In just about every job I've done, at some time I've been responsible for the assessment and assurance of third parties / suppliers / (data) processors. I often feel that as an information security and data protection community we do a great job when it comes to this as a compliance activity (especially when it comes to completing spreadsheets) but we fail to actually manage the risk.
A few years ago I worked on a theory that every supplier and third party has different behaviours, abilities and knowledge. By developing a personality profile for each third party (think Myers-Briggs® for suppliers), it should be possible to provide more effective information security and data protection assurance programmes for your organisation.
I gave this session at the San Francisco RSA Conference 2018; it describes eight typical supplier 'personalities' and how to adapt your assurance strategy to each personality. It should help you develop your assurance programmes to spend time (and money) where the risk is.