Third Party

If you manage third-party cyber risk, you’ve seen it all: meaningless scorecards, black-box tools, and endless frameworks that never quite connect to business impact. Third-Party is the podcast built for the people behind the dashboards. The ones managing 5,000 vendors with a team of three. Hosted by Jeffrey Wheatman, Ferhat Dikbiyik, and Bob Maley, this show unpacks what actually works (and what doesn’t) in TPRM. No fear tactics. No buzzwords. Just unfiltered conversations, sharp insights, and the occasional roast of a really bad SIG questionnaire.

  1. 7H AGO

    Why Automation Is Creating More Cyber Risk

    Automation vs Accuracy in TPCRM is one of the biggest challenges in modern third-party risk management. In this episode, we break down how the push for faster automation is impacting accuracy, and what that means for your TPCRM program. If you’re relying on automation to scale vendor risk assessments, this conversation will help you avoid costly blind spots and make smarter decisions. Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the real tradeoffs between speed and accuracy in TPCRM, exploring how automation can both strengthen and weaken your risk posture. They discuss the dangers of over-relying on data, where AI-driven decisions fall short, and why human judgment still plays a critical role in identifying real risk. This episode is essential for anyone responsible for vendor risk, cybersecurity, or compliance who wants to scale effectively without sacrificing confidence in their decisions.

    In this episode, you’ll learn:
    - How automation in TPCRM can unintentionally increase risk
    - The hidden tradeoffs between speed and accuracy in vendor assessments
    - Why more data doesn’t always lead to better decisions
    - Where AI and algorithms fall short in real-world risk scenarios
    - How to balance automation with human judgment for better outcomes
    - Practical ways to improve visibility and decision-making in your TPCRM program

    Don’t risk scaling bad decisions faster. Learn how to balance automation and accuracy to protect your business.

    34 min
  2. APR 22

    How to Calculate the Real Cost of a Third-Party Breach

    Calculating the real financial impact of a third-party breach is one of the hardest challenges in cybersecurity today. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik explore how organizations can move beyond vague warnings about risk and start putting real numbers behind the potential cost of a third-party breach. If you want security leaders, executives, and boards to take third-party cyber risk seriously, you need to understand how to quantify its financial impact. Many security teams still rely on qualitative risk language like “high,” “medium,” or “critical,” but those labels rarely drive action. Jeffrey, Bob, and Ferhat break down why calculating the financial impact of a third-party breach is essential for communicating with executives, prioritizing vendors, and securing the right investments in risk management. From understanding uncertainty to building models that are accurate enough to guide decisions, this conversation offers practical insight into how leading teams estimate breach costs and translate cyber risk into business language.

    In this episode, you’ll learn:
    - Why calculating the financial impact of a third-party breach is critical for executive decision making
    - How security leaders translate cyber risk into dollars, euros, or pounds
    - Why “something bad could happen” is not enough to justify cybersecurity investment
    - The difference between precision and usefulness when modeling cyber risk
    - How risk quantification helps prioritize vendors and third-party exposures
    - Why boards and executives respond better to financial risk than technical risk language

    Don’t risk letting third-party cyber risk remain invisible to leadership. Learn how to calculate the real financial impact of a third-party breach and turn risk conversations into decisions that protect your organization.

    Chapters:
    0:00 Introduction & Teaser
    0:50 Welcome & Episode Overview
    2:01 Guest Introduction: Jack Jones & the Origin of FAIR
    7:17 Challenges to Implementing Risk Quantification
    10:57 Wrap-Up with Jack Jones
    11:23 Calculating Financial Impact of a Third-Party Breach
    25:54 Precision vs. Accuracy in Risk Models
    30:01 Research Roundup: Cybersecurity Outlook 2026
    36:44 Agree or Disagree
    39:41 Outro & Next Episode Preview

    40 min
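Episode 2 is about replacing “high/medium/critical” labels with a number, and its chapter list names FAIR. The script below is an added illustration of how a FAIR-style quantification does that; it is not material from the episode, the hosts, or the FAIR standard itself. Everything in it is constructed: the vendor, the frequency and magnitude ranges an analyst would have collected, and the 1 million USD reporting threshold. Triangular distributions stand in for the PERT/beta distributions a real FAIR tool would fit, and event counts per year are drawn from a Poisson process around the sampled rate.

```python
import math
import random
import statistics

# Constructed, hypothetical calibrated estimates for one vendor
# (min, most likely, max). Not data from the episode.
EVENT_FREQUENCY_PER_YEAR = (0.05, 0.2, 0.5)         # breaches at this vendor that reach us
LOSS_PER_EVENT_USD = (50_000, 400_000, 3_000_000)   # response, legal, downtime, fines


def _poisson(rng, rate):
    """Number of events in one year for a given rate (Knuth's algorithm).

    Adequate for the small per-vendor rates used in third-party risk.
    """
    cutoff = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= cutoff:
            return k
        k += 1


def simulate_annual_loss(freq, magnitude, trials=10_000, seed=1):
    """Monte Carlo over 'trials' simulated years.

    Each year samples an event rate from the frequency range, draws how many
    events occur, then sums a sampled loss for each event. Returns one total
    loss per simulated year. Seeded so a board report can be reproduced.
    """
    rng = random.Random(seed)
    f_min, f_mode, f_max = freq
    m_min, m_mode, m_max = magnitude
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), not (low, mode, high)
        rate = rng.triangular(f_min, f_max, f_mode)
        events = _poisson(rng, rate)
        total = sum(rng.triangular(m_min, m_max, m_mode) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses, threshold):
    """Turn the loss distribution into the figures an executive asks for."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(losses),          # annualized loss expectancy
        "p50": pct(0.50),                          # typical year
        "p90": pct(0.90),                          # bad year
        "p95": pct(0.95),                          # very bad year
        "p_exceed": sum(1 for x in losses if x > threshold) / len(losses),
    }


if __name__ == "__main__":
    losses = simulate_annual_loss(EVENT_FREQUENCY_PER_YEAR, LOSS_PER_EVENT_USD)
    s = summarize(losses, threshold=1_000_000)
    print(f"Expected annual loss:        ${s['mean']:>12,.0f}")
    print(f"Median year:                 ${s['p50']:>12,.0f}")
    print(f"90th percentile year:        ${s['p90']:>12,.0f}")
    print(f"95th percentile year:        ${s['p95']:>12,.0f}")
    print(f"P(annual loss > $1M):        {s['p_exceed']:>12.1%}")
```

With these inputs the median year costs nothing, because most years see no event at the vendor, while the 90th percentile and the probability of exceeding the threshold are substantial. That spread is the precision-versus-usefulness point: the mean to the dollar is not what drives a decision; the tail and the exceedance probability are what justify a control or a contract clause, and a second run with a different threshold or a competing vendor’s ranges gives a like-for-like comparison for prioritization.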
  3. APR 8

    Vendor Sprawl Is Out of Control (Here’s How the Best Teams Fix It)

    Vendor sprawl is out of control, and most organizations have far more third-party vendors than they realize. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the growing problem of vendor sprawl and why it has quietly become one of the biggest sources of cyber risk. If your organization relies on dozens or hundreds of third parties, this conversation will help you understand how vendor sprawl creates hidden exposure and what the best teams are doing to manage it. As companies adopt more SaaS tools, cloud services, AI platforms, and specialized vendors, visibility and control become harder to maintain. Jeffrey, Bob, and Ferhat break down how vendor sprawl happens, why simply adding more tools does not solve the problem, and how leading security and risk teams are changing their approach to third-party risk management. From rogue applications to overlapping tools and hidden dependencies, this episode explores practical strategies for regaining visibility and prioritizing the vendors that actually matter.

    In this episode, you’ll learn:
    - Why vendor sprawl is accelerating across modern organizations
    - How hidden third parties introduce unexpected cyber risk
    - The difference between vendor visibility and real vendor risk management
    - Why adding more tools can sometimes make the problem worse
    - Practical ways security teams are prioritizing the vendors that matter most
    - How AI and automation are changing third-party risk management

    Don’t risk letting vendor sprawl quietly expand your attack surface. Learn how leading teams are taking back control before hidden vendor risk becomes the next breach.

    39 min
  4. MAR 25

    What You Should NEVER Automate in Risk Programs

    TPCRM automation is rapidly becoming a priority for risk teams, but automating the wrong things can quietly increase exposure instead of reducing it. In this episode, Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik unpack the reality of TPCRM automation and what you can safely automate versus what should never be automated inside a third-party cyber risk program. If you are responsible for managing vendors, cyber risk, or compliance, this conversation will challenge the assumption that more automation always leads to better outcomes. Automation promises speed and efficiency, but when organizations automate processes they do not fully understand, they often end up accelerating broken workflows and hiding critical risk signals. The hosts break down where automation truly helps risk teams scale and where human judgment, visibility, and traceability must remain at the center of decision-making.

    In this episode, you will learn:
    - What TPCRM automation actually means and why many programs misunderstand it
    - The biggest mistake organizations make when automating risk workflows
    - Why automating a broken process makes risk programs worse
    - Where automation can genuinely improve efficiency in TPCRM programs
    - The decisions that should never be fully automated
    - Why visibility and traceability matter when AI and automation are involved

    Don’t risk automating the wrong parts of your cyber risk program. Learn how to apply TPCRM automation the right way before it creates new blind spots.

    38 min
  5. MAR 11

    Is Cybersecurity Regulation Actually Dangerous?

    Is cybersecurity regulation actually dangerous? In this episode, we examine whether cybersecurity regulation is improving real security or quietly making organizations less safe. If you have ever wondered whether compliance helps or hurts your defenses, this conversation breaks down what cybersecurity regulation gets right, where it fails, and how leaders should think about risk beyond checklists. In this episode of Third Party, hosts Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik debate the regulation paradox facing modern security teams. They explore when compliance drives better risk management, when it becomes a dangerous distraction, and why outdated or overly prescriptive rules can pull focus away from real threats. The discussion covers audits, fines, regulatory fragmentation, and the growing gap between fast-moving technology and slow-moving regulation.

    What this episode covers:
    - Whether cybersecurity regulation actually improves security outcomes
    - How compliance can become a checkbox that misses real risk
    - When regulation helps CISOs secure budget and attention
    - Why outdated and overly prescriptive rules can increase exposure
    - The difference between managing audits and managing real risk

    Don’t risk confusing compliance with protection. Learn how to think critically about cybersecurity regulation and focus on what actually makes organizations safer before regulation becomes a liability instead of a safeguard.

    56 min
  6. JAN 28

    The Biggest Lie in Cybersecurity

    Who owns cyber risk in third-party relationships? In this episode of Third Party, we tackle one of the most urgent questions facing security leaders today: who is actually accountable for third-party risk when something goes wrong? If you’re a CISO, risk leader, or executive trying to avoid blame, regulatory fallout, or career-ending mistakes, this conversation delivers clarity you can act on immediately. Hosted by Jeffrey Wheatman, Bob Maley, and Ferhat Dikbiyik, this episode breaks down the real difference between ownership, responsibility, and accountability in third-party cyber risk. The hosts unpack why CISOs are often blamed for risks they don’t own, how boards and executives should be involved, and why documenting risk decisions matters more than ever as regulators and courts increase scrutiny. This discussion explains how misaligned risk ownership leads to firings, fines, and failures—and how to prevent that inside your organization.

    What you’ll learn in this episode:
    - How to define ownership vs. accountability in third-party cyber risk
    - Why CISOs should inform risk, not silently absorb it
    - Who actually owns financial risk when vendors fail
    - How to document risk acceptance so it doesn’t come back on you
    - Why regulators and boards are forcing clearer risk decisions
    - How to communicate third-party risk in business and financial terms

    Don’t risk being the one blamed when a third party breaches your ecosystem. Learn how to clearly assign ownership, document accountability, and protect both your organization and your career—before the next incident forces the issue.

    40 min

Ratings & Reviews

5 out of 5 (5 Ratings)
