From Blue Lights to Boardrooms: What Policing Taught Me about Third-Party Risk
For a CISO or a police officer, preparation makes fast, effective decisions possible

Before I ever sat in a boardroom discussing third-party risk, I spent years as a Chief Inspector in UK policing. My job required making decisions under pressure, often with incomplete information, real-world consequences, and no luxury of de
What struck me, when I later began working with CISOs and TPRM teams, was how familiar their challenges felt.

Different environment. Same decision dynamics.
Paul Chadwick is a Senior Sales Engineer in Solutions Architecture for SAFE, based in the UK. Image: Paul in his police days.
Managing Three Levels of Risk All at Once
In policing, we are trained to operate across operational, tactical, and strategic layers simultaneously.
Picture this:
- Operational: I’m driving on blue lights to a live incident. Speed, safety, route choice, and immediate risk to the public are front of mind.
- Tactical: While driving, I’m issuing orders, allocating officers, deciding whether specialist resources are needed, assessing entry options, and considering legal powers, all in real time.
- Strategic: In parallel, I’m applying the National Decision Model (NDM), weighing legality, proportionality, ethics, public confidence, and longer-term consequences. PESTLE* considerations aren’t theoretical; they shape every command decision.
*(PESTLE = Political, Economic, Social, Technological, Legal and Environmental considerations).
These layers never pause for one another. They stack. They collide. And they demand preparation before the crisis begins. When stress is high and time is low, you fall back on structure, not improvisation.
You rely on:
- Pre-defined decision models and playbooks
- Clear risk thresholds
- Consistent documentation
- Confidence that earlier judgments were sound
You don’t invent processes in the moment. You execute.
The CISO in a TPRM Breach Feels Very Familiar
Now replace the incident scene with a third-party breach.
The parallels are striking:
- Operational: Alerts firing, vendors calling, systems impacted, executives asking for answers now.
- Tactical: What data is exposed? Which vendor tier is this? What contractual controls exist? Who owns remediation? Who is the business owner? What compensating controls can be applied?
- Strategic: Regulatory exposure, customer trust, legal implications, board reporting, and long-term risk posture, all under scrutiny.
Just as in policing, CISOs don’t get to deal with these sequentially. They happen at the same time.
Preparation Is What Makes Speed Possible
When a breach occurs, the CISO is not deciding from scratch. They are relying on:
- Vendor tiering decisions made months earlier
- Questionnaires that captured real, relevant controls
- Risk acceptance decisions that were deliberate and documented
- A shared understanding of what “good” looks like
Without that groundwork, every incident becomes chaos.
Burning Down Risk, Not Just Recording It
One of the biggest differences I see between immature and mature TPRM programs is this:
- Immature programs record risk
- Mature programs actively burn it down
That means:
- Knowing which findings actually matter
- Prioritizing remediation based on impact, not volume
- Tracking improvement over time
- Being able to explain why a vendor is still acceptable — or not
This is where platforms like SAFE make a real difference, not by replacing judgment but by supporting it. It is not just another black box.
SAFE as a Decision Enabler, Not a Checkbox Tool
The strongest tools don’t tell you what to think. They make it easier to think well under pressure.
SAFE supports CISOs and TPRM teams by:
- Structuring vendor risk tiering so urgency is clear
- Aligning questionnaires to decision-relevant controls
- Tracking remediation progress so risk is genuinely reduced
- Providing evidence when decisions are questioned later
It’s about defensibility.
Can you explain:
- What you knew at the time
- Why you judged the risk acceptable or not
- What actions you took to reduce exposure
If you can, you’re doing the job properly, and you aren’t losing sleep at night.
Final Thought: Pressure Reveals the Quality of Preparation
Incidents don’t reward panic; they reward preparation.
The same is true for third-party risk.
When a breach hits, the CISO who performs best isn’t the one who reacts fastest; it’s the one who already knows:
- Which vendors matter most
- Which risks were accepted consciously
- Which controls can be relied upon
- Which actions will reduce risk now
That’s not luck. That’s design, and SAFE can help you with that.
At SAFE, we are fortunate to have a staff with a wide range of professional experience in addition to cybersecurity – including law enforcement. For another perspective, read this blog post by Josh Fazio, SAFE’s Global VP of the Solution Architects, a former police detective specializing in high-tech crime: The Detective’s Guide to Cyber Risk.