Third-Party Risk Reporting to the Board of Directors
Quite frequently, security professionals ask us, "How do I report our third-party risk posture and progress to our BoD?"
We receive this question from both "assessors" and "assessees". "Assessees" want to make sure they are not slowing down new deals or putting current relationships at risk. "Assessors" want to show risk reduction from their ecosystem of third parties.
Since we know the BoD doesn't want a lot of detail, what does the group find to be the one most important metric to add to the deck?