How to solve the three big challenges of the TPRM analyst

By Sweta Bhattacharya

In Episode 4 of The SAFE Cyber Risk Podcast, host Saket Bajoria, Chief Product Officer at SAFE, dissects an urgent challenge for enterprises: Third-Party Risk Management. Our guest in this episode is Michael Johnson, CISO at Meta Financial Technologies, former CISO at Capital One and CIO at the US Department of Energy.

Third-Party Risk Management (TPRM) has long been a challenge for enterprises, but with the explosion of SaaS tools and applications, we’re seeing a whole new dimension of attack surface expansion. This shift has placed a magnifying glass on how organizations are managing third-party risks.

Michael says it straightaway: “It’s about managing ‘actual’ risk.” Most importantly, you have to “do the ‘risk’ math.” But “Most companies don’t do it right and don’t do it continuously.”

Top 7 Takeaways from Episode 4 with Michael Johnson

1. Understand What Third-Party Risk Management Really Means

A 2025 report by the World Economic Forum called out third-party risk as “the biggest barrier to achieving cyber resilience.” Michael makes a strong case that organizations must move beyond activity-based mindsets. The focus should be on:

  • Understanding the capability and intent of threat actors
  • Gaining deep visibility into the vulnerability landscape
  • Evaluating the effectiveness of existing controls
  • Mapping the business consequences of vendor failure

As he highlights, it’s not about the volume of effort—it’s about the accuracy of understanding.

2. Continuous Third-Party Risk Monitoring Is a Regulatory Requirement

Whether you’re in finance, healthcare, tech, or retail, continuous third-party risk monitoring isn’t just a good idea—it’s the law. From NYDFS Part 500 to the NIS2 Directive and PCI DSS, regulators expect organizations to treat vendor risk as a living, breathing exposure.

However, Michael cautions: “TPRM has become a check-the-box exercise. Most companies that have third-party security risk management are not managing actual risk.” And this includes companies that lean too heavily on security rating services (SRS), which he points out “obviously fall short” and are “just completely insufficient.”

The real risk lies in mistaking visibility for control.

3. The Importance of a Rock-Solid Contract

A critical piece of effective TPRM lies in how contracts are written. For continuous monitoring to work, contracts must allow for both outside-in scans and inside-out reporting. Michael emphasizes that attestations need to be dynamic, not static.

Strong vendor contracts should include:

  • Real-time re-assessment of security attestations
  • Notification and restitution processes in the event of a breach
  • Rights to perform Root Cause Analysis (RCA) post-incident
  • Explicit evidence requirements for vendors during onboarding

As Michael notes: “Automating this part would be huge – it would be a game-changer.” But automation is only possible if these requirements are clearly embedded in the contract from day one.

4. Solve the Three Biggest TPRM Analyst Challenges

In many large organizations, TPRM teams are tasked with managing thousands of vendors—sometimes with fewer than 20 people on the team. Michael estimates team sizes range from 12 to 65 employees managing 2,000 to 10,000 vendors.

In this kind of environment, it’s impossible to scale using manual processes. Michael outlines the three biggest pain points that analysts face:

  • Reconciling data across systems
  • Chasing vendors for status updates and documentation
  • Communicating risk posture back to the business

“In a traditional world,” he explains, “it takes days and days, from weeks to months to onboard a new vendor.” This bottleneck slows innovation and burdens security teams. 

Automation should be directed precisely where it delivers the most impact—on the work that consumes the most time.

5. Communicating the Entire Third-Party Risk Landscape

A mature TPRM program is not just about managing vendor security—it’s about integrating third-party risk into the broader enterprise risk ecosystem.

Michael recommends:

  • Understanding the enterprise’s full attack surface
  • Classifying vendors into tiers of risk (Tier 1, 2, 3, etc.)
  • Monitoring for contractual drift and violations
  • Ensuring real-time attestation visibility
  • Visualizing third-party exposure within enterprise-wide risk posture

A vendor is not a side issue—it’s an extension of your business. And failing to track their risk posture is no different from ignoring your own.
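The "risk math" from takeaway 1 (threat actor capability and intent, vulnerability exposure, control effectiveness, business consequence) and the tiering, contractual-drift and portfolio-visibility points from takeaway 5 can be carried through on a small vendor portfolio. The script below is an added example written for this page; it is not SAFE's scoring model or anything Michael Johnson described. The multiplicative likelihood formula, the tier thresholds, the 90-day re-attestation window and all three vendor records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 6, 30)          # fixed reference date so the results are reproducible
ATTESTATION_MAX_AGE_DAYS = 90      # assumed contractual re-attestation window


@dataclass(frozen=True)
class Vendor:
    name: str
    threat_capability: float      # 0..1: how capable the actors targeting this vendor's sector are
    threat_intent: float          # 0..1: how motivated they are to go after it
    exposure: float               # 0..1: share of the vendor's vulnerability landscape left unmitigated
    control_effectiveness: float  # 0..1: how much the vendor's controls cut an attacker's success rate
    business_impact_usd: float    # loss to our business if this vendor is compromised
    attestation_date: date        # when the vendor last refreshed its security attestation


def likelihood(v: Vendor) -> float:
    """Probability of a successful compromise: threat x exposure x residual control gap (assumed model)."""
    return v.threat_capability * v.threat_intent * v.exposure * (1.0 - v.control_effectiveness)


def expected_loss(v: Vendor) -> float:
    """The 'risk math': likelihood times business consequence, in USD."""
    return likelihood(v) * v.business_impact_usd


def tier(v: Vendor) -> int:
    """Assumed tiering thresholds on expected loss: Tier 1 is the highest-risk bucket."""
    loss = expected_loss(v)
    if loss >= 1_000_000:
        return 1
    if loss >= 100_000:
        return 2
    return 3


def attestation_stale(v: Vendor, today: date = TODAY) -> bool:
    """Contractual-drift check: the attestation is older than the agreed window."""
    return (today - v.attestation_date).days > ATTESTATION_MAX_AGE_DAYS


def assess(vendors, today: date = TODAY) -> dict:
    """Per-vendor view an analyst can communicate back to the business."""
    return {
        v.name: {
            "likelihood": round(likelihood(v), 4),
            "expected_loss_usd": round(expected_loss(v), 2),
            "tier": tier(v),
            "attestation_stale": attestation_stale(v, today),
        }
        for v in vendors
    }


def portfolio_exposure(vendors) -> float:
    """Aggregate third-party exposure, the number that belongs in the enterprise-wide risk posture."""
    return round(sum(expected_loss(v) for v in vendors), 2)


# Constructed sample vendors; every number is illustrative.
SAMPLE_VENDORS = [
    Vendor("PayRail (payment processor)", 0.9, 0.8, 0.3, 0.6, 20_000_000, date(2024, 12, 1)),
    Vendor("DocSign (e-signature SaaS)", 0.7, 0.6, 0.4, 0.5, 2_000_000, date(2025, 3, 15)),
    Vendor("OfficeSnacks (catering)", 0.3, 0.2, 0.5, 0.2, 50_000, date(2025, 6, 1)),
]

if __name__ == "__main__":
    results = assess(SAMPLE_VENDORS)
    # Rank by expected loss so the most consequential vendor is discussed first.
    for name, r in sorted(results.items(), key=lambda kv: -kv[1]["expected_loss_usd"]):
        flag = "  <-- re-attestation overdue" if r["attestation_stale"] else ""
        print(f"Tier {r['tier']}  ${r['expected_loss_usd']:>12,.2f}  {name}{flag}")
    print(f"Total third-party exposure: ${portfolio_exposure(SAMPLE_VENDORS):,.2f}")
```

The point of running the numbers rather than counting questionnaires is visible in the output: the payment processor lands in Tier 1 even with the strongest controls in the set, because its business impact dominates, while the catering vendor stays in Tier 3 despite weak controls. Two of the three vendors also trip the staleness check, which is exactly the contractual-drift signal that a static, onboarding-time attestation would never surface.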

6. Re-imagining Third-Party Risk Management

Michael lays it out clearly: “It needs to be continuous, intelligent, real-time, automated, work at scale, and actually manage risk by being effective.” While today’s TPRM workflows may check a few of these boxes, most fall short of covering all.

To meet the needs of modern enterprises, TPRM must evolve from siloed assessments to fully integrated, AI-enabled workflows. That requires automating not just the repetitive work, but rethinking the end-to-end process with scale, agility, and accuracy in mind.

As Michael notes, simply automating pen-pushing won’t cut it.

7. AI-Driven Third-Party Risk Management

Looking to the future, Michael is optimistic about the potential of AI—but only when it’s used responsibly. Michael mentions he’s a big fan of “companies leveraging reputable open source models to build TPRM solutions that are automated.”

But it doesn’t stop there. AI-driven TPRM must be built on secure and ethical foundations, with:

  • Rigorous security architecture and safeguards
  • Robust data access controls
  • Strong privacy and compliance frameworks

Automation alone doesn’t reduce risk—but intelligent, transparent, and well-architected automation does.

As Michael emphasizes, true transformation comes from moving beyond checklists to real, continuous risk management at scale. With the right architecture, automation, and AI-driven intelligence, TPRM can finally deliver on its promise: resilience without friction. Watch the full episode for more insights.

SAFE’s 100% Autonomous TPRM is about freeing your teams from spreadsheets and follow-ups, so they can focus on strategic risk decisions. To learn how SAFE TPRM enables 100% automation in your third-party risk management program, test drive it yourself!