{"id":15515,"date":"2026-01-21T07:08:14","date_gmt":"2026-01-21T07:08:14","guid":{"rendered":"https:\/\/newestek.com\/?p=15515"},"modified":"2026-01-21T07:08:14","modified_gmt":"2026-01-21T07:08:14","slug":"13-cyber-questions-to-better-vet-it-vendors-and-reduce-third-party-risk","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15515","title":{"rendered":"13 cyber questions to better vet IT vendors and reduce third-party risk"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Increased reliance on IT service providers, digital tools, and third-party software is greatly expanding the enterprise attack surface, with noteworthy cyberattacks over the past year underscoring this fact.\u00a0<\/p>\n<p>In October 2025, Marks &amp; Spencer terminated its longtime helpdesk deal with outsourcing giant Tata Consultancy Services following a cyberattack that cost the British retailer<strong> <\/strong>an estimated <a href=\"https:\/\/www.csoonline.com\/article\/3986579\/aggressive-creative-hackers-behind-uk-breaches-now-eyeing-us-retailers.html\">\u00a3300 million and temporarily shut down its online business.<\/a><\/p>\n<p>In August, a Chinese threat group leveraged <a href=\"https:\/\/www.csoonline.com\/article\/4053891\/what-the-salesloft-drift-breaches-reveal-about-4th-party-risk.html\">compromised OAuth tokens<\/a> from third-party platform Salesloft Drift to exfiltrate sensitive business data\u00a0\u2014 AWS keys, Snowflake tokens, passwords \u2014 from as many as 700 organizations. 
This came on the heels of a wave of attacks in which cybercriminal gang ShinyHunters <a href=\"https:\/\/www.csoonline.com\/article\/4035701\/we-too-were-breached-says-google-months-after-revealing-salesforce-attacks.html\">pretended to be IT support personnel<\/a> to trick users into connecting to malicious versions of Salesforce\u2019s Data Loader, which was then used to exfiltrate data from Salesforce environments. All told, <a href=\"https:\/\/www.csoonline.com\/article\/4067846\/extortion-gang-opens-data-leak-site-to-squeeze-victims-of-its-salesforce-attacks.html\">1.5 billion Salesforce records<\/a> were claimed to have been stolen.<\/p>\n<p>And, back in April, a critical <a href=\"https:\/\/www.csoonline.com\/article\/3971211\/sap-netweaver-customers-urged-to-deploy-patch-for-critical-zero-day-vulnerability.html\">zero-day vulnerability<\/a> in SAP NetWeaver, one of the most widespread incidents involving an ERP platform, illustrated that enterprise software has become a prime target for attackers because their compromise directly impacts the revenue, operations, and reputation of an organization.<\/p>\n<p>\u201cAdversaries continue to exploit the path of least resistance, increasingly targeting third-party providers and human vulnerabilities to bypass technical controls,\u201d says Casey Corcoran, field CISO at Stratascale, the cybersecurity division of SHI International. \u201cBy compromising trusted vendors, attackers can move undetected for longer periods, exploiting established access points across multiple organizations.\u201d<\/p>\n<p>Because these are newer avenues for attack, companies have been caught on their heels. 
\u201cWe don\u2019t have enough preparation or defensive tools to rapidly detect and defend against these attacks, leading to a significant level of risk for lots of companies,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/joswr1ght\/\">Joshua Wright<\/a>, faculty fellow of the\u00a0SANS Institute\u00a0and technical director at Cyber Hack Challenges.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/johnealfordii\/\">John Alford<\/a>, CSO at TeraType, an adviser to pharmaceutical, financial, and SaaS firms on cybersecurity, compliance, audit and AI governance, says legacy mindsets are also to blame.<\/p>\n<p>\u201cMany organizations still defend their environments as if threats march up to the front gate when in reality the most effective attackers slip in through the service corridors that nobody monitors,\u201d Alford says. \u201cThe Marks &amp; Spencer situation proved this: A help desk workflow became a quiet passage into production because it relied on trust by default.\u201d There appeared to be no strong caller verification processes, no step-up checks, and no guardrails on what support staff could change, he adds.<\/p>\n<p>The Salesforce ecosystem breaches demonstrate another common blind spot: Once attackers capture a token or exploit a permissive integration, they gain the full authority of a trusted insider. \u201cCompanies that rely on perimeter controls and MFA alone never see this risk because they are not watching the right places,\u201d Alford says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-csos-role-in-vetting-it-vendors\">The CSO\u2019s role in vetting IT vendors<\/h2>\n<p>Cyber obligations are already written into IT services and SaaS contracts, but \u201cthere are limits to what companies can do,\u201d says <a href=\"https:\/\/www.mayerbrown.com\/en\/people\/l\/lilley-stephen\">Stephen Lilley<\/a>, partner at law firm Mayer Brown. 
