Trust Your Vendors, Do You?

SANS Institute
Apr 24, 2026

Why It Matters

Effective third‑party risk management is critical to prevent costly breaches, meet tightening regulations, and preserve customer trust in an increasingly interconnected digital economy.

Key Takeaways

  • Vendor ecosystems expand the attack surface, driving a surge in third‑party breaches.
  • 77% of recent breaches trace back to vendor vulnerabilities.
  • High‑privilege vendors, such as MSP tools, amplify risk across multiple clients at once.
  • Regulations (GDPR, NIS2, DORA) mandate robust third‑party risk programs.
  • Static questionnaires are insufficient; continuous, automated vendor security monitoring is needed.

Summary

The webcast hosted by veteran CISO Yan focused on the escalating challenge of third‑party risk management in today’s hyper‑connected enterprises. He outlined how reliance on thousands of external vendors expands the attack surface and why organizations must rethink traditional oversight.

Yan cited striking data: 55% of firms reported a breach over three years, rising to 70% this year, and 77% of incidents originated from a vendor. Reports from industry analysts show third‑party vectors account for 35.5% of breaches and 41% of ransomware attacks, with average remediation costs near $4.8 million.

Real‑world cases underscored the threat. The 2020 SolarWinds supply‑chain hack injected malicious code via a legitimate update, compromising countless Fortune 500 companies. A later attack on the VSA remote‑management tool gave ransomware gangs access to hundreds of MSP customers. Yan also highlighted regulatory pressure from GDPR, NIS2 and the EU’s DORA, which now require formal supply‑chain security assessments and incident reporting.

The speaker warned that static questionnaires are no longer adequate. He advocated continuous, automated monitoring, risk‑scoring and tighter controls on high‑privilege vendors. Aligning TPRM programs with emerging regulations is not just compliance—it is essential for protecting brand reputation, avoiding multi‑million‑dollar penalties, and sustaining business continuity.

Original Description

Organizations increasingly depend on vast ecosystems of third‑party vendors, expanding their operational capacity—but also their attack surface and risk exposure. This talk challenges trust‑by‑default approaches to vendor relationships and makes the case for a modern third‑party risk management (TPRM) program. We begin by framing why vendor risk matters, then examine real‑world breach case studies to illustrate how upstream dependencies and fourth‑party links can amplify impact. The session highlights regulatory drivers—NIS2, DORA, and GDPR—and translates them into practical expectations for supply‑chain security, continuous oversight, and incident reporting. We analyze the limitations of traditional questionnaires (SIG/CAIQ), which are static, self‑reported, and often out of date, and propose a continuous TPRM lifecycle: risk‑based vendor tiering, due diligence proportional to criticality, automated external posture monitoring, corrective‑action tracking, and secure off‑boarding.
Participants will leave with actionable items to embed TPRM into procurement, legal, and IT workflows; strategies to require flow‑down security in subcontractor chains; and pragmatic steps to start small, demonstrate value, and scale. The result is a repeatable approach that strengthens resilience, improves compliance, and replaces blind trust with verifiable assurance.
Learning Objectives
- Understand and prioritize risk: Explain how third‑ and fourth‑party ecosystems expand the attack surface and regulatory exposure (NIS2, DORA, GDPR), and map key dependencies to prioritize vendor risks.
- Implement a continuous TPRM lifecycle: Apply risk‑based tiering, evidence‑based due diligence, automated monitoring, corrective‑action tracking, and secure off‑boarding—embedded in procurement and legal workflows.
This session supports concepts from LDR512: Security Leadership Essentials for Managers. To learn more about this course and explore upcoming sessions, visit https://go.sans.org/fqnpkP
#TPRM #SecurityLeadership #Vendor #CISO