How AI is the Key Turning Point in TPRM with Paul Valente
Insights from Paul Valente, CEO & Co-Founder of VISO TRUST
At RSA Conference 2024, one theme echoed across every conversation:Â AI is reshaping everything. But beyond the hype, thereâs a quieter revolution happening in cybersecurity – one that could fundamentally change how organizations manage risk.
That turning point? Artificial intelligence in Third-Party Risk Management (TPRM).
In a recent conversation with Paul Valente, former CISO and now CCO of VISO TRUST, we explored how AI is transforming one of cybersecurityâs most persistent challenges.
From CISO to CEO: A Natural Evolution
Before founding VISO TRUST, Paul Valente spent over 25 years in cybersecurity, including leadership roles at companies like LendingClub, Restoration Hardware, and ASAPP.
So what exactly does a CISO do?
In Paulâs words:
âThe CISO is essentially the CFO of security, responsible for everything related to protecting the organization.â
But over time, his role evolved beyond technology.
Modern CISOs:
- Translate security into business value
- Align risk with organizational strategy
- Communicate across executive teams
That shift, from technical expert to business leader, ultimately led Paul to a bigger realization: some problems are too large to solve within a single company.
The Breaking Point: Why TPRM Needed Reinvention
Third-party risk management has been around for years, but itâs long been broken.
Organizations depend on vendors for everything, from cloud infrastructure to AI tools, but understanding the risk those vendors introduce has historically been:
- Slow
- Manual
- Incomplete
- Highly subjective
Traditional approaches fall short:
- Questionnaires: biased, self-reported answers
- Security ratings:Â surface-level insights (e.g., public-facing data)
- Manual reviews:Â donât scale
Meanwhile, companies now manage hundreds or thousands of vendors.
The result?
TPRM became a top concern for CISOs, but one they often couldnât act on effectively.
Why AI Changes Everything
This is where AI becomes the turning point.
TPRM is fundamentally an information problem:
- Security evidence is scattered across documents
- Reports, policies, audits, and test results are unstructured
- Analyzing them requires deep expertise and time
Historically, this made large-scale analysis nearly impossible.
But AI, especially natural language processing and machine learning, changes that.
What AI Enables in TPRM:
- Automated analysis of security artifacts
- Interpretation of policies, audits, and reports
- Scalable vendor assessments across thousands of companies
- Faster, more accurate risk insights
As Paul puts it:
âAI is the key to unlocking the information thatâs always been there, but impossible to process at scale.â
From Bottleneck to Business Enabler
Traditionally, security teams were seen as blockers, often labeled the âDepartment of No.â
AI-driven TPRM flips that narrative.
Instead of slowing decisions down, organizations can now:
- Evaluate vendors earlier in the buying process
- Make risk-informed decisions during RFPs
- Continuously monitor vendor ecosystems
- Reduce reliance on manual reviews
This shift is powerful.
Security becomes:
- Faster
- More proactive
- Aligned with business goals
A New Use Case: Smarter Vendor Decisions
One unexpected benefit?
Companies are using TPRM not just to approve vendors, but to eliminate them.
For example, organizations can:
- Identify redundant tools
- Compare vendors based on risk
- Decide which platforms to keep or remove
In one case, a company used TPRM insights to reduce its vendor footprint, keeping only the most secure and valuable partners.
The Rise of AI Risk Itself
Thereâs another layer to this transformation.
As companies rapidly adopt AI tools, theyâre introducing new categories of third-party risk, including:
- Data privacy concerns
- Model training exposure
- Lack of transparency in AI systems
This creates a dual challenge:
- Use AI to manage risk
- Manage the risks introduced by AI itself
Modern TPRM platforms are now evolving to assess AI trust, not just traditional security posture.
The Bigger Trend: AI Is Becoming Accessible to Everyone
One of Paulâs most compelling insights is how AI adoption mirrors the evolution of databases.
âTen years ago, databases were for DBAs. Today, every developer uses them. AI is following the same path.â
Weâre entering a world where:
- You donât need to be an AI expert to use AI
- Engineers, analysts, and security teams can all leverage it
- The barrier to entry is rapidly disappearing
Where to Start
For those looking to explore AI in cybersecurity or TPRM:
- Start experimenting with AI tools
- Learn how models interpret language and data
- Explore real-world use cases like vendor risk analysis
- Focus on practical application, not just theory
âJust get started. Anyone can become an intelligent AI user today.â
Final Thoughts
AI isnât just another tool in cybersecurity; itâs a force multiplier.
In third-party risk management, it solves a problem that has existed for decades:
too much data, not enough capacity to analyze it.
Now, for the first time, organizations can:
- Scale risk assessments
- Improve accuracy
- Move faster without sacrificing security
And perhaps most importantly: Security teams can finally move from being reactive gatekeepers to strategic business enablers.