\u201cCompanies are unlikely to be able to impose cyber requirements that go beyond what is commonly seen in the relevant market. And even sophisticated companies still experience cyber incidents \u2014 meaning that IT providers, like their customers, are unable to entirely eliminate the risk from these attacks.\u201d<\/p>\n<p>Although risk eradication is not possible, better mitigation is. Here, CSOs can play a crucial role.<\/p>\n<p>\u201cCSOs are uniquely able to see across the full business process \u2014 data flows, dependencies, and downstream impact\u00a0\u2014 but many organizations still don\u2019t use that perspective to reassess third-party risk as reliance grows,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/cisorandygross\/\">Randy Gross<\/a>, CISO for CompTIA. \u201cCross-functional collaboration is a core CSO imperative: partnering early with procurement, legal, IT, and business leaders so security, resilience, and exit risk are designed in, not bolted on.\u201d<\/p>\n<p>When engagements are initiated at the business-unit level or come in below financial approval thresholds, CSOs may not even be aware of them.<\/p>\n<p>\u201cIn many organizations, security leaders are brought in only after a contract is executed or \u2014 worse \u2014 after a security issue arises,\u201d says <a href=\"https:\/\/www.clarkhill.com\/people\/melissa-k-ventrone\/\">Melissa Ventrone<\/a>, leader of law firm Clark Hill\u2019s cybersecurity, data protection, and privacy practice. 
\u201cThey should be involved \u2026 [and] their involvement does not need to slow the contracting process.\u201d<\/p>\n<p>In fact, CSOs can act as a \u201cpragmatic technology advisor\u201d says CompTIA\u2019s Gross, seeking critical information they are uniquely qualified to assess.<\/p>\n<h2 class=\"wp-block-heading\" id=\"vital-vendor-questions-cisos-should-ask\">Vital vendor questions CISOs should ask<\/h2>\n<p>To gain that critical information, security leaders and experts recommend CSOs ask IT partners the following cyber-specific questions.<\/p>\n<h3 class=\"wp-block-heading\" id=\"1-what-attestation-will-you-provide-to-prove-proper-security-controls-are-in-place\">1. What attestation will you provide to prove proper security controls are in place?<\/h3>\n<p>These are essential, says <a href=\"https:\/\/onapsis.com\/leadership\/juan-pablo-perez-etchegoyen\/\">Juan Pablo Perez-Etchegoyen<\/a>, CTO for cybersecurity and compliance platform Onapsis. Some of the most commonly used include:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>SOC 2 Type II Report:<\/strong> considered the gold standard audit for IT and cloud service providers<\/li>\n<li><strong>ISO\/IEC 27001 certification:<\/strong> an international standard for information security<\/li>\n<li><strong>Cloud Security Alliance STAR:<\/strong> a registry specific to cloud providers that combines ISO 27001 with a controls matrix for cloud-related risks<\/li>\n<li><strong>Industry-specific attestations:<\/strong> for example, HIPAA\/HITRUST for handling healthcare data, or PCI DSS for storing or processing credit card data.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"2-how-do-you-maintain-and-update-cybersecurity-controls-over-time-and-how-will-we-be-notified-of-material-changes\">2. 
