The pressure to appear ‘secure’

Third parties operate in competitive environments where demonstrating security maturity has become a commercial necessity. Suppliers therefore face implicit pressure to present themselves as operationally robust, even when controls may still be evolving or inconsistently applied.

As a result, self-assessment questionnaires and maturity declarations can sometimes reflect aspirational practices rather than actual control effectiveness. Cultural factors reinforce this dynamic when internal teams feel compelled to align responses with contractual commitments or service-level agreements (SLAs).

The organisations issuing these questionnaires typically do so in a standardised format designed to streamline the process, recognising they may not have the capacity to review large volumes of supporting evidence or conduct detailed follow-ups with every supplier.

Consequently, customer organisations often rely heavily on declared security postures unless assurance processes include operational validation along with documentation.

Third-party providers may also feel pressure to avoid disclosing operational weaknesses, particularly when doing so could threaten contractual relationships. Without evidence-based validation or contractual audit rights, responses to control-maturity questionnaires may present an overly optimistic view of the security posture.

Ransomware and asymmetric exposure in third-party relationships

Ransomware has become the dominant third-party cyber risk scenario for many organisations. Suppliers often serve as a more accessible point of compromise, particularly when security investment and maturity differ significantly between the customer and the provider.

Compromising a single supplier can also provide attackers with access to multiple client environments, creating the potential for widespread disruptions or simultaneous extortion across several organisations.

The challenge is not purely technical. Cultural and behavioural dynamics also play a part. Suppliers may hesitate to disclose emerging threats or early-stage incidents due to concerns about reputational harm, commercial repercussions, or contractual penalties. At the same time, customer organisations may implicitly expect suppliers to resolve issues independently until escalation becomes unavoidable.

This dynamic discourages early transparency, even though earlier collaboration could significantly reduce the impact of incidents.

In practice, ransomware exposure in third-party relationships can manifest in several ways: service outages, attackers pivoting through trusted connections, weak recovery capabilities, or delayed incident disclosure driven by fear of contractual consequences.

Encouraging more open information sharing requires organisations to move beyond purely compliance-driven oversight to shared risk ownership. Maturity-based assessments, collaborative exercises, shared threat intelligence, and environments that encourage early disclosure all contribute to stronger relationships and greater resilience.

Criticality, certification and misplaced assurance

Tiering suppliers by criticality is a common feature of mature TPRM programmes. Certifications and third-party attestations are frequently used as indicators of security maturity within these tiers.

However, certifications are ultimately interpreted and implemented by individuals. The presence of a recognised standard can therefore create a sense of assurance that does not always reflect the real risk associated with a specific service, environment, or delivery model. Over time, this can lead to reduced scrutiny of suppliers whose formal credentials appear strong, even when operational exposure remains significant.

A graduated approach to attestation enables suppliers to provide assurance proportional to their criticality. Subsequently, high-impact suppliers must demonstrate stronger control maturity and provide more substantial supporting evidence, while lower-criticality suppliers are subject to proportionately lighter assurance requirements. This tiered approach aligns oversight with risk while avoiding unnecessary burden on smaller vendors.

Relationships, legacy, and reduced scrutiny

Long-standing supplier relationships, particularly those supported by strong personal connections at senior levels, often benefit from a degree of trust not afforded to newer providers. Over time, this trust can reduce the frequency or depth of security scrutiny.

This rarely reflects deliberate negligence. Instead, it demonstrates how human relationships influence organisational behaviour. Although governance frameworks may mandate consistent oversight, in practice, scrutiny is seldom applied uniformly across all suppliers.

Legacy contracts can further increase exposure. Many were written before today’s cyber, operational, and regulatory expectations existed and therefore lack modern security clauses, clear incident-reporting requirements, defined recovery obligations, or meaningful audit rights. These gaps can leave organisations with limited leverage during an incident.

