Mastering 3rd Party Risk Assessment: A Strategic Imperative for Business Leaders
Third-Party Risk Assessment: Why Your Security’s Only as Strong as Your Weakest Vendor
I’ve been doing this security architecture gig long enough to spot the pattern. You spend a fortune building a digital fortress. You patch everything, you train your staff until they’re sick of your voice, and you deploy Zero Trust architectures that would make a bank jealous. You feel good. You feel secure.
Then, inevitably, the phone rings. It’s not your firewall that failed. It’s not your sophisticated intrusion detection system that missed a beat. It’s the bloke who prints your shipping labels, or the survey platform marketing signed up for with a credit card, or the facilities management company that has remote access to your HVAC system. They got popped, and now your data is floating around the darker corners of the internet.
It is absolutely maddening. But it is also the reality of modern business. We need to stop pretending our security perimeter ends at our firewall. In 2025, your perimeter is effectively the security posture of the least competent vendor you’ve granted access to. And if we’re being honest, most organisations haven’t got the foggiest idea who that is.
The Extended Attack Surface Nobody Wants to Own
I was working with a manufacturing client last year—lovely setup, they made bespoke racing helmets. As a motorsport enthusiast, I was in heaven. They had invested millions in internal controls; their factory floor was an air-gapped beauty. But when we started mapping their data flows, the picture got ugly fast.
We found they were piping sensitive customer biometric data—head scans for custom fits—to dozens of suppliers across three continents. Logistics partners, raw material suppliers, 3D printing bureaus. And the kicker? Not one of them had undergone a proper security assessment.
We call this “supply chain risk,” but that sounds too sterile. It’s really “trusting strangers with your crown jewels.” A single vendor with rubbish security practices—like using “password123” on a shared admin account—can undo years of your own hard work.
And let’s not forget the regulators. Between GDPR, DORA (Digital Operational Resilience Act), and the endless stream of US state laws, the legal landscape has shifted. Regulators don’t care that “it was the vendor’s fault.” If you’re the data controller, you’re the one writing the cheque for the fine. I’ve watched companies lose customer trust overnight because of a breach they didn’t cause, but were held responsible for.
Building Something That Actually Works (And Isn’t Just Paperwork)
So, how do you fix this without turning your procurement process into a bureaucratic nightmare? Because I can hear you thinking, “Craig, this sounds like a massive faff.”
You’re not wrong. It is a faff. But it’s a necessary one.
First off, stop treating Third-Party Risk Management (TPRM) as an IT problem. It’s not. It’s a business resilience problem. If you leave this to the tech team, they’ll send out 400-question spreadsheets that nobody reads. You need a squad: Legal to handle the liability clauses, Procurement to enforce the rules before the contract is signed, and Operations to tell you which vendors actually matter.
If you’re looking for a framework, ISO 31000 and NIST SP 800-30 are your bread and butter. But for the love of sanity, don’t just copy-paste them. A financial services firm needs a very different risk model than a healthcare provider or a helmet manufacturer. Adapt it. If you’re a small shop, maybe you don’t need a 50-page assessment for the company that waters the office plants. But you definitely need one for the provider hosting your payroll.
Due Diligence: The “Date Before You Marry” Rule
The biggest mistake I see? Due diligence that stops at a Google search.
Proper vetting is your first line of defence. Before you sign a contract, you need to know who these people are. Have they been breached before? (A surprisingly high number of vendors hide this well). Are they financially stable? A vendor going bust is a security risk—when the money runs out, the patching stops, and the disgruntled employees start looking for data to sell.
You need to ask the hard questions. Do they encrypt data at rest? How do they manage access? Do they even have an incident response plan, or will they just panic when ransomware hits? And don’t just take their word for it. “Yes, we are secure” is not an answer. Evidence is an answer.
And increasingly, you have to look at the ethical side. It sounds a bit woolly, but a vendor with dodgy labour practices or environmental skeletons in the closet is a reputational bomb waiting to go off. If they cut corners on ethics, they’re definitely cutting corners on security.
Risk Scoring: Stop Treating Everyone the Same
Once they’re in, you need to triage. You cannot monitor everyone with the same intensity—you’ll burn out your team in a week.
Tier your vendors.
* Tier 1: The critical ones. If they go down, you go down. (Cloud providers, major logistics, payment processors).
* Tier 2: Important, but you can survive a week without them.
* Tier 3: The folks who supply the office stationery.
Focus your energy on Tier 1. These guys get the deep-dive audits, the penetration test reviews, and the quarterly business reviews. Tier 3 gets a light touch. This isn’t about being lazy; it’s about being effective.
Continuous Monitoring: Because Risk Doesn’t Sleep
Here is the inconvenient truth: a security assessment is a snapshot in time. It tells you that the vendor was secure on Tuesday the 5th of June. It tells you nothing about Wednesday the 6th.
Vendors change. They get acquired by private equity firms who slash budgets. They lose their CISO. They implement a new, buggy API. If you aren’t monitoring continuously, you’re flying blind.
This is where automated tools earn their keep. Use services that monitor the dark web for vendor credentials, or scan their external perimeter for vulnerabilities. Set up alerts for financial distress signals. And crucially, if the lights start flashing red, do something. I’ve seen companies sit on intelligence for months because “switching vendors is too hard.” It’s a lot harder to switch vendors in the middle of a forensic investigation.
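Putting the tiering idea and the "snapshot in time" point together, here is an added worked example (not code from the original post or its author). It scores a vendor register on data sensitivity, access level and business criticality, maps the score to a tier, and then flags any vendor whose last assessment is older than that tier's review cadence. The weights, thresholds, cadences and the four sample vendors are constructed assumptions for illustration; swap in your own risk model.

```python
"""Vendor tiering plus assessment-staleness check.

Added illustration, not the original post's code. The scoring weights,
tier thresholds, review cadences and the vendor register are assumptions
made up for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review cadence per tier: how old an assessment may get before
# it no longer counts as evidence of anything.
REVIEW_CADENCE_DAYS = {1: 90, 2: 365, 3: 730}

# Constructed "today" for the sample run below.
TODAY = date(2025, 6, 6)


@dataclass
class Vendor:
    name: str
    data_sensitivity: int  # 0 none, 1 internal, 2 confidential, 3 regulated/biometric
    access_level: int      # 0 none, 1 read-only portal, 2 API or VPN, 3 privileged/remote admin
    criticality: int       # 0 weeks tolerable, 1 a week, 2 days, 3 business stops within hours
    last_assessed: date


def risk_score(v: Vendor) -> int:
    """Weighted score in 0..24 (assumed weights: data 3, access 3, criticality 2)."""
    return 3 * v.data_sensitivity + 3 * v.access_level + 2 * v.criticality


def tier(v: Vendor) -> int:
    """Map score to tier. Override: regulated data reachable over API/VPN or
    better is Tier 1 even if the business could operate without the vendor,
    because the breach impact is driven by the data, not the outage."""
    score = risk_score(v)
    if score >= 16 or (v.data_sensitivity == 3 and v.access_level >= 2):
        return 1
    if score >= 8:
        return 2
    return 3


def overdue(v: Vendor, today: date = TODAY) -> bool:
    """True when the point-in-time assessment has outlived its tier's cadence."""
    return today - v.last_assessed > timedelta(days=REVIEW_CADENCE_DAYS[tier(v)])


def triage(vendors, today: date = TODAY):
    """Return (name, tier, overdue) rows, riskiest and stalest first."""
    rows = [(v.name, tier(v), overdue(v, today)) for v in vendors]
    return sorted(rows, key=lambda r: (r[1], not r[2]))


# Constructed vendor register (names and dates are made up).
SAMPLE_VENDORS = [
    Vendor("payroll-host", 3, 2, 3, date(2024, 11, 1)),
    Vendor("3d-print-bureau", 3, 1, 2, date(2025, 4, 1)),
    Vendor("hvac-facilities", 0, 3, 1, date(2023, 6, 5)),
    Vendor("office-stationery", 0, 0, 0, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, t, late in triage(SAMPLE_VENDORS):
        status = "REASSESS NOW" if late else "within cadence"
        print(f"Tier {t}  {name:<20} {status}")
```

The sort order is the work queue: Tier 1 vendors with an expired assessment land at the top, the stationery supplier at the bottom. The override in `tier()` is there because a pure weighted sum lets a low-criticality vendor holding regulated data slip into Tier 2, which is exactly the helmet manufacturer's 3D printing bureau problem from earlier in the post.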
Communication: The Bit Everyone Gets Wrong
Please, I beg you, stop sending generic security questionnaires.
When you engage with a vendor on risk, be human about it. Set clear expectations: “Here is our risk appetite. Here is what we need from you to keep this contract.”
If you send a 50-page questionnaire written in legalese, the vendor’s sales guy will just tick “Yes” to everything to get the deal done. Instead, ask for their SOC 2 report, their ISO certificate, or their last pen-test summary. And establish a “Bat-phone” protocol. If they get breached, who do they call? Make sure it’s not a generic info@ email address that nobody checks.
Contracts with Teeth
Your contract is the only stick you have when things go south. If your contract doesn’t explicitly mention security obligations, you have no leverage.
Bake it in. Require them to notify you of a breach within 24 or 48 hours (align this with your GDPR/DORA obligations). Mandate the right to audit. Specify that they must maintain disaster recovery plans. And be clear about the consequences. If their negligence causes a breach, they should be on the hook for the clean-up costs.
Review these contracts. The clause you wrote in 2020 probably doesn’t cover AI data scraping or supply chain ransomware attacks.
The Future: AI and the “Too Hard” Basket
We are seeing a shift. AI is starting to do the heavy lifting on vendor assessments—parsing those boring SOC 2 reports and highlighting the exceptions so you don’t have to read 100 pages of fluff. It’s useful, but it’s not a silver bullet.
Blockchain? People keep trying to make it happen for supply chain transparency. I reckon we’re still a few years off it being practically useful for the average SME. For now, stick to good old-fashioned verification.
The Crux of It
Third-Party Risk Management isn’t about eliminating risk totally. That’s impossible. It’s about not being the low-hanging fruit. It’s about knowing exactly who has your data, why they have it, and what they’re doing to protect it.
Start with your critical vendors. Build the process. Get the Board to understand that “cheapest provider” often means “most expensive data breach.”
It’s not the most glamorous part of security architecture. It’s certainly not as fun as red-teaming or hunting threat actors. But it’s the plumbing that keeps the house from flooding.
Right, I’ve rambled enough. I’m off to find a coffee.