How do you maintain and update cybersecurity controls over time, and how will we be notified of material changes?<\/h3>\n<p>Would-be clients should have IT partners complete a detailed due diligence questionnaire and contractually obligate them to notify the company of any material changes that would require updates to their responses, advises Clark Hill\u2019s Ventrone.<\/p>\n<p>\u201cAt a minimum, IT vendors should be prohibited from changing security controls that would decrease the security, protection, or resiliency of its systems and company data,\u201d she says.<\/p>\n<h3 class=\"wp-block-heading\" id=\"3-who-on-your-team-is-capable-of-altering-our-identity-posture-and-what-prevents-a-social-engineered-request-from-triggering-that-action\">3. Who on your team is capable of altering our identity posture, and what prevents a socially engineered request from triggering that action?<\/h3>\n<p>CSOs can begin with general access inquiries: what access the provider\u2019s team has to customer systems and data, and how that access is segmented and secured, Stratascale\u2019s Corcoran says. Access should be limited by role, with least privilege enforced and multifactor authentication, single sign-on, and network segmentation in place.<\/p>\n<p>Look for \u201clogged, monitored, and immediately revocable access \u2014 ideally aligned with access control best practices from the NIST RMF function, which emphasizes least privilege and separation of duties,\u201d Corcoran says.<\/p>\n<p>Then CSOs can get specific. \u201cMany clients focus on firewalls, endpoint agents, and MFA while overlooking the trust pathways that attackers prefer to use,\u201d Alford says. 
Help desk workflows, OAuth integrations, supplier support portals, and automation connectors typically get less scrutiny even though they can alter identity states or extract large volumes of data with a single action.<\/p>\n<p>CSOs should look for strictly defined role scopes, multi-step verification, step-up authentication, and approval chains for credential resets. \u201cAnything short of that signals a blind spot that no amount of technical hardening will cover,\u201d says Alford.<\/p>\n<h3 class=\"wp-block-heading\" id=\"4-how-can-we-verify-the-workflows-you-use-when-onboarding-offboarding-or-resetting-access-and-can-you-show-evidence-of-how-these-workflows-performed-last-quarter\">4. How can we verify the workflows you use when onboarding, offboarding, or resetting access, and can you show evidence of how these workflows performed last quarter?<\/h3>\n<p>Many companies underestimate how much operational trust they blindly hand over to providers. IT partners should offer workflow maps, execution logs, and testing records, not just policy documents.<\/p>\n<p>\u201cThe most significant gaps appear in the places people assume are safe. I have seen mature organizations with strong 27001 programs, disciplined PCI controls, and well-run internal security teams fall to issues that lived entirely inside vendor workflows,\u201d Alford notes. \u201cHelp desk resets, poorly scoped automation tokens, and inherited admin rights all surfaced in post-incident reviews as quiet pathways that no one had modeled.\u201d<\/p>\n<p>Risk assessments should focus not just on servers and networks but identity workflows and human-operated processes as well. \u201cWhen you widen the lens, you often discover controls that look strong on paper but behave differently in practice,\u201d Alford says.<\/p>\n<h3 class=\"wp-block-heading\" id=\"5-what-independent-testing-do-you-conduct-and-how-often-is-it-performed\">5. 
What independent testing do you conduct, and how often is it performed?<\/h3>\n<p>IT partners should have a third party run security tests and assessments, and provide copies or executive summaries of these vulnerability scans, penetration tests, and other audits at least annually and whenever there are material changes to their network, infrastructure, or security controls, Clark Hill\u2019s Ventrone says.<\/p>\n<p>ThreatLocker CEO <a href=\"https:\/\/www.linkedin.com\/in\/dannyjenkinscyber\/\">Danny Jenkins<\/a> stresses frequency: \u201cThreats are always evolving, so a\u00a0once-a-year audit\u00a0is not sufficient. All systems should be undergoing regular penetration testing and improvement.\u201d\u00a0<\/p>\n<h3 class=\"wp-block-heading\" id=\"6-can-you-list-every-oauth-integration-and-privileged-api-relationship-in-your-service-and-explain-how-each-is-scoped-rotated-monitored-and-revoked\">6. Can you list every OAuth integration and privileged API relationship in your service and explain how each is scoped, rotated, monitored, and revoked?<\/h3>\n<p>\u201cOAuth integrations are often treated as harmless conveniences rather than high-privilege conduits,\u201d Alford explains. \u201cIn reality, they function like a network of forgotten tunnels. They bypass the front gate entirely and connect systems deep inside the environment.\u201d<\/p>\n<p>Companies should ask service partners to provide a token inventory, minimal scopes, finite lifetimes, and behavioral monitoring. Broad or permanent tokens are red flags, signaling elevated risk.<\/p>\n<h3 class=\"wp-block-heading\">7. If an attacker abused one of your processes <em>without<\/em> breaching your systems, what are your contractual and operational commitments?<\/h3>\n<p>\u201cThese agreements often hand providers the practical ability to alter identity states, access sensitive data, or operate parts of the production environment. 
