6.3. Third-Party Risk Management
First Principle: Your security is only as strong as your weakest vendor. When you share data with a third party, grant them network access, or depend on their service, their security posture becomes part of yours. The SolarWinds and Kaseya attacks demonstrated that a trusted vendor can be the most devastating attack vector.
What breaks without third-party risk management? You encrypt your data, harden your systems, train your employees, and then your payroll provider stores employee SSNs in an unencrypted database that gets breached. Your security perimeter extends to every vendor that touches your data or your network. If you don't assess and monitor their security, you have a blind spot in your risk posture.
Unlike internal risks (which you control directly), third-party risks require contracts, assessments, and monitoring because you can't dictate another organization's security operations. You can only verify, require, and monitor, which makes the contractual framework critical.
