Most security teams spend the bulk of their budget hardening infrastructure they own: their own servers, their own endpoints, their own code. Yet some of the most damaging breaches of the last decade didn’t start inside the victim’s network at all. They started at a third party — an HVAC contractor, a software update server, a payroll processor, a widely-used file transfer tool. The attacker never had to pick the front door lock because a trusted vendor was already holding it open.
That gap between “systems I control” and “systems I depend on” is exactly what vendor risk management (VRM) exists to close. It’s the discipline of understanding, measuring, and reducing the security, privacy, operational, and compliance risk that comes with every external party your organization relies on to function.
Why “Their Problem” Becomes Your Problem
The uncomfortable truth is that outsourcing a function never outsources the risk. When you give a marketing SaaS platform access to your customer database, or let a managed service provider hold administrative credentials to your cloud tenant, you have effectively extended your attack surface to include their security posture — but without any of your usual visibility or control. If they get compromised, the blast radius often lands on you: your data, your customers, your regulatory fines, your name in the news.
Regulators have caught up to this. Frameworks like GDPR, HIPAA, PCI DSS, and the newer DORA regulation in the EU explicitly hold organizations accountable for the third parties that process their data. “We didn’t know our vendor was storing passwords in plaintext” is not a defense that holds up in an audit or a lawsuit.
The Kinds of Risk a Vendor Introduces
Vendor risk is rarely just about hackers. A useful program looks at several distinct categories, because a supplier can be perfectly secure and still sink you in other ways:
- Cybersecurity risk — weak controls that let attackers pivot from the vendor into your environment, or breach the data you’ve shared with them.
- Operational and resilience risk — the vendor goes down, goes bankrupt, or suffers an outage, and a business process you depend on stops working.
- Compliance and legal risk — the vendor’s handling of data violates a regulation you’re bound by, making you liable.
- Concentration risk — too many of your critical functions ride on a single provider (think a single cloud region or one dominant SaaS tool), so one failure cascades.
- Fourth-party risk — your vendor’s vendors. The subprocessors and open-source dependencies buried underneath the service you actually bought.
- Reputational risk — being publicly associated with a partner that mishandles data or behaves unethically.
The last two are where organizations get blindsided. You can vet your direct suppliers rigorously and still be exposed through a subcontractor three layers deep that you’ve never heard of.
Building a Program That Actually Works
A credible VRM program moves a vendor through a repeatable set of stages rather than treating security as a one-time questionnaire at purchase time. The lifecycle usually looks like this:
- Inventory and tiering. You cannot manage what you haven’t catalogd. Start by building a complete list of vendors, then rank them by how much damage they could do — a vendor with access to sensitive data or production systems is “critical,” while the company that services the office coffee machine is not. Tiering lets you spend your limited assessment effort where it matters.
- Due diligence and assessment. Before onboarding, evaluate the vendor’s controls. This is where security questionnaires (often mapped to standards like SIG or CAIS), independent audit reports (SOC 2 Type II, ISO 27001 certificates), and external evidence come together.
- Contractual controls. Bake security into the paper. Require breach notification within a defined window, a right to audit, data handling and deletion obligations, and minimum control standards. A contract is your main lever once the vendor is inside.
- Continuous monitoring. Point-in-time assessments go stale within weeks. Mature programs watch vendors over time — for newly disclosed breaches, expiring certifications, deteriorating external security signals, and changes in the services they provide.
- Offboarding. When the relationship ends, confirm that access is revoked, credentials are rotated, and your data is returned or destroyed. Forgotten vendor accounts are a classic source of lingering exposure.
Verifying Claims Instead of Trusting Them
Questionnaires tell you what a vendor says. It’s often worth corroborating that with outside-in evidence you can gather yourself, without ever touching their systems intrusively. A few lightweight, publicly-observable checks are reasonable during due diligence:
# Check that a vendor enforces modern TLS and isn't serving an expired cert
echo | openssl s_client -connect vendor.example.com:443 -servername vendor.example.com 2>/dev/null \
| openssl x509 -noout -dates -issuer
# Inspect the security headers a public-facing vendor app returns
curl -sI https://app.vendor.example.com | grep -iE 'strict-transport|content-security|x-frame'
# Confirm the domain has anti-spoofing email controls (SPF / DMARC) published
dig +short TXT vendor.example.com | grep -i spf
dig +short TXT _dmarc.vendor.example.comEach of these is passive — you’re only reading public DNS records and connecting to public endpoints the way any user would. A missing DMARC record or a still-supported TLS 1.0 endpoint doesn’t prove the vendor is negligent, but it’s a useful signal that their questionnaire answers deserve a harder look. For a broader external view, teams often supplement this with attack-surface tooling and reputation feeds, but never with unauthorized scanning of a vendor’s private infrastructure — that crosses a legal line.
Learning from How Vendor Breaches Actually Unfold
Real incidents make the abstract concrete. The pattern that repeats is transitive trust being abused. In several high-profile cases, attackers compromised a widely-used piece of software — a build pipeline, a remote monitoring tool, or a file-transfer product — and then rode the vendor’s own trusted update or access channel straight into thousands of downstream customers at once. In others, a single set of stolen vendor credentials, or network access granted to a small contractor, became the beachhead for a much larger intrusion.
The common threads are worth internalizing:
- Attackers deliberately target vendors because they’re a force multiplier: one compromise yields many victims.
- The trust relationship is the vulnerability. Downstream systems accept the vendor’s traffic, updates, or logins by default.
- Detection is hard precisely because the malicious activity arrives through a channel you’ve whitelisted.
This is why the defensive answer isn’t only “assess vendors better.” It’s also to limit the damage a compromised-but-trusted vendor can do: enforce least-privilege access for every third party, segment vendor connections away from your crown jewels, require multi-factor authentication on vendor accounts, scrutinize software updates rather than auto-trusting them, and monitor what your vendors’ integrations are actually doing inside your environment.
The Takeaway
Vendor risk management isn’t a procurement checkbox or an annual questionnaire ritual — it’s the recognition that your real security perimeter includes everyone you’ve chosen to trust. The organizations that do it well treat vendors as a living portfolio: continuously inventoried, tiered by impact, verified with evidence rather than promises, contained by least privilege, and watched over time. You will never fully control a third party’s security, and you don’t have to. What you can control is how much you expose to them, how well you verify their claims, and how quickly you’d notice if their trust were turned against you. In an era where the most efficient path into your network often runs through someone else’s, that discipline is no longer optional.