A clear example occurred in mid-2023 when a zero-day vulnerability in MOVEit Transfer, a widely used secure file-transfer product, was exploited by the Clop ransomware group. Attackers breached servers operated by hundreds of service providers, exposing sensitive data belonging to thousands of organisations that had no direct relationship with the compromised software.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” — Daniel J. Boorstin.

The continued presence of third-party cyber risk does not necessarily indicate that frameworks are ineffective. Instead, it highlights how behavioural dynamics and organisational incentives shape how those frameworks operate in practice.

Many of the most significant drivers of exposure sit outside formal processes and control structures. For boards and senior leaders, it is essential to recognise that human behaviour fundamentally shapes the effectiveness of third-party risk management.

Part 2 will explore how these behavioural dynamics influence real-world resilience when critical third parties experience cyber incidents or operational disruptions.

Why the threat is no longer theoretical

For many years, cyberattacks were seen as a problem primarily affecting large corporations with high public profiles. That perception has changed.

Today, research shows that more than 40% of cyberattacks in Europe target SMEs, and that up to 38% of small businesses have experienced a cyber scam or incident. What’s driving this shift is not a sudden surge of large-scale, custom attacks, but rather highly automated, scalable techniques that target common vulnerabilities found across many organisations.

What’s also striking is how professional cybercrime has become. Analysts estimate the global cybercrime economy to be worth multiple trillions of euros annually, on par with some legitimate industries. Many criminal groups now operate almost like corporate entities, complete with technical teams and even “support” channels to assist victims in paying ransoms – a clear indicator that this is a market-driven criminal enterprise with real financial incentives.

Healthcare and professional practices: high stakes, high risk

The risk is particularly acute for healthcare and professional practices that handle sensitive personal, medical data and financial data. In the EU, robust data protection frameworks, such as the GDPR, impose legal obligations on organisations to safeguard personal information. But beyond regulatory compliance, there’s something even more vulnerable at stake: trust.

Imagine this scenario: a ransomware attack encrypts patient records or blocks access to core systems, forcing the rescheduling of appointments and halting communications. The immediate operational disruption is costly, as backups may also be encrypted, and the data is permanently lost. But the reputational damage can take years to repair as customers transfer to another practice to seek treatment.

European research further suggests that many SMEs believe a serious cyber incident could threaten their business survival if systems were down for more than a few days, and that organisations that rely on continuous access to client records and scheduling systems face outsized consequences from even short disruptions.

How cyberattacks actually start

Despite the high-level discussions about cybercrime syndicates and ransomware, most attacks affecting small organisations begin with surprisingly simple entry points:

Such entry points could be as simple as a convincing phishing email or a stolen password that slips past busy reception staff. Once an attacker gets that first foothold, they move fast, resetting access, hijacking email flows, and deploying ransomware or stealing data.

Turning the tide: what small businesses can do today

The good news is that many of the most disruptive cyber incidents are preventable or at least can be mitigated significantly. Small organisations don’t need enterprise-level cybersecurity teams to make meaningful progress; they need well-chosen controls, consistency, and awareness. Here are some of the most effective controls that practices can adopt:

• Backing up your data – keep regular, tested backups (possibly an offline copy) so you can restore quickly if ransomware hits or data gets deleted.
• Protecting your organisation from ‘malware’. Practices MUST use up-to-date endpoint protection and prompt patching to block common malware and prevent its spread across devices. DO NOT USE FREE anti-malware software
• Keeping smartphones (and tablets) safe by enforcing screen locks, auto-updates, and remote wipe, so lost devices or risky apps don’t become an easy entry point into company accounts
• Ensuring all staff have their own individual passwords to protect your data and track access using strong, unique passwords. For sensitive systems (e.g. payment systems) ensure multi-factor authentication is enabled so stolen credentials (passwords) alone aren’t enough
• Avoid phishing attacks – train staff to spot suspicious messages and verify payment or login requests out-of-band, because phishing is still the simplest way attackers get in.

