In 2023, the MOVEit Transfer breach cascaded through thousands of organizations—not because their own defenses failed, but because a single vendor's vulnerability became everyone's problem. If you're an IT Security Administrator responsible for managing vendor relationships, the uncomfortable truth is that your attack surface extends far beyond your own infrastructure. Let's break down how to systematically evaluate and monitor third-party risk before it becomes your next incident report.
Why Third-Party Risk Deserves Its Own Program
Most enterprise environments depend on dozens, sometimes hundreds, of third-party vendors—SaaS platforms, managed service providers, cloud hosting, payroll processors, and more. Each one represents a potential ingress point. According to Gartner, 60% of organizations work with over 1,000 third parties, yet fewer than half have a formal vendor risk assessment program.
The challenge isn't just identifying vendors. It's continuously evaluating their security posture and enforcing accountability. A signed BAA or SOC 2 report from two years ago doesn't tell you whether a vendor patched Log4Shell.
Building a Vendor Risk Assessment Workflow
A practical assessment framework includes four phases: discovery, evaluation, contractual enforcement, and continuous monitoring.
1. Discovery: Know Your Vendor Landscape
You can't assess what you don't know about. Start by auditing DNS, firewall logs, and SSO integrations to identify shadow IT and unauthorized SaaS usage.
# Extract unique external domains from proxy logs (Squid example)
awk '{print $7}' /var/log/squid/access.log | \
sed 's|https\?://||;s|/.*||' | sort -u > external_domains.txt
# Cross-reference against your approved vendor list
comm -23 <(sort external_domains.txt) <(sort approved_vendors.txt) > unapproved_vendors.txtThis gives you a starting list of unapproved third parties that your users are actively communicating with.
2. Evaluation: Assess Security Posture
For each vendor, perform both passive and active assessments. Passive reconnaissance with tools like nmap and SSL Labs can reveal a surprising amount about a vendor's hygiene.
# Check a vendor's TLS configuration
nmap --script ssl-enum-ciphers -p 443 vendor-portal.example.com
# Query SSL Labs API for a grade (useful for bulk assessment)
curl -s "https://api.ssllabs.com/api/v3/analyze?host=vendor-portal.example.com&publish=off" | \
jq '.endpoints[0].grade'Combine technical findings with a standardized questionnaire. The SIG (Standardized Information Gathering) questionnaire from Shared Assessments or the CAIQ (Consensus Assessments Initiative Questionnaire) from the Cloud Security Alliance are industry-tested starting points. Weight your questions based on data sensitivity—a vendor processing PHI warrants far deeper scrutiny than one providing office supplies.
3. Contractual Enforcement: Make Security a Requirement
Technical controls mean nothing without contractual teeth. Ensure vendor agreements include:
- Right-to-audit clauses allowing you to perform or commission security assessments
- Breach notification timelines (72 hours or less)
- Data handling and destruction requirements aligned with your classification policy
- Minimum security standards (e.g., encryption at rest using AES-256, MFA for administrative access)
Don't accept vague language. Replace "industry-standard encryption" with specific cipher suites and protocols.
4. Continuous Monitoring: Trust but Verify
Point-in-time assessments decay quickly. Implement ongoing monitoring using tools like SecurityScorecard, BitSight, or open-source alternatives. You can also automate certificate and domain monitoring:
# Monitor vendor SSL certificate expiration with a cron job
echo | openssl s_client -connect vendor-portal.example.com:443 -servername vendor-portal.example.com 2>/dev/null | \
openssl x509 -noout -enddate
# Output: notAfter=Mar 15 12:00:00 2025 GMTFeed vendor risk scores into your SIEM. If a critical vendor's score drops below your threshold, trigger an automated review workflow.
Integrating with Your Broader Security Program
Vendor risk doesn't live in a vacuum. Map each vendor to the data assets and systems they touch using your CMDB. Assign risk tiers—critical, high, medium, low—and calibrate assessment frequency accordingly. Critical vendors should face annual penetration testing reviews and quarterly posture checks.
Final Thought
Third-party risk management is not a checkbox exercise—it's an ongoing operational discipline. The vendors you trust with your data become extensions of your attack surface. Treat them that way. Start with visibility, enforce standards contractually, and never stop monitoring. The next supply-chain breach is a matter of when, not if—and your preparation today determines whether you're the responder or the headline.
Have questions about third-party risk and vendor security assessment? I'm always happy to talk shop — reach out or connect with me on LinkedIn.