In this edition of Cyber Means Business, we talk to Bob Maley, Chief Security Officer at Black Kite, to explore one of the most pressing and complex challenges in cybersecurity today: third-party risk. Drawing on more than two decades of experience leading security and risk programs for both government and global enterprises, including PayPal and the Commonwealth of Pennsylvania, Maley argues that managing third-party relationships is far more than a compliance exercise. It’s a business-critical function with direct consequences for an organization’s financial performance, operational continuity, and reputation.
Third parties make modern business possible. From cloud providers and payment processors to marketing platforms and logistics partners, every organization depends on a vast network of external entities to operate efficiently and scale. Yet that same interconnectedness creates significant exposure. A single weak link—a misconfigured vendor system, a compromised supplier, or a partner with lax security controls—can disrupt operations, leak sensitive data, and damage brand trust.
It’s a challenge Bob Maley knows well. With more than two decades of experience leading enterprise security and risk programs, Maley brings a uniquely comprehensive perspective. Before joining Black Kite, a cybersecurity software company focused on third-party cyber risk management, in 2019, he built and led PayPal’s global third-party security and inspections program, monitoring hundreds of critical vendors and implementing one of the first continuous third-party risk monitoring systems in the industry. Earlier in his career, he served as Chief Information Security Officer for the Commonwealth of Pennsylvania, establishing statewide security policies and incident response strategies that protected data for more than 11 million residents. Maley also sits on the steering committee for Shared Assessments, a member-driven industry organization focused on third-party risk management (TPRM), where he helps define best practices for vendor risk assurance.
Today, Maley’s focus is helping organizations and their boards see third-party risk as a business issue, not just a security one. Through his work at Black Kite, he builds tools and frameworks that tie vendor exposure to financial, operational and reputational consequences, and through his role on the steering committee for Shared Assessments, he helps shape industry standards that embed third-party risk into board-level strategy.
CISO Leadership Takeaways
Joan Goodchild: You’ve said third-party risk isn’t a technical issue—it’s a business issue. How can CISOs reframe supply-chain security in financial and strategic terms that resonate with the board?
Bob Maley: A lot of CISOs come from technical backgrounds, and when the only tool you have is a hammer, everything looks like a nail. We tend to focus on patching cadences, vulnerabilities, and other technical details. But boards don’t think that way. They think in terms of impact to the bottom line.
Instead of saying, “This vendor has poor patching cadence,” say, “This vendor’s weaknesses increase our likelihood of a business interruption by 10 percent, which could cost $3 million.” That changes the conversation. It helps boards understand the financial stakes and allocate the right resources—budget, insurance, or executive support—to reduce that risk.
Many organizations still treat compliance with standard security frameworks like ISO 27001, SOC 2 from the American Institute of CPAs, or privacy mandates such as Europe’s GDPR and HIPAA for US health records as the end goal. Is compliance becoming a box-checking exercise, and what’s the cost of that mindset?
Compliance is important, but it’s only a baseline. I’ve seen organizations that were fully compliant and still suffered major incidents—Colonial Pipeline, which suffered a ransomware attack that disrupted fuel delivery across the East Coast in 2021, is a good example. They met all requirements, but a few small missteps created a huge business disruption.
Too often, compliance becomes a safety blanket. People think, “We followed the policy, so we’re fine.” But compliance doesn’t measure business impact. A company can be certified and still be vulnerable if it hasn’t tied those controls to actual risk outcomes. Going beyond that baseline means quantifying how vendor weaknesses translate to real financial exposure, focusing deeply on critical partners rather than checking boxes across thousands, and continuously monitoring for early warning signals instead of waiting for audits.
SolarWinds, the 2020 supply-chain breach in which attackers inserted malicious code into a widely used network-management product, showed how one vendor’s vulnerability can ripple across thousands of organizations. How should companies communicate that cascade effect when discussing enterprise risk?
First, you have to understand your dependencies. It’s not just about your vendors, but your vendors’ vendors. Most CISOs don’t have visibility that far down the chain. You can’t control every supplier, but you can identify the ones that are material to your business.
Once you know which partners are critical, build deeper relationships and continuous monitoring around them. Turn those vendors into partners, not just providers. That means open communication about their own supply-chain risks, sharing telemetry or incident data when possible, and collaborating on how to strengthen resilience on both sides. That’s how you gain leverage and visibility before something like SolarWinds happens again.
With supply chains expanding faster than regulators can keep up, what steps can CISOs take to embed security into core business planning instead of bolting it on later?
It starts with prioritization. If you have 10,000 vendors, you can’t assess them all deeply. But if it’s ten, whether they’re software providers, cloud partners, or key service suppliers, and all of them could cost you $100 million, that’s where you focus. Embed risk thinking early in the procurement process, and make sure business leaders understand how those relationships affect resilience.
The earlier security is involved, the more aligned the business will be. Waiting until after contracts are signed just adds cost and complexity.
There’s a lot of talk about AI transforming third-party risk management. What’s hype, and what’s helpful?
I’ve seen vendors claim their AI can automate 100 percent of third-party risk management and eliminate the need for people. That’s a disaster waiting to happen. AI can elevate the process—it can help us analyze faster, correlate signals, and spot anomalies—but it can’t replace human judgment.
We’ll see major evolution in this space over the next year or two, but the smart CISOs will use AI to enhance their programs, not outsource accountability to it.
What’s your call to action for CISOs who want to elevate third-party risk as a business priority?
Stop treating it as a technical checklist. Tie it to the business. Use quantification to translate cyber risk into financial impact, and build partnerships across procurement, finance, and the board. Once leadership understands that third-party risk directly affects revenue and resilience, it stops being a security problem—and becomes a business imperative.
Written by Joan Goodchild
Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.