That level of delegated trust deserves the same scrutiny as hiring a senior operations leader,\u201d says Alford. \u201cWhen providers can reset passwords or manage OAuth integrations, the contract becomes a control document. It defines how risk will be shared and what evidence the client can demand.\u201d<\/p>\n<p>Without CSO involvement, contractual clauses are usually weak. \u201cThey focus on uptime rather than security, and they rarely require the provider to support strong authentication, tamper-evident logging, or event-level transparency,\u201d Alford adds. Clients should insist on obligations tied to process compromise, not just system compromise.<\/p>\n<h3 class=\"wp-block-heading\" id=\"8-what-controls-govern-your-staffs-activity-in-our-environment-and-how-would-we-detect-if-a-privileged-session-deviated-from-expected-behavior\">8. What controls govern your staff\u2019s activity in our environment, and how would we detect if a privileged session deviated from expected behavior?<\/h3>\n<p>\u201cModern attacks flow through trust relationships and soft operational processes,\u201d Alford points out. \u201cThey exploit the places where no one expects danger \u2014 like help desks.\u201d<\/p>\n<p>As a result, controls on vendor staff behavior and detection of deviations are critical. Companies should insist on session recording, real-time alerts, and segregation of duties, Alford advises.<\/p>\n<p>\u201cRapid detection and revoking access can make all the difference in an incident,\u201d Onapsis\u2019 Perez-Etchegoyen adds. Continuous application-level monitoring, clear incident response procedures, and the ability to immediately disable users or integrations are key.<\/p>\n<h3 class=\"wp-block-heading\" id=\"9-how-will-you-isolate-our-assets-and-data-from-other-customers-including-identity-separation-automation-boundaries-and-admin-segregation\">9. 
How will you isolate our assets and data from other customers \u2014 including identity separation, automation boundaries, and admin segregation?<\/h3>\n<p>CSOs should seek architectural clarity and concrete mechanisms that limit blast radius, says Alford. They should also ask how the IT partner manages the cybersecurity risks posed by its own value chain of vendors and subcontractors.<\/p>\n<p>\u201cIT partners should have a robust vendor management program and conduct appropriate due diligence on their own service providers,\u201d advises Ventrone.<\/p>\n<h3 class=\"wp-block-heading\" id=\"10-how-quickly-will-you-notify-us-of-a-security-incident-that-impacts-our-data-or-systems\">10. How quickly will you notify us of a security incident that impacts our data or systems?<\/h3>\n<p>\u201cThe biggest gains come from simple steps,\u201d says CompTIA\u2019s Gross, including gaining clarity on how incidents are disclosed and outages are handled.<\/p>\n<p>CSOs should look for guaranteed notification within 24 to 72 hours, a tested incident response plan, and clearly defined breach reporting timelines and responsibilities written into the contract, says Stratascale\u2019s Corcoran.<\/p>\n<p>When an incident occurs, \u201cIT partners should provide customers with sufficient information to perform their own threat analysis,\u201d Alford says. \u201cIf an IT partner doesn\u2019t provide the insight needed to identify attacks against their customers, then customer organizations can only rely on the detection and reporting capabilities of the hosting provider.\u201d<\/p>\n<h3 class=\"wp-block-heading\" id=\"11-how-do-you-identify-prioritize-and-remediate-vulnerabilities\">11. How do you identify, prioritize, and remediate vulnerabilities?<\/h3>\n<p>Review of IT partners\u2019 patching policies and remediation timelines should never be overlooked, as many cyberattacks exploit known vulnerabilities. 
