A mythological explanation of the world states that the flat earth rests on the back of a giant turtle, which itself rests on the back of an even larger turtle. That turtle rests on a still larger turtle, and so on, forever.
Third-party risk management is like the epistemological stack of world turtles: each organization obtains goods and services from yet other organizations, and so on with no apparent end. All organizations are at least partly dependent upon others for goods or services essential for delivering goods or services to their customers.
So, where does it all end? Depending upon the industry and the criticality of individual goods or services, third-party risk management generally vets critical vendors and determines whether those vendors have effective third-party risk management programs.
We’re all in this together.
— excerpt from an upcoming book on information security management