The consensus within the Executive Security Action Forum (ESAF) community of chief information security officers (CISOs) is that traditional third-party risk management in information security is ineffective. The need for change is growing more urgent as attackers increasingly target third parties.