You're only as secure as the least secure organization you trust.
Geoff Hancock CISO CISSP, CISA, CEH, CRISC
As a CISO (multiple times) and CEO I help business and technology executives enhance their leadership, master cyber operations, and bridge cybersecurity with business strategy.
Trust is not a control.
We place too much blind trust in our vendors. Just because a partner is significant or well-known doesn't mean their internal security is where it needs to be. Assuming someone else's security is strong just because they're a "name brand" is a gamble and costly.
Your attack surface doesn't stop at your firewall.
Most companies have zero visibility beyond their Tier 1 suppliers. That's dangerous. The absolute risk might lie with a Tier 3 subcontractor you've never heard of but who indirectly touches your data, infrastructure, or code. In cyber, what you don't see is what hurts you. You can't manage what you don't map.
Software supply chains are the new soft target.
One of the most overlooked areas?
Third-party code.
Open-source libraries, SaaS plugins, and APIs are the invisible arteries of our tech stacks. While they help us move fast, they expose us to risks we can't always control. I've seen companies compromised by a tiny third-party script that hadn't been updated in two years.
Access without accountability is a breach waiting to happen.
Vendors often retain access long after their engagement ends, and that's a huge problem. Dormant service accounts, unused credentials, and over-permissioned identities are the digital equivalent of lost keys to the building. I always tell my teams: if you don't know who has access, assume it's everyone.
Contracts should protect more than just the bottom line.
When was the last time your procurement or legal team negotiated security terms? I've reviewed contracts with no language around incident response, breach notification, or security performance. That's a liability. Every agreement should spell out expectations for cybersecurity, not just service delivery.
The subsequent breach won't be your fault, but it will be your responsibility.
Attackers know that supply chains are the low-hanging fruit. It's easier to exploit a vendor than breach a hardened enterprise. And once they're in through your supplier, you're the one on the headlines, not them. Supply chain security is no longer a checkbox. It's a board-level concern.
Three Things You Can Do This Week
1. Reassess Vendor Risk Don't Just Rank by Spend
Create a risk-based vendor inventory that maps out who has access to what and how deeply integrated they are. Don't assume your most significant spend is your most important risk. The most considerable spending is often the ones flying under the radar.
2. Clean Up Access Because Entitlements Are Silent Threats
Review all third-party credentials. Remove any that are stale, unused, or unnecessary. Implement least privilege and consider just-in-time access for vendors. If they don't need access daily, they shouldn't have it daily.
3. Lock in Cyber Clauses Make Security Part of the Deal
Work with legal and procurement to standardize cybersecurity expectations in your contracts. Include audit rights, response time requirements, and consequences for negligence. If they support your operations, they must also support your security posture.
FAQ
1. How do I effectively evaluate a vendor's security posture beyond just questionnaires or certifications?
Start by treating vendor assessments as more than a checkbox exercise. While SOC 2 reports and ISO 27001 certifications are helpful, they only show a snapshot in time. Go further by:
This shows how a vendor thinks not just how they document.
2. What tools or processes can help me gain visibility into Tier 2 and 3 suppliers?
Start by mapping your digital and operational dependencies. Your Tier 1 vendors likely rely on their own suppliers. Ask them to disclose key dependencies when they affect your data, service uptime, or compliance posture.
Here's how to increase visibility:
Even a rough sketch of these relationships is better than operating blind.
3. How can I track and manage third-party software dependencies in a scalable way?
You can't secure what you don't know so start with visibility:
This must be part of secure DevOps, not just an annual review.
4. What kind of cyber clauses should be included in vendor contracts—and how can I get legal to agree to them?
Legal and procurement often focus on cost and delivery timelines, but security terms protect your reputation and compliance posture. Here are essential clauses to include:
To get legal on board, frame it in business terms: risk reduction, liability limitation, and alignment with your own customer commitments. Supply them with templated language vetted by security and legal peers (NIST, CISA, and ISACA offer samples).
5. How do I operationalize a risk-based vendor inventory? What does that look like in practice?
Here's a simple 4-step approach to building and maintaining a risk-based vendor inventory:
Inventory all third-party vendors: Pull from procurement, finance, and IT tools. Include software, services, cloud platforms, and anything interacting with your network or data.
Tag each vendor by impact level: Use categories like:
Assign a risk level based on:
Automate alerts and reviews:
Use a GRC tool or a simple dashboard (e.g., ServiceNow, Excel + Power BI, or RiskRecon) to trigger reviews when a vendor's risk level changes.
This turns "vendor risk" from a static spreadsheet into a living security function.
Owner @BARE Cybersecurity | Startup Fractional CISO | vCISO | SME | Co-Founder @BARE ALLIANCE, CTO | IT Compliance or security pains? Contact me.
3moLove this, Geoff. Most customers still don't understand the extent of the risk. We should do our part to make sure they do.