LmCast :: Stay tuned in

Checkbox Assessments Aren't Fit to Measure to Risk

Recorded: May 13, 2026, 10 p.m.

Original

Security governance needs to be more than an annual compliance exercise. New companies are emerging to address risk-management gaps in current audit tools.

Arielle Waldman, Features Writer, Dark Reading
May 13, 2026 | 5 Min Read
Source: Andriy Popov via Alamy Stock Photo

A rapidly evolving threat landscape with highly adaptable and increasingly sophisticated threat actors is no place for checkbox compliance assessments that merely audit organizations' security postures once a year. That's why security professionals and industry experts are calling for compliance models that take a more continuous approach, and more companies continue to emerge in the space.

Industry leaders and CISOs continually poke holes in the way governance, risk management, and compliance (GRC) and third-party risk management (TPRM) assessments are conducted, and the holes are only growing bigger. Yearly assessments, with their static questionnaires to determine an organization's risk level, are stagnant, the polar opposite of how attackers behave. Threat actors can now find and exploit vulnerabilities faster and discover new vectors to conduct supply-chain attacks.

When the compliance industry started, assessments mirrored finance industry models: a yearly audit to determine if companies met objectives and obligations, explains Sravish Sridhar, TrustCloud CEO and founder.

"Attackers weren't worldwide and trying to infiltrate you from every angle," warns Sridhar.

Old models were fine when IT changes and IT fragmentation happened more slowly. But now the pace is accelerating faster than most can handle, he adds. TrustCloud's 2,000 customers range from pharmaceutical and healthcare to government and manufacturing.

With the static, check-the-box approach, a vendor can be fully compliant on paper with their third-party program and still introduce meaningful risk into the business, warns Lamont Atkins, partner at McKinsey & Company.

Atkins has also observed CISOs move decisively away from questionnaire-driven checkbox compliance models toward more continuous and evidence-based assurance. Modern TPRM platforms are emerging to continuously monitor vendors for vulnerabilities, misconfigurations, and breach signals rather than relying on static questionnaires, and to use artificial intelligence (AI) to analyze those signals and assess risk, explains Swee Khan Goh, Omdia research analyst. He singled out Upguard, BitSight, and OneTrust as three companies doing well in this space.

'It's Not a Predictor of Risk Whatsoever'

While launching TrustCloud, Sridhar heard from CISOs that GRC stood for "government, risk, and check the box." They told him that we live in a world where vulnerabilities and risk are growing higher and higher, and compliance obligations are getting larger due to all the regulations.

When he asked CISOs for a better alternative, they described a continuous monitoring engine with graphs that connect all the interdependencies in their businesses, looking at every node and validating whether it is operating effectively, he says. "It was an 'Aha' moment for us," Sridhar tells Dark Reading. Therefore, he focused development on building a tool for scale and complexity to meet an array of enterprise needs.

The new threat landscape left TrustCloud with three main challenges while working on the platform over the last four and a half years. First, they had to develop a tool that could be integrated to fit a variety of enterprise rules and environments. Next, the team had to solve for scale: companies manage an overwhelming number of assets, including human and non-human identities. Third, every CISO has their own style, and Sridhar wanted them to be able to take all the complex data and translate it into the story they want to tell.

For example, CISOs need assessment tools that help them communicate clearly to the board and leadership, whether that board lacks technical expertise or is more risk-focused than others. Sridhar factored those needs in, knowing how important it is for CISOs to elicit emotion during presentations to the board and leadership who oversee the budget and operations.

He wanted the board to "react to the results," whether in a positive way or perhaps with more anxiety if the assessment results spotted trouble. CISOs also need a way to prove more tangible data, like how they are contributing to revenue, business acceleration, or reducing financial risk, adds Sridhar.

"The current compliance process is useless in most companies," Sridhar says. "A light security questionnaire – it's not a predictor of risk whatsoever."

Change the Model, Change the Mindset

To create a model that can keep up with today's threat landscape, Atkins urged companies to leverage TPRM platforms that provide ongoing visibility into attack surface, security posture, and incident signals. Some organizations are using AI to streamline questionnaires, but they can also leverage it to reduce reliance on questionnaires altogether by automating evidence collection, mapping controls across frameworks, and identifying gaps in real time, he adds.

He advised companies to ask themselves three main questions: Which suppliers truly underpin critical operations? Which are hidden concentration risks? And what is the operational blast radius if a key vendor fails?

"That's a fundamentally different mindset from traditional compliance-driven TPRM," Atkins tells Dark Reading. "To take the advantage, we must encourage a convergence between third-party risk management and attack surface management, as well as a broader reframing of TPRM as a component of enterprise resilience, not just a procurement or compliance function."

CISOs don't want to know whether a vendor claims to have a control: they want to understand how a failure would impact critical business processes, says Optiv CISO Rob Gregory. Another notable shift Gregory observed is toward scenario-based risk analysis, which helps security leaders prioritize what matters versus treating all findings as equal, he adds.

"AI-assisted analysis is also starting to mature, especially in translating technical risk into clear, board-level narratives," Gregory tells Dark Reading. "Vendors that can support continuous insight, automation, and business context are the ones resonating most with experienced CISOs."

As risks expand and attackers leverage more advanced tooling, the space is bound to keep evolving. But the most important aspect of risk assessment will remain: building trust between security teams and stakeholders. And that extends to consumers as well.

"Trust doesn't imply that you're perfect," Sridhar says. "Trust implies you will have breaches. You will have anomalies. There will always be days in which you have a bad day, but it's how you react and how you own up to it, and how you remediate. That's how you build trust."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.

Summarized

The traditional method of using checkbox compliance assessments to measure risk is inadequate in today's rapidly evolving cybersecurity landscape. These static, annual assessments are inherently stagnant: they neither reflect the dynamic and increasingly sophisticated behavior of threat actors nor align with how attackers actually operate. Security professionals and industry experts are advocating for compliance models that embrace a continuous approach to governance, risk management, and compliance, recognizing that the pace of technological change and the fragmentation of IT environments now outrun what traditional yearly audits can keep up with.

Historically, compliance assessments often mirrored models from the finance industry, focusing on a yearly audit to verify adherence to objectives and obligations. However, this approach is insufficient because it does not account for the current reality where threat actors can exploit vulnerabilities and discover new attack vectors at an accelerated rate. Consequently, static questionnaires merely confirming a vendor's paper-based compliance allow for the introduction of significant, unmeasured business risk.

Industry leaders, including Chief Information Security Officers, are shifting away from these questionnaire-driven checkbox models toward evidence-based assurance derived from continuous monitoring. Modern third-party risk management platforms have emerged to address this gap by continuously monitoring vendors for vulnerabilities, misconfigurations, and breach signals, often utilizing artificial intelligence to analyze these signals and assess risk in real time. Researchers have highlighted specific platforms, such as Upguard, BitSight, and OneTrust, as examples of solutions operating effectively in this continuous assurance space.

The emphasis is moving from merely confirming controls to understanding the operational impact of potential failures. Instead of simply asking whether a control exists, security leaders now require tools that provide continuous insight, automation, and crucial business context. This evolution involves a fundamental reframing of third-party risk management, viewing it not just as a procurement or compliance function, but as a critical component of overall enterprise resilience and attack surface management.

To achieve this shift, practitioners are encouraged to adopt a mindset focused on identifying critical dependencies, understanding hidden concentration risks, and calculating the operational blast radius should a key vendor fail. This requires a convergence between third-party risk management and attack surface management. Furthermore, some organizations are leveraging artificial intelligence to automate evidence collection, map controls across various frameworks, and identify security gaps in real time, thereby reducing reliance on manual questionnaires.
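The three questions Atkins poses in the article and this paragraph restates (which suppliers underpin critical operations, which are hidden concentration risks, and what the blast radius of a vendor failure is) can be answered mechanically once the business is modelled as the dependency graph Sridhar's CISOs described. The following is an added example, not code from the article or from any vendor named in it; the process and vendor names are constructed sample data, and "hidden" is defined here as a concentration that no critical process contracts with directly (i.e. it is reached only through another vendor).

```python
from collections import defaultdict, deque

# Constructed sample data (not from the article): each key depends on the listed
# nodes; processes depend on vendors, vendors on sub-vendors (dependent -> dependency).
DEPENDENCIES = {
    "order-processing": ["payments-inc", "cloud-host"],
    "customer-support": ["helpdesk-saas"],
    "payroll": ["hr-saas"],
    "payments-inc": ["cloud-host", "kyc-api"],
    "helpdesk-saas": ["cloud-host", "email-relay"],
    "hr-saas": ["email-relay"],
}
CRITICAL_PROCESSES = {"order-processing", "customer-support", "payroll"}

def reverse_graph(deps):
    """Map each dependency to the set of nodes that rely on it."""
    rev = defaultdict(set)
    for dependent, dependencies in deps.items():
        for dependency in dependencies:
            rev[dependency].add(dependent)
    return rev

def blast_radius(deps, vendor, critical):
    """Question 3: critical processes that stop if `vendor` fails (transitive, cycle-safe)."""
    rev = reverse_graph(deps)
    seen, queue = set(), deque([vendor])
    while queue:
        for dependent in rev[queue.popleft()]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return sorted(seen & critical)

def critical_suppliers(deps, critical):
    """Question 1: every vendor, direct or nth-party, that underpins a critical process."""
    vendors = {d for ds in deps.values() for d in ds}
    return sorted(v for v in vendors if blast_radius(deps, v, critical))

def concentration_risks(deps, critical, threshold=2):
    """Question 2: vendors whose failure takes down >= threshold critical processes.
    A vendor no critical process contracts with directly is flagged as a hidden concentration."""
    direct = {d for p in critical for d in deps.get(p, [])}
    out = {}
    for vendor in critical_suppliers(deps, critical):
        hit = blast_radius(deps, vendor, critical)
        if len(hit) >= threshold:
            out[vendor] = {"affected": hit, "hidden": vendor not in direct}
    return out
```

On the sample graph, `email-relay` surfaces as a hidden concentration risk: no critical process lists it as a supplier, yet its failure stops both customer support and payroll, which a questionnaire sent only to first-party vendors would never reveal.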

Beyond technical controls, the assessment process must incorporate the needs of executive stakeholders. Security leaders require mechanisms to communicate complex risk data clearly to boards and leadership, often needing to elicit emotional context during presentations to influence decisions regarding budget and operations. This involves providing scenario-based risk analysis to help prioritize findings over treating all discovered issues equally. Ultimately, the goal is to transition the focus from simple compliance status to understanding the tangible impact on revenue, business acceleration, and financial risk. Trust is built not on perfect compliance, but on the demonstrated ability of an organization to react effectively to anomalies, own up to failures, and implement effective remediation strategies.