The Expanding Vendor Ecosystem: Opportunities and Risks
The increasing reliance on third-party vendors for critical services, from cloud storage to data management and security, has coincided with a surge in supply chain attacks. The number of reported software supply chain attacks in the US in 2024 was significantly higher than in 2023, with 296,688 individuals and organizations impacted. This evolving threat landscape has made it increasingly difficult for organizations that rely on third-party vendors to maintain a strong security posture.
According to Cassie Crossley, VP, Supply Chain Security at Schneider Electric, and David London, Managing Director at Chertoff Group, there are both opportunities and risks within this growing vendor ecosystem.
Opportunities
Vendors offer access to cutting-edge technologies, specialized capabilities, and deep expertise. They can also deliver faster time to market, greater flexibility, and clearer accountability. Furthermore, advanced technologies such as AI give organizations powerful new tools to mitigate supply chain risk.
Crossley explained that new risk management services leverage AI and agentic AI (agent-based AI tools) to quickly identify and analyze open source intelligence. These tools evaluate results, answers, and historical data in minutes, tasks that previously took humans far longer to complete. As Crossley noted, most information about supply chain and vendor security is unstructured data; AI lets organizations train a system to surface the content most relevant to decision-makers for their products, so that this unstructured data can be assessed quickly.
London pointed out that the growing regulatory burden surrounding supply chain risk and visibility presents both opportunities and risks. On the positive side, “Organizations are compelled to pay close attention to their supply chains—not only from a security and resilience standpoint but also from a compliance perspective. This can create new expenditures, but it also reduces risk,” London stated.
The expansion of the vendor ecosystem, while presenting inherent risks, also offers organizations significant opportunities to leverage specialized expertise and cutting-edge technologies. By embracing innovative solutions like AI and prioritizing supply chain visibility, organizations can navigate this complex landscape.
Risks
London explained that the downside of growing regulatory expectations is that organizations can face rules that are burdensome and not necessarily aligned with actual risk. This can lead to wasted resources and a false sense of security. Where government and the private sector can coalesce around common-sense standards, risk-informed regulation is more likely.
Increased visibility into the tools and products organizations use is another challenge, because the same information is available to attackers. For example, Crossley stated that the likelihood of someone knowing who uses a vendor such as CrowdStrike today is higher than it was years ago. Previously, this information wasn't readily available; now, reports, research articles, press releases, job postings, and data breach disclosures reveal which vendors an organization depends on.
Attackers gather additional information with numerous scanning tools, which make it easy to identify the prevalent open source software running on exposed platforms. As soon as a new CVE (Common Vulnerabilities and Exposures entry) is published for a vulnerability, threat actors use that data to develop exploits against the systems known to run the affected component. Keeping up with threat actors who exploit open source software to attack supply chains and vendors is therefore a significant challenge: defenders need to know which components they and their vendors run, and match that inventory against new advisories at least as fast as attackers do.
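The defender's side of that race is an inventory-to-advisory match: take a software bill of materials (SBOM) for a product or vendor platform and check each component against the affected version ranges in an advisory feed. The script below is an added example, not code from the article or from any vendor named in it. The CycloneDX-shaped SBOM, the package names and the advisory entries are all constructed for illustration, and the `ADV-000x` ids are placeholders standing in for real CVE identifiers; the version logic also goes slightly beyond the text by handling the "no fix released yet" case.

```python
"""Match a CycloneDX-style SBOM against an advisory feed.

Added example for this article; it is not code from the article or from
any vendor named in it. The SBOM, the package names and the advisory
entries below are constructed for illustration, and the advisory ids are
placeholders standing in for real CVE identifiers.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON shape (assumed field layout).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.3.1",
         "purl": "pkg:pypi/examplelib@2.3.1"},
        {"type": "library", "name": "widgetparser", "version": "1.0.0",
         "purl": "pkg:npm/widgetparser@1.0.0"},
        {"type": "library", "name": "netutil", "version": "4.1.0",
         "purl": "pkg:golang/example.com/netutil@4.1.0"},
    ],
})

# Constructed advisory feed. "fixed": None means no fixed release exists yet,
# so every version from "introduced" onward is affected.
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "pypi", "package": "examplelib",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-0002", "ecosystem": "npm", "package": "widgetparser",
     "introduced": "0.9.0", "fixed": "1.0.0"},
    {"id": "ADV-0003", "ecosystem": "golang", "package": "example.com/netutil",
     "introduced": "4.0.0", "fixed": None},
]


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) for tuple comparison.

    Caveat: pre-release suffixes are dropped, so '2.3.2rc1' compares equal
    to '2.3.2' and would be treated as fixed. A production matcher should
    apply the ecosystem's own version rules (PEP 440, semver, Go modules).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_purl(purl):
    """Extract (ecosystem, package name, version) from a package URL.

    The name may itself contain slashes (Go module paths), so match up to
    the '@' that introduces the version.
    """
    match = re.match(r"pkg:([^/]+)/([^@]+)@([^?#]+)", purl)
    if not match:
        raise ValueError("unrecognised purl: " + purl)
    return match.group(1), match.group(2), match.group(3)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, or when no fix exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that applies."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        ecosystem, name, version = parse_purl(component["purl"])
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"] or "no fix available",
                })
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run against the constructed data, the matcher flags `examplelib` (inside the affected range) and `netutil` (no fix yet, so the finding needs a mitigation rather than an upgrade) while clearing `widgetparser`, whose version equals the fixed release. The same loop works over a vendor-supplied SBOM, which is the practical reason to require SBOM delivery in the contract.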
Identifying Common Vendor-Related Security Gaps
Organizations' dependence on vendors has increased significantly, as London noted. This is due to consolidation within the vendor ecosystem and a corresponding reliance on that ecosystem. A ransomware attack or data breach at a third-, fourth-, or even fifth-tier vendor can cascade upward through the chain and impact the primary organization. Because supply chain security is multi-faceted, “Organizations should consider their supply chain risk across physical, enterprise, and product/software environments,” London stated.
Another significant vendor security gap is the disparity between suppliers who have both Information Security and product security programs and those who do not. This difference is drastic, “Especially if the supplier is not an enterprise-sized company and doesn't have the cybersecurity resources dedicated to the products or services they're supplying,” Crossley noted.
A few more common vendor gaps:
Lack of Visibility: Visibility into a third-party supplier's security practices is limited to what the contract requires the supplier to disclose, and it worsens with fourth- and fifth-tier vendors. For example, if a contract only requires a supplier to report the risks it detects itself, but not risks identified by its own suppliers, the organization's visibility is severely limited.
Inadequate Due Diligence: Some organizations do not assess a vendor's security posture before onboarding it as a supplier. This lack of due diligence is a significant security gap. Before bringing any vendor on board, organizations should assess its security posture and consider whether it meets criteria such as ISO 27001 or SOC 2 compliance. Failing to properly vet vendors leaves organizations exposed to security risks introduced by a vendor's potentially weak security practices.
Lack of Contractual Security Requirements: A major vendor security gap is the lack of robust contractual security requirements. Organizations often lack visibility into their suppliers' supply chains, meaning they are unaware of the security practices of these downstream vendors. “Contracts must include clauses ensuring transparency into these relationships," Crossley stated. While organizations are increasingly adding data security and cybersecurity addendums to new contracts, a challenge remains with legacy vendors who haven't signed on to these updated terms. “This backlog creates a significant vulnerability for organizations that lack the resources to update all existing contracts,” London noted.
Building a Secure Supply Chain Through Vendor Management
Rinki Sethi, VP & CISO at BILL, along with other panelists, discussed building a secure supply chain in an RSAC 2023 virtual seminar. Sethi emphasized the need for a comprehensive vendor management program encompassing a risk assessment framework, a regularly updated data map of all third-party vendors, and adherence to industry standards. Effective onboarding/offboarding processes are crucial for ensuring data protection even when suppliers change. A holistic business continuity plan must consider third-party risks and compliance with relevant regulations.
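The data map Sethi describes is only useful if it can answer the cascade question raised earlier: if a fourth- or fifth-tier vendor is hit by ransomware, who upstream is affected, and which deep suppliers sit under several of our tier-1 relationships at once? The script below is an added example, not code from the article or from any of the panelists. The organization names and the dependency map are constructed; `acme` stands in for the primary organization, and the map is assumed to list each organization's direct suppliers.

```python
"""Tiering, blast radius and concentration over a third-party data map.

Added example for this article; not code from the article or its
panelists. The organization names and dependency map are constructed;
'acme' stands in for the primary organization.
"""
from collections import deque

# Constructed data map: organization -> the suppliers it directly depends on.
# Tier 1 = direct suppliers of the primary organization, tier 2 = their
# suppliers, and so on. Shared suppliers and cycles are allowed.
VENDOR_MAP = {
    "acme": ["cloudco", "payproc", "hrsaas"],
    "cloudco": ["dnsprov", "hwvendor"],
    "payproc": ["cloudco", "fraudapi"],
    "hrsaas": ["payroll-engine"],
    "payroll-engine": ["cloudco"],
    "fraudapi": ["mlhost"],
    "mlhost": ["dnsprov"],
    "dnsprov": [],
    "hwvendor": [],
}


def vendor_tiers(vendor_map, primary):
    """Breadth-first search from the primary organization; an organization's
    tier is its shortest supplier distance, so a supplier reached both
    directly and through another vendor is tier 1."""
    tiers = {primary: 0}
    queue = deque([primary])
    while queue:
        org = queue.popleft()
        for supplier in vendor_map.get(org, []):
            if supplier not in tiers:
                tiers[supplier] = tiers[org] + 1
                queue.append(supplier)
    return tiers


def blast_radius(vendor_map, compromised):
    """Every organization that depends on `compromised`, directly or
    transitively: the set an incident there can cascade to."""
    reverse = {}
    for org, suppliers in vendor_map.items():
        for supplier in suppliers:
            reverse.setdefault(supplier, set()).add(org)
    affected, queue = set(), deque([compromised])
    while queue:
        vendor = queue.popleft()
        for dependant in reverse.get(vendor, ()):
            if dependant not in affected:
                affected.add(dependant)
                queue.append(dependant)
    return affected


def reachable(vendor_map, start):
    """All suppliers below `start`, at any depth."""
    seen, stack = set(), [start]
    while stack:
        org = stack.pop()
        for supplier in vendor_map.get(org, []):
            if supplier not in seen:
                seen.add(supplier)
                stack.append(supplier)
    return seen


def concentration(vendor_map, primary):
    """For each supplier, the tier-1 suppliers whose chains include it.
    A deep supplier that appears under several tier-1 relationships is a
    concentration risk: one incident cascades along multiple paths, and it
    is a natural target for an nth-tier transparency clause."""
    result = {}
    for tier1 in vendor_map.get(primary, []):
        for supplier in reachable(vendor_map, tier1) | {tier1}:
            result.setdefault(supplier, set()).add(tier1)
    return result


if __name__ == "__main__":
    tiers = vendor_tiers(VENDOR_MAP, "acme")
    for org, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {org}")
    print("blast radius of dnsprov:", sorted(blast_radius(VENDOR_MAP, "dnsprov")))
    for supplier, roots in concentration(VENDOR_MAP, "acme").items():
        if len(roots) > 1:
            print(f"{supplier} sits under {len(roots)} tier-1 suppliers: {sorted(roots)}")
```

On the constructed map, `dnsprov` is only a tier-2 supplier, yet it sits under all three of `acme`'s tier-1 relationships, so an outage there reaches `acme` through every one of them. That is the consolidation effect London describes, and it is invisible in a data map that stops at direct suppliers.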
In an RSAC 2023 podcast, Matthew Titcombe, CEO at Peak InfoSec, explained that a cybersecurity maturity model certification such as CMMC, which draws its controls from NIST SP 800-171 (the federal framework of security controls for protecting controlled unclassified information in nonfederal systems), can validate a vendor's security posture. Organizations should consult NIST's Cybersecurity Supply Chain Risk Management (C-SCRM) guidance, NIST SP 800-161, for more on how to protect their supply chain.
In another RSAC 2023 podcast, Diana Kelley, CISO at Protect AI, noted that “While trusting and verifying vendors is important, organizations must also have their own backup and recovery plans in case a third-party vendor experiences downtime.” Organizations should also implement Zero Trust and have good, detailed contracts not only with their direct suppliers but also with their fourth- and fifth-tier suppliers.
Crossley echoed that concern: “If cybersecurity is so vital to the supplier process, organizations must dedicate resources to understanding their suppliers' security hygiene.” Organizations with strong internal security postures but little insight into their suppliers' practices need to start asking questions now.
To read more on how to protect your company from supply chain attacks, download NRF's report, provided by London, and visit our library.