
Checkbox Assessments Aren't Fit to Measure Risk

Why This Matters

The article argues that traditional checkbox assessments, which audit an organization's security posture once a year against a static questionnaire, cannot measure risk in a threat landscape that changes daily. It describes the shift toward continuous, evidence-based compliance and third-party risk models that monitor for vulnerabilities, misconfigurations, and breach signals as they appear rather than at audit time. The practical point for practitioners is that a vendor can be fully compliant on paper and still introduce meaningful risk, so a passed assessment is not by itself evidence of low exposure.

Key Takeaways

A rapidly evolving threat landscape with highly adaptable and increasingly sophisticated threat actors is no place for checkbox compliance assessments that merely audit organizations' security postures once a year. That's why security professionals and industry experts are calling for compliance models that take a more continuous approach, and more companies continue to emerge in the space.

Industry leaders and CISOs continually poke holes in the way governance, risk management, and compliance (GRC) and third-party risk management (TPRM) assessments are conducted, and the holes are only growing bigger. Yearly assessments, which rate an organization's risk level from a static questionnaire, produce a snapshot that is stale as soon as it is taken, the polar opposite of how attackers behave: threat actors now find and exploit vulnerabilities faster and keep discovering new vectors for supply chain attacks.

When the compliance industry started, assessments mirrored finance industry models: a yearly audit to determine whether companies met objectives and obligations, explains Sravish Sridhar, TrustCloud CEO and founder.


"Attackers weren't worldwide and trying to infiltrate you from every angle," he says.

Old models were fine when IT changes and IT fragmentation happened more slowly. But now the pace is accelerating faster than most can handle, he says.

With the static, check-the-box approach, a vendor can be fully compliant on paper with its third-party program and still introduce meaningful risk into the business, says Lamont Atkins, partner at McKinsey. Atkins has also observed CISOs move decisively away from questionnaire-driven checkbox compliance models toward more continuous and evidence-based assurance.

Modern TPRM platforms continuously monitor vendors for vulnerabilities, misconfigurations, and breach signals rather than relying on static questionnaires, and they use artificial intelligence (AI) to analyze those signals and assess risk, explains Swee Khan Goh, Omdia research analyst. He singled out Upguard, BitSight, and OneTrust as three companies doing well in this space.

'It's Not a Predictor of Risk Whatsoever'

While launching TrustCloud, whose 2,000 customers range from pharmaceutical and healthcare to government and manufacturing, Sridhar heard from CISOs that GRC stood for "government, risk, and check the box." They told him that we live in a world where vulnerabilities and risk are growing higher and higher, and compliance obligations are getting larger due to all the regulations.
