At this point some 79% of organizations have a formal TPRM program, with a median of at least two full-time employees. But few of them are actually doing much to work with their vendors to bolster the security of these third-party IT environments. A slim 14% of these professionals are highly confident that their vendors are performing security requirements. The average age of these programs is now five to six years, and the average age is now 5 to 6 years. The good news is that the forces at play are following a maturity playbook that most cybersecurity and risk professionals know.
Source: https://www.helpnetsecurity.com/2021/02/24/tprm-third-party-risk-management-programs/