faster automation is impacting accuracy, and what that means for your TPCRM program. If you’re relying on automation to scale vendor risk assessments, this conversation will help you avoid costly blind spots and make smarter decisions.

Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the real tradeoffs between speed and accuracy in TPCRM, exploring how automation can both strengthen and weaken your risk posture. They discuss the dangers of over-relying on data, where AI-driven decisions fall short, and why human judgment still plays a critical role in identifying real risk. This episode is essential for anyone responsible for vendor risk, cybersecurity, or compliance who wants to scale effectively without sacrificing confidence in their decisions.

In this episode, you’ll learn:

  • How automation in TPCRM can unintentionally increase risk
  • The hidden tradeoffs between speed and accuracy in vendor assessments
  • Why more data doesn’t always lead to better decisions
  • Where AI and algorithms fall short in real-world risk scenarios
  • How to balance automation with human judgment for better outcomes
  • Practical ways to improve visibility and decision-making in your TPCRM program

Don’t risk scaling bad decisions faster. Learn how to balance automation and accuracy to protect your business.

6 May 2026 · 34 min

How to Calculate the Real Cost of a Third-Party Breach

Calculating the real financial impact of a third-party breach is one of the hardest challenges in cybersecurity today. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik explore how organizations can move beyond vague warnings about risk and start putting real numbers behind the potential cost of a third-party breach. If you want security leaders, executives, and boards to take third-party cyber risk seriously, you need to understand how to quantify its financial impact.

Many security teams still rely on qualitative risk language like “high,” “medium,” or “critical,” but those labels rarely drive action. Jeffrey, Bob, and Ferhat break down why calculating the financial impact of a third-party breach is essential for communicating with executives, prioritizing vendors, and securing the right investments in risk management. From understanding uncertainty to building models that are accurate enough to guide decisions, this conversation offers practical insight into how leading teams estimate breach costs and translate cyber risk into business language.

In this episode, you’ll learn:

  • Why calculating the financial impact of a third-party breach is critical for executive decision making
  • How security leaders translate cyber risk into dollars, euros, or pounds
  • Why “something bad could happen” is not enough to justify cybersecurity investment
  • The difference between precision and usefulness when modeling cyber risk
  • How risk quantification helps prioritize vendors and third-party exposures
  • Why boards and executives respond better to financial risk than technical risk language

Don’t risk letting third-party cyber risk remain invisible to leadership. Learn how to calculate the real financial impact of a third-party breach and turn risk conversations into decisions that protect your organization.

  • 0:00 Introduction & Teaser
  • 0:50 Welcome & Episode Overview
  • 2:01 Guest Introduction: Jack Jones & the Origin of FAIR
  • 7:17 Challenges to Implementing Risk Quantification
  • 10:57 Wrap-Up with Jack Jones
  • 11:23 Calculating Financial Impact of a Third-Party Breach
  • 25:54 Precision vs. Accuracy in Risk Models
  • 30:01 Research Roundup: Cybersecurity Outlook 2026
  • 36:44 Agree or Disagree
  • 39:41 Outro & Next Episode Preview

22 Apr 2026 · 40 min

Vendor Sprawl Is Out of Control (Here’s How the Best Teams Fix It)

Vendor sprawl is out of control, and most organizations have far more third-party vendors than they realize. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the growing problem of vendor sprawl and why it has quietly become one of the biggest sources of cyber risk. If your organization relies on dozens or hundreds of third parties, this conversation will help you understand how vendor sprawl creates hidden exposure and what the best teams are doing to manage it.

As companies adopt more SaaS tools, cloud services, AI platforms, and specialized vendors, visibility and control become harder to maintain. Jeffrey, Bob, and Ferhat break down how vendor sprawl happens, why simply adding more tools does not solve the problem, and how leading security and risk teams are changing their approach to third-party risk management. From rogue applications to overlapping tools and hidden dependencies, this episode explores practical strategies for regaining visibility and prioritizing the vendors that actually matter.

In this episode, you’ll learn:

  • Why vendor sprawl is accelerating across modern organizations
  • How hidden third parties introduce unexpected cyber risk
  • The difference between vendor visibility and real vendor risk management
  • Why adding more tools can sometimes make the problem worse
  • Practical ways security teams are prioritizing the vendors that matter most
  • How AI and automation are changing third-party risk management

Don’t risk letting vendor sprawl quietly expand your attack surface. Learn how leading teams are taking back control before hidden vendor risk becomes the next breach.

8 Apr 2026 · 38 min