I get it for network architecture. I get it for strong authentication. I get it for making sure I am not a robot (I'm not, by the way). But I have to trust my partners.
So when it comes to third-party risk management, I refuse to accept that my relationships begin with the assumption that all my third parties are tools of the hackers until proven otherwise.
Risk assessment of third parties has to be a conversation with my third parties, not an interrogation. And certainly I understand that most relationships are asymmetrical. Maybe they’re bigger than me and can just post their certifications and never answer my questions. Maybe they’re really small and will never have a CISO; hell, they may not even be big enough to have full-time IT staff.
But the “zero trust/remember Target’s HVAC vendor/weakest link” conversation removes Security from the business, and that carries its own risks.