Vendor Sprawl Is Out of Control (Here’s How the Best Teams Fix It)

Are You Measuring the Right Risks…Or Just the Easiest Ones?

Are you measuring the right risks in your third party risk management program—or just the easiest ones? In this episode, we break down how most teams approach third party risk management metrics and why those metrics often fail to reflect real business risk. If you’ve ever wondered whether your TPRM strategy is actually driving better decisions or just producing reports, this conversation will challenge how you think about risk measurement. Hosts Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the gap between what organizations track and what actually matters—from misleading metrics and “top vendor” lists to the struggle of communicating risk to executives who don’t see the value. You’ll learn how to rethink your approach to third party cyber risk management, move beyond surface-level reporting, and focus on the signals that truly impact your business. In this episode, you’ll learn: * Why most third party risk metrics are based on convenience, not impact * The difference between measuring activity vs. measuring real risk * How to make risk meaningful to boards and executive stakeholders * What “good” risk metrics actually look like in practice * How to avoid false confidence from incomplete or misleading data Don’t risk building your strategy on the wrong signals. Learn how to measure what actually matters—and make better decisions because of it.

Why Automation Is Creating More Cyber Risk

Automation vs Accuracy in TPCRM is one of the biggest challenges in modern third-party risk management. In this episode, we break down how the push for faster automation is impacting accuracy, and what that means for your TPCRM program. If you’re relying on automation to scale vendor risk assessments, this conversation will help you avoid costly blind spots and make smarter decisions. Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the real tradeoffs between speed and accuracy in TPCRM, exploring how automation can both strengthen and weaken your risk posture. They discuss the dangers of over-relying on data, where AI-driven decisions fall short, and why human judgment still plays a critical role in identifying real risk. This episode is essential for anyone responsible for vendor risk, cybersecurity, or compliance who wants to scale effectively without sacrificing confidence in their decisions. In this episode, you’ll learn: * How automation in TPCRM can unintentionally increase risk * The hidden tradeoffs between speed and accuracy in vendor assessments * Why more data doesn’t always lead to better decisions * Where AI and algorithms fall short in real-world risk scenarios * How to balance automation with human judgment for better outcomes * Practical ways to improve visibility and decision-making in your TPCRM program Don’t risk scaling bad decisions faster. Learn how to balance automation and accuracy to protect your business.

How to Calculate the Real Cost of a Third-Party Breach

Calculating the real financial impact of a third-party breach is one of the hardest challenges in cybersecurity today. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik explore how organizations can move beyond vague warnings about risk and start putting real numbers behind the potential cost of a third-party breach. If you want security leaders, executives, and boards to take third-party cyber risk seriously, you need to understand how to quantify its financial impact. Many security teams still rely on qualitative risk language like “high,” “medium,” or “critical,” but those labels rarely drive action. Jeffrey, Bob, and Ferhat break down why calculating the financial impact of a third-party breach is essential for communicating with executives, prioritizing vendors, and securing the right investments in risk management. From understanding uncertainty to building models that are accurate enough to guide decisions, this conversation offers practical insight into how leading teams estimate breach costs and translate cyber risk into business language. In this episode, you’ll learn: * Why calculating the financial impact of a third-party breach is critical for executive decision making * How security leaders translate cyber risk into dollars, euros, or pounds * Why “something bad could happen” is not enough to justify cybersecurity investment * The difference between precision and usefulness when modeling cyber risk * How risk quantification helps prioritize vendors and third-party exposures * Why boards and executives respond better to financial risk than technical risk language Don’t risk letting third-party cyber risk remain invisible to leadership. Learn how to calculate the real financial impact of a third-party breach and turn risk conversations into decisions that protect your organization. 0:00 Introduction & Teaser 0:50 Welcome & Episode Overview 2:01 Guest Introduction: Jack Jones & the Origin of FAIR 7:17 Challenges to Implementing Risk Quantification 10:57 Wrap-Up with Jack Jones 11:23 Calculating Financial Impact of a Third-Party Breach 25:54 Precision vs. Accuracy in Risk Models 30:01 Research Roundup: Cybersecurity Outlook 2026 36:44 Agree or Disagree 39:41 Outro & Next Episode Preview

Vendor Sprawl Is Out of Control (Here’s How the Best Teams Fix It)

Vendor sprawl is out of control, and most organizations have far more third-party vendors than they realize. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the growing problem of vendor sprawl and why it has quietly become one of the biggest sources of cyber risk. If your organization relies on dozens or hundreds of third parties, this conversation will help you understand how vendor sprawl creates hidden exposure and what the best teams are doing to manage it. As companies adopt more SaaS tools, cloud services, AI platforms, and specialized vendors, visibility and control become harder to maintain. Jeffrey, Bob, and Ferhat break down how vendor sprawl happens, why simply adding more tools does not solve the problem, and how leading security and risk teams are changing their approach to third-party risk management. From rogue applications to overlapping tools and hidden dependencies, this episode explores practical strategies for regaining visibility and prioritizing the vendors that actually matter. In this episode, you’ll learn: * Why vendor sprawl is accelerating across modern organizations * How hidden third parties introduce unexpected cyber risk * The difference between vendor visibility and real vendor risk management * Why adding more tools can sometimes make the problem worse * Practical ways security teams are prioritizing the vendors that matter most * How AI and automation are changing third-party risk management Don’t risk letting vendor sprawl quietly expand your attack surface. Learn how leading teams are taking back control before hidden vendor risk becomes the next breach.

What You Should NEVER Automate in Risk Programs

TPCRM automation is rapidly becoming a priority for risk teams, but automating the wrong things can quietly increase exposure instead of reducing it. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the reality of TPCRM automation and what you can safely automate versus what should never be automated inside a third-party cyber risk program. If you are responsible for managing vendors, cyber risk, or compliance, this conversation will challenge the assumption that more automation always leads to better outcomes. Automation promises speed and efficiency, but when organizations automate processes they do not fully understand, they often end up accelerating broken workflows and hiding critical risk signals. The hosts break down where automation truly helps risk teams scale and where human judgment, visibility, and traceability must remain at the center of decision-making. In this episode, you will learn: * What TPCRM automation actually means and why many programs misunderstand it * The biggest mistake organizations make when automating risk workflows * Why automating a broken process makes risk programs worse * Where automation can genuinely improve efficiency in TPCRM programs * The decisions that should never be fully automated * Why visibility and traceability matter when AI and automation are involved Don’t risk automating the wrong parts of your cyber risk program. Learn how to apply TPCRM automation the right way before it creates new blind spots.