Reframing cybersecurity as business resilience

In 2026, cybersecurity moved from a technical silo to a business imperative. Preparedness now goes hand in hand with competitiveness and trustworthiness. Organisations that treat cybersecurity as a core element of their risk management strategy are better positioned to protect their clients, maintain continuity, and strengthen their reputation.

This is especially true in sectors like healthcare and professional services, where data is both sensitive and indispensable. The goal is not perfection. No system can be completely invulnerable, but it is about moving from reactive firefighting to proactive resilience.

At this stage of digital evolution, cyber risk is a normal part of doing business. The organisations that understand this will be the ones best equipped to thrive not despite cyber threats, but alongside them.

Get in touch to find out how you can protect your business in 2026.

From Frameworks to Reality: The Operationalisation Gap

One of the most persistent challenges organisations face is not a lack of frameworks, standards, or guidance – but the ability to operationalise them effectively, particularly beyond the organisation’s boundaries.

Andrew highlights how third-party risk management remains a weak point for many organisations, especially when commercial pressure overrides security intent:

“Some organisations struggle to implement third-party risk management effectively because due diligence is treated as a one-off onboarding formality, expedited due to pressure from procurement and business owners who are keen to onboard suppliers swiftly. Commercial timelines and delivery urgency put pressure on teams to rush key stages such as triaging suppliers or security assessments and cut corners. This can lead to reduced scrutiny, reliance on self-attestations alone, or acceptance of unresolved security gaps to avoid delaying contracts.”

This challenge is often rooted in mindset. When third-party risk is framed as a hurdle to overcome rather than an ongoing business risk, meaningful assurance quickly erodes:

“This occurs when third-party risk is viewed as an initial ‘checkbox exercise’ rather than an ongoing business risk that can evolve over time. This results in organisations entering relationships with limited visibility of actual control maturity and little leverage once contracts are signed.”

As regulatory scrutiny increases and supply chains become more interconnected, this approach is becoming increasingly unsustainable. Andrew points to a more integrated path forward – one that aligns commercial objectives with security outcomes:

“Organisations can address this by aligning procurement incentives with risk outcomes, including minimum security and resilience requirements in contracts before granting access or sharing data, and embedding ongoing monitoring and assurance throughout the supplier lifecycle.”

In 2026, organisations that fail to embed this thinking into procurement and supplier governance are likely to find themselves exposed not just operationally, but also reputationally and regulatorily.

Maturity Is Built on Measurement, Not Maturity Models

While third-party risk highlights execution gaps, Dan’s perspective refocuses the discussion on foundations. As cyber security programmes grow in scope and complexity, maturity is less about adopting the latest tool or framework and more about establishing repeatable, measurable control environments.

Dan’s advice to organisations looking to mature their cyber security posture is clear:

“Ensure you establish strong foundations of control and measurement which will enable you to define, implement and measure incremental improvement.”

For organisations still early in this journey, he outlines a pragmatic and scalable approach:

“Start by establishing a control library that works for the scale and complexity of your organisation.”

“Use one of the established recognised frameworks (NIST CSF, ISO, ISF SOGP etc.) as the basis for your library and augment and configure controls as needed – but keep it as simple as possible.”

However, controls alone are not enough. Ownership, engagement, and governance are what turn documentation into operational resilience:

“Define clear ownership of controls and engage proactively with stakeholders to ensure owners are ‘bought in’ to the approach.”

Measurement then becomes the enabler of informed decision-making:

“Define measures for the key subset of controls you need to monitor on a regular basis.”

“Establish a framework for assessment of actual performance against the control baseline.”

Crucially, Dan stresses sustainability, a theme that will only grow in importance as cyber programmes expand:

“Implement control maintenance, monitoring and assessment processes that you’re equipped to handle. Consider assessing a subset of controls on a quarterly basis to minimise the burden on contributors.”

And finally, maturity must connect back to leadership and business outcomes:

“Establish cadence with senior management using a style and terms that they can become familiar with and support – with investment in improvement linked to business outcomes.”

