Supply chain

Supplier risk has become a business resilience problem


COMMENTARY: Third-party involvement in breaches jumped 60% in a single year, now accounting for 48% of all breaches.

A jump of that size no longer makes this risk a peripheral security concern. It’s a resilience problem exacerbated by the fact that, as the vendor’s customer, we have no direct control over it, and it moves faster than traditional vendor-risk processes were ever designed to track.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

An organization's core capabilities and operational processes depend on a range of vendors, including cloud platforms, software providers, and cybersecurity providers. A supplier compromise can have almost immediate downstream repercussions. The 2025 Gainsight incident put things in perspective. A compromised third party potentially affected more than 200 Salesforce instances, even though the Salesforce platform itself was not breached.

That is the supplier risk problem in a nutshell. Companies inherit vulnerabilities they didn't create, in systems they don't operate, from partners they can't fully audit. Critical dependencies translate directly into risk, because there is a wide gap between dependency and control. Teams must close this gap to reduce supply risk.

Why traditional assurance falls short

An annual supplier assessment can confirm the security practices, controls, and policies in place at the time of the review. But a supplier that scored well a year ago may now be using unauthorized AI tools or operating in a region under new sanctions. Such assessments may also fail to reveal fourth-party relationships, geographic concentration, incident-response readiness, or the existence of a viable alternative. By the time the next supplier review is conducted, the risk may have already materialized and spread.

Three forces compounding the risk

Traditional vendor-risk programs assume that a supplier's stability, compliance posture, and risk profile assessed today will remain unchanged for the duration of the contract. But there are three forces that say otherwise.

The volatile geopolitical landscape poses a significant supply risk. News of conflicts, tariffs, and sanctions no longer surprises us, but any of these can leave a supplier unavailable, unaffordable, or legally unusable. A once low-risk vendor can turn into a liability overnight.

AI adoption represents another volatile risk. Suppliers may use AI tools under a formal governance umbrella, while shadow AI use may be just as prevalent. Suppliers may also embed AI into their operations through smaller AI vendors that lack the security maturity of larger providers. This raises several risk-related questions. Is customer data feeding into models outside the vendor's control? Is AI-generated code reaching production without proper review? How exposed are our operations if the supplier feeds customer data into an unauthorized AI tool? Every AI tool a supplier adopts can alter its risk profile in a way that a one-time assessment will not catch.

Cybercrime represents another area of concern. The interconnected nature of vendor ecosystems means that one compromised supplier can open the door to dozens of customer environments. The Change Healthcare breach showed how a compromise at one deeply embedded supplier can expose data across an entire sector. Attackers accessed patient information processed on behalf of healthcare providers and insurers, ultimately affecting about 193 million people.

None of these forces are new. But together, they can unravel the core assumptions behind most vendor-risk programs, including stability, compliance, and continuity.

What executives should prioritize now

Resilience does not come from treating every supplier equally. It comes from identifying the relationships that could materially disrupt the business and directing attention accordingly. Here are four steps to take:

  • Build a complete view of suppliers.

Supplier information often sits across procurement, security, legal and individual business units. A central, cross-functional repository should establish the basic facts, including what each supplier provides, who owns the relationship, and which systems or data it can access.

This creates the visibility needed for informed decisions. It does not, by itself, determine which suppliers matter most.

  • Rank suppliers by business impact.

Assess the consequences of disruption. Contract value alone is a poor measure of importance. Rank suppliers according to their potential effect on operations, revenue, compliance, and customer service.

This ranking determines which relationships demand closer scrutiny.

  • Map dependencies and concentration.

Leaders must also dig deeper to understand the dependencies of primary suppliers on subcontractors, cloud platforms, infrastructure providers and operations in regions exposed to geopolitical disruption.

Where such dependence exists, the company should establish a secondary provider, alternative process, or tested recovery plan.

  • Strengthen protection around critical relationships.

Contracts and monitoring should reflect the level of business dependence. For critical suppliers, contracts should define incident-notification timelines, response support, regulatory responsibilities, acceptable use of AI and audit rights.

Monitoring should then track developments that could change the supplier’s risk profile, including sanctions, ownership changes, financial deterioration, repeated outages or weakening security.
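As an added illustration, not part of this column, the following Python applies steps two and three to a constructed supplier inventory: it ranks suppliers by summed business impact and surfaces the fourth parties and regions that several critical suppliers share, which is where concentration risk hides. The supplier names, impact scores and the critical threshold are all assumptions.

```python
from collections import defaultdict

# Constructed, hypothetical supplier inventory: impact scores (1-5) per business
# dimension, each supplier's own fourth-party dependencies, and operating regions.
SUPPLIERS = {
    "PayCo":       {"impact": {"operations": 5, "revenue": 5, "compliance": 4, "customer": 4},
                    "depends_on": ["CloudA"], "regions": ["EU"]},
    "SupportDesk": {"impact": {"operations": 3, "revenue": 2, "compliance": 2, "customer": 5},
                    "depends_on": ["CloudA", "AIVendorX"], "regions": ["RegionZ"]},
    "HRSaaS":      {"impact": {"operations": 2, "revenue": 1, "compliance": 4, "customer": 1},
                    "depends_on": ["CloudA", "AIVendorX"], "regions": ["US"]},
    "Printing":    {"impact": {"operations": 1, "revenue": 1, "compliance": 1, "customer": 1},
                    "depends_on": [], "regions": ["US"]},
}
CRITICAL_THRESHOLD = 12  # assumed cut-off on the summed impact score

def impact_score(record):
    """Business impact of losing this supplier: sum of the four dimensions."""
    return sum(record["impact"].values())

def rank_by_impact(suppliers):
    """Suppliers ordered by potential business impact, not by contract value."""
    return sorted(suppliers, key=lambda name: impact_score(suppliers[name]), reverse=True)

def critical_suppliers(suppliers, threshold=CRITICAL_THRESHOLD):
    """The subset whose disruption would materially hurt the business."""
    return [n for n in rank_by_impact(suppliers) if impact_score(suppliers[n]) >= threshold]

def concentration(suppliers, names):
    """Map each fourth party and each region to the suppliers in `names` relying on it."""
    fourth, regions = defaultdict(set), defaultdict(set)
    for name in names:
        for dep in suppliers[name]["depends_on"]:
            fourth[dep].add(name)
        for region in suppliers[name]["regions"]:
            regions[region].add(name)
    return fourth, regions

def shared_fourth_parties(suppliers, min_shared=2):
    """Fourth parties that several critical suppliers depend on: hidden single points of failure."""
    fourth, _ = concentration(suppliers, critical_suppliers(suppliers))
    return {dep: sorted(owners) for dep, owners in fourth.items() if len(owners) >= min_shared}

def exposed_to_region(suppliers, region):
    """Critical suppliers operating from a region hit by sanctions, conflict or new tariffs."""
    _, regions = concentration(suppliers, critical_suppliers(suppliers))
    return sorted(regions.get(region, ()))
```

On this inventory the shared fourth party CloudA underpins both critical suppliers, so a secondary provider or tested recovery plan for that dependency matters more than for any single vendor contract.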

A supplier considered stable today may face geopolitical disruption, financial pressure, or declining security investment tomorrow, and that’s why we can’t make a once-a-year assessment the last word. Leaders should instead focus on identifying critical dependencies and prioritizing fast response times for suppliers whose failure would cause the most damage.

Steve Durbin, chief executive, Information Security Forum

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
