
Every industry has a CDK Global

COMMENTARY: Two years ago I had never heard of CDK Global. It was a niche software provider, but one that happens to power most of the more than 15,000 car dealerships across the U.S.

The company would have lived on in anonymity as one of the thousands of interconnected businesses that make up an industry's global supply chain.

June 18, 2024 changed all that.


On that day, the BlackSuit ransomware group breached CDK Global's network. CDK took its software offline in response, and car dealerships across the country ground to a halt.

It cost dealers millions in lost revenue, not to mention the headlines and the ransom demand. That's the day CDK Global leapt onto my (very long) list of examples of why we need to rethink how we protect our shared digital infrastructure.

Every industry has a weak link

Every sector has its small linchpins that can disrupt entire industries if they go down. Think of the digital lending platform that serves more than one-third of credit unions worldwide: a single glitch there could halt lending for every institution on it. An outage at a real estate management platform could delay rent collection and disrupt cash flows for tenants and landlords alike.

Verizon's 2025 Data Breach Investigations Report found that 30% of breaches involved a third party, double the share in the prior year. The problem has accelerated as organizations increasingly rely on specialized vendors that in turn depend on niche fourth- and fifth-party providers. Digital transformation has created a sprawling ecosystem in which each of hundreds of direct vendors has its own web of dependencies. Yet most security teams focus exclusively on direct vendor relationships, leaving organizations exposed to cascading risks buried deep in their extended supply chains.

The third parties of third parties

Every CISO knows the challenge of managing third-party vendor risk: too many vendors, too much paperwork, too many bad outcomes landing on the desk or in the news. And that is only a fraction of an organization's actual attack surface. The problem extends far beyond the company's own footprint, and beyond even its third parties' footprints, into a sprawling, interdependent web of connections that most organizations are still trying to manage with... questionnaires. Which means most teams are missing the bulk of the iceberg.

This network of fourth-, fifth-, and sixth-party dependencies remains completely invisible to traditional risk management approaches. Most companies have no contracts with these companies, no view into their security practices, and no leverage to demand improvements.

Yet a vulnerability in any one of them could shut the organization down. When the cloud provider's data center relies on a compromised HVAC system, or the payment processor depends on a vulnerable file transfer tool, those hidden relationships become the company's problem, and it is a problem that won't surface until something breaks.

Traditional risk management relies on point-in-time assessments that assume risk is static. Threat actor activity changes minute by minute, while organizations work from questionnaires that are weeks, months, or even years old. A company that relies on the questionnaire view is missing most of its third- and fourth-party risk.

Third-party risk teams universally lack sufficient resources: not enough people, budget, or time to keep up with a growing number of vendors, cyber risks, and regulations. The result is widespread fatigue, skepticism about whether enormous effort produces meaningful improvement, and questions about whether new technology can pave the way to a better approach.

AI to the rescue? 

AI is both a blessing and a curse, but the organizations that are truly leveraging it are unlocking ways to monitor, manage, and protect the supply chain that were unthinkable even a few years ago.

Here are some very tangible, practical steps for risk and security leaders to take:  

  • Conduct continuous assessments: AI can solve the problems of speed and scale. It is no longer excusable to have gaps in which vendors the team monitors, or delays in how often the team assesses third-party vulnerabilities. Extend the program to the company's entire vendor portfolio, and move from periodic assessments to continuous, real-time monitoring of third, fourth, and nth parties.
  • Map the wiring to understand which vendors matter: Understand which vendor assets the business relies on and how far those dependencies cascade through the supply chain. Map what matters most to operations, align that map with current exposure data, then work with the company's operations teams to treat the most critical connections accordingly.
  • Prioritize intelligently: Focus resources on vendors with unresolved high-severity vulnerabilities that affect critical assets the company relies on. This requires combining multiple intelligence sources (vulnerability databases, threat feeds, security ratings, and incident reports) to build a comprehensive view of where active risk is materializing across the vendor ecosystem.
  • Use frameworks, but make them dynamic: Lean on security frameworks, but modernize them with real-time insight. They serve as the critical bridge between the operational mandate of protection and the governance charter of compliance, and they need to work in an era of AI. Get everyone on the same page by making them shared, adaptive, and threat-informed.
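The second and third steps above, mapping how far dependencies cascade and then ranking findings by what they actually threaten, can be made concrete in code. The example below is added here as an illustration and is not code from the author or from Bitsight. It assumes a hypothetical vendor graph, criticality weights and findings, all constructed inline, and a simple severity-times-criticality score that is an assumption rather than any product's scoring model. It walks the dependency graph to assign each vendor a tier (third, fourth, nth party), computes each vendor's blast radius back to the direct vendors the business depends on, and ranks unresolved findings by that blast radius rather than by severity alone.

```python
"""Nth-party dependency mapping and finding prioritization (added example, not from the article)."""
from collections import deque

# Constructed sample data. Edge A -> B means "A depends on B", so B is one tier
# further from the organization than A. Names are hypothetical.
DEPENDENCIES = {
    "dealer-dms": ["cloud-host", "file-transfer-saas"],
    "payment-processor": ["file-transfer-saas", "kyc-provider"],
    "payroll-saas": ["cloud-host"],
    "cloud-host": ["colo-datacenter"],
    "colo-datacenter": ["hvac-vendor"],
    "file-transfer-saas": [],
    "kyc-provider": ["cloud-host"],
    "hvac-vendor": [],
}

# Vendors the organization contracts with directly (third parties).
DIRECT_VENDORS = ["dealer-dms", "payment-processor", "payroll-saas"]

# Assumed business-criticality weight of each direct vendor (10 = operations stop without it).
BUSINESS_CRITICALITY = {"dealer-dms": 10, "payment-processor": 8, "payroll-saas": 3}

# Constructed findings merged from several sources (vuln DB, threat feed, rating, incident report).
FINDINGS = [
    {"vendor": "file-transfer-saas", "severity": "high", "resolved": False, "source": "vuln-db"},
    {"vendor": "hvac-vendor", "severity": "high", "resolved": False, "source": "threat-feed"},
    {"vendor": "payroll-saas", "severity": "critical", "resolved": False, "source": "vuln-db"},
    {"vendor": "cloud-host", "severity": "medium", "resolved": False, "source": "rating"},
    {"vendor": "dealer-dms", "severity": "high", "resolved": True, "source": "incident-report"},
]

# Assumed severity weights; any monotonic scale works for the ranking shown here.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def build_reverse_graph(deps):
    """Map each vendor to the set of vendors that depend on it (edges reversed)."""
    rev = {v: set() for v in deps}
    for vendor, upstreams in deps.items():
        for up in upstreams:
            rev.setdefault(up, set()).add(vendor)
    return rev


def vendor_tiers(deps, direct):
    """Breadth-first distance from the organization: 1 = third party, 2 = fourth, ..."""
    tiers = {v: 1 for v in direct}
    queue = deque(direct)
    while queue:
        v = queue.popleft()
        for up in deps.get(v, []):
            if up not in tiers:  # also terminates on cycles
                tiers[up] = tiers[v] + 1
                queue.append(up)
    return tiers


def blast_radius(vendor, deps, direct, criticality):
    """Direct vendors that transitively depend on `vendor`, plus their summed criticality."""
    rev = build_reverse_graph(deps)
    seen, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(rev.get(v, ()))
    affected = sorted(d for d in seen if d in direct)
    return affected, sum(criticality.get(d, 0) for d in affected)


def prioritize(findings, deps, direct, criticality):
    """Rank unresolved findings by severity weight times the criticality they can reach."""
    tiers = vendor_tiers(deps, direct)
    ranked = []
    for f in findings:
        if f["resolved"]:
            continue
        affected, crit = blast_radius(f["vendor"], deps, direct, criticality)
        ranked.append({
            "vendor": f["vendor"],
            "tier": tiers.get(f["vendor"]),
            "severity": f["severity"],
            "source": f["source"],
            "affects": affected,
            "score": SEVERITY_WEIGHT[f["severity"]] * crit,
        })
    ranked.sort(key=lambda r: (-r["score"], r["vendor"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, DEPENDENCIES, DIRECT_VENDORS, BUSINESS_CRITICALITY):
        print(f"{row['score']:>3}  tier {row['tier']}  {row['severity']:<8} {row['vendor']:<20} "
              f"affects {', '.join(row['affects'])}")
```

With the constructed data, the top of the list is the HVAC vendor four tiers out with a high-severity finding, because every direct vendor ultimately sits on the one colocation facility it serves, while the critical-severity finding on the payroll platform ranks last because only a low-criticality process depends on it. A questionnaire-driven program that only looks at contracted vendors would see the payroll finding and never see the HVAC vendor at all.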

Organizations that survive this shift will finally see what has been hidden. Evolve risk management to match modern supply chain complexity, or remain vulnerable to the hidden dependencies that could halt the business overnight.

Vanessa Jankowski, senior vice president, ecosystem products, Bitsight

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