By 2026, organisations that cannot clearly demonstrate how cyber controls perform and how that performance links to risk and value will struggle to justify investment or regulatory confidence.

The Role of AI in Cyber Security, Assurance and Risk Management

CRMG Co-Founder Simon adds another dimension to the conversation – one that many organisations are actively exploring, often with a mixture of optimism and uncertainty: the role of artificial intelligence in cyber security, assurance, and risk management.

“Like many, I have mixed emotions about AI. There’s excitement around its potential and what it could mean for CRMG, alongside a sense of FOMO. At the same time, I worry about inflated claims that position AI as the answer to our cyber security woes, and about what it’s really doing at a time when integrity already feels in short supply. AI can help streamline the mechanistic elements of cyber-related audit, assurance, and risk management without significant controversy. Things like minute-taking (subject to straightforward verification), audit interview support, and creating templated reports based on clear, bucketed and verified content are sensible use cases.”

However, when it comes to risk judgement and prioritisation, Simon is clear that AI remains no substitute for human experience.

“Risk contextualisation is an area where AI is currently no replacement for a seasoned risk practitioner or an engaged business stakeholder. Business context and potential impact aren’t static, and they’re critical in turning a control weakness into a prioritised risk. That’s a dimension AI will struggle with, unless it has access to large, verified data sets around impact and loss trends over time.”

He also highlights the need for caution when using AI to draw conclusions about control effectiveness.

“AI’s ability to infer the extent of control implementation from operational data should always be treated with care and must be verified. While it may be able to spot trends a human would struggle to identify, this is closer to advanced data analytics than something entirely new. The key is access to large, reliable data sets and proven techniques.”

For Simon, the most important mindset shift is how AI is positioned within organisations.

“Think of AI as a novice that needs nurturing, support, and challenge. It should never be relied upon alone. The conundrum is that AI used in assurance has to be assured. The AI used to assure the AI that is used to assure also has to be assured!”

Simon is clear that his views are not fixed, and recognises the challenge ahead.

“In a world where Shadow AI risks becoming the new Shadow IT, that’s a lot easier said than done. The upside is that there are some very big brains working in this space and we’ll need them.”

The Professionalisation of Cyber Security: A Shift Few Are Talking About

While operational maturity and governance dominate many cyber discussions, CRMG Co-Founder Nick Frost highlights a more structural change beginning to surface – one that could reshape the industry itself.

Looking ahead to 2026, he points to the growing momentum behind licensing parts of the cybersecurity profession:

“One of the most significant shifts beginning to surface in 2026 is the move towards licensing parts of the cybersecurity profession. Whilst countries – such as Singapore, Ghana, Malaysia – have started movements in this area, it is still at an early stage.”

The rationale behind this shift is becoming increasingly difficult to ignore (need to check below – does it make sense as I don’t want to edit too much of Nicks response but not sure if my editing is making it not make sense):

“Professions that are subjected to licensing for a reason – when poor decisions or sloppy workmanship might result in widespread harm. Cybersecurity now sits squarely in that category.”

As cyber roles continue to influence critical infrastructure, public trust, and national resilience, expectations around accountability are rising:

“Cyber roles increasingly influence public trust, critical infrastructure, the health of individuals, and even national resilience. Yet you could argue that entry standards and accountability remain relatively low.”

Licensing is not about restricting the profession wholesale, but about recognising the risk attached to certain roles:

“Licensing won’t apply to every cyber role overnight, but for certain critical positions it offers a clear way to raise minimum standards, improve consistency, and introduce real accountability.”

Nick’s conclusion reflects a broader trajectory facing the industry:

“As cyber risk continues to scale, regulation will inevitably follow, and licensing is a natural next step in the professionalisation of cybersecurity.”

By 2026, this shift could have profound implications – not just for practitioners, but for organisations hiring, governing, and relying on cyber expertise