\u201cSlow patch cycles lead to supply chain disruptions, business operational issues, and even bankruptcy in some cases,\u201d says Perez-Etchegoyen, who emphasizes SLAs related to critical patches and proof that fixes are validated.<\/p>\n<p>Ventrone gives the example of a company that outsourced firewall management to a vendor. After a vulnerability in the firewall was exploited, the vendor ended up restoring the vulnerable version, resulting in a second compromise. In another example, a client found out that its IT partner, which had experienced a ransomware attack through its VPN, patched just once a month.<\/p>\n<p>\u201cI literally could not believe this was considered sufficient,\u201d Ventrone says.<\/p>\n<h3 class=\"wp-block-heading\" id=\"12-do-you-carry-enough-cyber-insurance-to-cover-the-impact-to-all-your-customers\">12. Do you carry enough cyber insurance to cover the impact to all your customers?<\/h3>\n<p>\u201cWe\u2019re going to see a lot more attacks against SaaS providers,\u201d says SANS Institute\u2019s Wright. \u201cAttackers have lots of motive here since the access obtained when a SaaS provider is compromised is significant, with lots of subsequent opportunity for ransomware, extortion, and direct harassment attacks against customers.\u201d<\/p>\n<p>Ventrone says clients should confirm their provider\u2019s policy covers not only themselves but the full impact of a multi-customer incident.<\/p>\n<h3 class=\"wp-block-heading\" id=\"13-can-we-test-your-processes\">13. Can we test your processes?<\/h3>\n<p>Attestations regarding cybersecurity testing and monitoring \u2014 such as regular penetration testing, 24\/7\/365 security monitoring, threat hunting \u2014 are essential, Wright says.<\/p>\n<p>But Alford recommends going a step further. \u201cLots of firms do questionnaire-based reviews that confirm policies exist but rarely test how provider processes work in practice. They assume a support vendor has strong verification steps. 
They assume an integration partner follows least privilege. They assume a SaaS platform has adequate logging for delegated access,\u201d says Alford, warning against presumptions.<\/p>\n<p>\u201cVerification through evidence, realistic scenarios, and process testing changes everything,\u201d he says. \u201cIt exposes where risk actually lives and gives you the ability to design controls that match how attackers think rather than how documentation reads.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"ongoing-diligence-necessary\">Ongoing diligence necessary<\/h2>\n<p>\u201cRecent incidents underscore that many organizations are not adequately managing third-party risk over the full lifecycle of their IT provider relationships,\u201d notes Clark Hill\u2019s Ventrone, adding that too often due diligence is treated as a one-time exercise, with insufficient ongoing oversight to ensure that security controls and procedures remain appropriate as systems evolve.<\/p>\n<p>Stratascale\u2019s Corcoran also notes that cyber due diligence often falls through the cracks. \u201cMany client organizations still fall short in managing third-party risk because it\u2019s often treated as a collateral duty, split between procurement and general risk functions rather than a dedicated, optimized process,\u201d he says. 
\u201cAs a result, business stakeholders remain unsatisfied and critical risks go unmitigated, even as attackers increasingly exploit weaker links in the supply chain.\u201d<\/p>\n<p>Increasingly, partners in the IT ecosystem are being seen by cybercriminals to be those weaker links.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Increased reliance on IT service providers, digital tools, and third-party software is greatly expanding the enterprise attack surface, with noteworthy cyberattacks over the past year underscoring this fact.\u00a0 In October 2025, Marks &amp; Spencer terminated its longtime helpdesk deal with outsourcing giant Tata Consultancy Services following a cyberattack that cost the British retailer an estimated \u00a3300 million and temporarily shut down its online business. In&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15515\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15515","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15515"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15515\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}