Third-Party Risk Management
The Problem with Trust
Every SaaS tool your team adopts extends your attack surface. When a vendor gets breached, your data goes with it. The 2023 MOVEit breach affected over 2,600 organizations because a single managed file transfer product, Progress Software's MOVEit Transfer, had a SQL injection vulnerability that the Cl0p group exploited at scale. The 2023 Okta support-system breach rippled through to customers such as Cloudflare and 1Password. Your security posture is only as strong as your weakest vendor.
Tiered Assessment Framework
Not every vendor deserves the same scrutiny. Build a tiering model based on two dimensions: what data does the vendor access, and how critical is the vendor to business operations?
Tier 1 (Critical) - Vendors with access to customer PII, production infrastructure, or authentication systems. Examples: cloud providers, identity providers, payment processors. Require SOC 2 Type II, penetration test summaries, insurance certificates, and detailed architecture reviews. Reassess annually.
Tier 2 (Important) - Vendors with access to internal data or supporting business-critical functions. Examples: project management tools, CI/CD platforms, monitoring services. Require SOC 2 Type II and a completed security questionnaire. Reassess every two years.
Tier 3 (Standard) - Vendors with minimal data access. Examples: design tools, documentation platforms, expense management. Require basic security posture verification. Self-service questionnaire or trust center review is sufficient.
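The tiering model above can be encoded so that the tier is recomputed from a vendor's current access rather than frozen at procurement time. The following is an added example written for this page, not a tool the page describes. It assumes a small constructed vendor inventory, an access taxonomy with the labels customer_pii, production_infra, auth_systems and internal_data, and a three-year reassessment cadence for Tier 3, which the page does not specify. It flags a vendor when its access has expanded into a stricter tier since the last assessment, or when the reassessment is overdue for its tier.

```python
"""Vendor tiering and reassessment check (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Access labels that put a vendor in Tier 1 / Tier 2 (from the page's tiering model).
TIER1_ACCESS = {"customer_pii", "production_infra", "auth_systems"}
TIER2_ACCESS = {"internal_data"}

# Reassessment cadence in days. Tier 1 and 2 follow the page; the Tier 3
# value is an assumption, since the page gives no cadence for Tier 3.
REASSESS_DAYS = {1: 365, 2: 730, 3: 1095}

TODAY = date(2025, 3, 1)  # fixed "today" so the example is reproducible


@dataclass
class Vendor:
    name: str
    data_access: set        # labels from the access taxonomy above
    business_critical: bool
    assessed_tier: int      # tier assigned at the last assessment
    last_assessed: date


def tier_for(data_access: set, business_critical: bool) -> int:
    """Tier from the two dimensions: data accessed and business criticality."""
    if data_access & TIER1_ACCESS:
        return 1
    if data_access & TIER2_ACCESS or business_critical:
        return 2
    return 3


def review_findings(vendors, today: date) -> list:
    """Return vendors needing attention: scope grew into a stricter tier, or overdue."""
    findings = []
    for v in vendors:
        current = tier_for(v.data_access, v.business_critical)
        due = v.last_assessed + timedelta(days=REASSESS_DAYS[v.assessed_tier])
        reasons = []
        if current < v.assessed_tier:  # lower number = stricter tier
            reasons.append(f"access expanded: tier {v.assessed_tier} -> {current}")
        if today > due:
            reasons.append(f"reassessment overdue since {due.isoformat()}")
        if reasons:
            findings.append({"vendor": v.name, "tier": current, "reasons": reasons})
    return findings


# Constructed inventory for the example.
VENDORS = [
    Vendor("CloudHost", {"production_infra"}, True, 1, date(2024, 1, 15)),
    # Assessed as Tier 3 design tool; it now stores customer PII.
    Vendor("DesignTool", {"customer_pii"}, False, 3, date(2024, 9, 1)),
    Vendor("TicketTracker", {"internal_data"}, True, 2, date(2024, 6, 10)),
    Vendor("ExpenseApp", set(), False, 3, date(2024, 11, 20)),
]


def run_review() -> list:
    return review_findings(VENDORS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['vendor']} (tier {f['tier']}): " + "; ".join(f["reasons"]))
```

CloudHost is flagged because its annual reassessment lapsed in January; DesignTool is flagged because its access now matches Tier 1 even though its Tier 3 review is nowhere near due. The second case is the one a procurement-time-only process misses.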
Vendor Security Reviews in Practice
When evaluating a Tier 1 vendor, go beyond the checkbox. Read the SOC 2 report carefully. Confirm the scope first: which systems, which trust services criteria, and which audit period the report covers; if the period ended more than a few months ago, ask for a bridge letter. Then look at the exceptions section. Check if the auditor noted any control failures. Review the management response. A clean SOC 2 report is good. A SOC 2 report with five exceptions and hand-wavy management responses is a red flag.
Ask for their latest penetration test executive summary. You will not get the full report, but the summary shows scope, severity of findings, and remediation timeline. Ask about their incident response plan and when they last tested it. Ask about their encryption practices, key management, and data retention policies.
Ongoing Monitoring
Point-in-time assessments age quickly. Between annual reviews, monitor vendor risk continuously. Tools like SecurityScorecard, BitSight, and RiskRecon provide outside-in risk ratings based on publicly observable data: exposed services, DNS configuration, certificate management, and known vulnerabilities. Set up alerts for significant score drops. Keep in mind that these ratings only see the vendor's internet-facing footprint and say nothing about internal controls, so treat a score drop as a trigger for a conversation with the vendor, not as an assessment in itself.
Track vendor access continuously too. Use your IdP (Okta, Azure AD, now Microsoft Entra ID) logs to monitor which vendor applications users are signing in to via SSO, and which third-party OAuth applications have been granted API scopes, and how broad those scopes are. Revoke access for vendors no longer in use. Vendors integrated through API keys or service accounts never appear in SSO logs, so inventory those separately. Conduct quarterly access reviews specifically for third-party integrations.
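The quarterly access review described above can be driven from IdP log data. The following is an added example written for this page, not code from the page or from any IdP vendor. It runs over a few constructed JSON-lines events in a simplified, Okta-like System Log shape (the field names, including the top-level scopes list, are assumptions for the example, not Okta's exact schema), aggregates per application, and flags two things: integrations with no successful sign-in in 90 days (revocation candidates) and integrations holding privileged scopes. Which scope names count as privileged is also an assumption.

```python
"""Third-party integration access review from IdP-style logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. Shape is loosely modelled on an IdP system log;
# field names are assumptions for this example, not a real product's schema.
SAMPLE_LOG = """\
{"eventType":"user.authentication.sso","published":"2025-02-20T14:02:11Z","actor":{"alternateId":"alice@example.com"},"target":[{"type":"AppInstance","displayName":"Github"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.sso","published":"2025-02-27T09:30:00Z","actor":{"alternateId":"bob@example.com"},"target":[{"type":"AppInstance","displayName":"Github"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.sso","published":"2024-10-03T16:45:52Z","actor":{"alternateId":"carol@example.com"},"target":[{"type":"AppInstance","displayName":"OldTracker"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"app.oauth2.token.grant","published":"2025-01-12T11:11:11Z","actor":{"alternateId":"svc-etl@example.com"},"target":[{"type":"AppInstance","displayName":"ReportBot"}],"outcome":{"result":"SUCCESS"},"scopes":["okta.users.read","okta.groups.manage"]}
{"eventType":"user.authentication.sso","published":"2025-02-28T08:00:00Z","actor":{"alternateId":"dave@example.com"},"target":[{"type":"AppInstance","displayName":"ExpenseApp"}],"outcome":{"result":"FAILURE"}}
"""

STALE_AFTER = timedelta(days=90)
# Substrings that mark a scope as privileged (assumption for the example).
PRIVILEGED_SCOPE_MARKERS = ("manage", "write", "admin")
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed for reproducibility


def parse_events(log_text: str) -> list:
    """Parse JSON-lines events, keeping only those that target an application."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        app = next((t["displayName"] for t in ev.get("target", [])
                    if t.get("type") == "AppInstance"), None)
        if app is None:
            continue
        events.append({
            "app": app,
            "type": ev["eventType"],
            "when": datetime.fromisoformat(ev["published"].replace("Z", "+00:00")),
            "user": ev["actor"]["alternateId"],
            "ok": ev.get("outcome", {}).get("result") == "SUCCESS",
            "scopes": ev.get("scopes", []),
        })
    return events


def summarize(events: list) -> dict:
    """Per application: last successful event, distinct users, union of granted scopes."""
    apps = defaultdict(lambda: {"last_success": None, "users": set(), "scopes": set()})
    for e in events:
        a = apps[e["app"]]  # failed attempts still register the app as present
        if not e["ok"]:
            continue
        a["users"].add(e["user"])
        a["scopes"].update(e["scopes"])
        if a["last_success"] is None or e["when"] > a["last_success"]:
            a["last_success"] = e["when"]
    return apps


def access_review(log_text: str, now: datetime) -> list:
    """Return (app, finding_kind, detail) tuples for the quarterly review."""
    findings = []
    for app, a in sorted(summarize(parse_events(log_text)).items()):
        last = a["last_success"]
        if last is None or now - last > STALE_AFTER:
            since = last.date().isoformat() if last else "never"
            findings.append((app, "stale", f"no successful auth since {since}"))
        priv = sorted(s for s in a["scopes"]
                      if any(m in s for m in PRIVILEGED_SCOPE_MARKERS))
        if priv:
            findings.append((app, "privileged-scopes", ", ".join(priv)))
    return findings


if __name__ == "__main__":
    for app, kind, detail in access_review(SAMPLE_LOG, NOW):
        print(f"{app}: {kind} ({detail})")
```

Only successful events count as activity, so ExpenseApp, which has a single failed sign-in, is reported as stale alongside OldTracker, while Github drops out of the report because it is in regular use. ReportBot is current but surfaces for its okta.groups.manage scope, which is the kind of grant a reviewer should confirm is still needed.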
Business Continuity Planning
For every Tier 1 vendor, document an exit strategy. What happens if they go down for a week? What happens if they get acquired and change their pricing or terms? Can you export your data? How long would migration to an alternative take? These are not hypothetical questions. They are the questions your leadership will ask during the next major vendor incident, and you need answers ready before that happens.
Key Points
- Vendor security assessments should be proportional to data sensitivity and business criticality. Not every SaaS tool needs a full security review
- SOC 2 Type II reports are the baseline for vendor evaluation, but reading the report matters more than just confirming it exists
- Vendor concentration risk is a real operational threat. If a critical vendor goes down or gets acquired, your recovery plan needs to be more than 'we will figure it out'
- Shadow IT accounts for an estimated 30-40% of enterprise SaaS spending. If you cannot see it, you cannot assess the risk
- Contractual security requirements must be negotiated before signing, not after an incident. Include data handling, breach notification, and right-to-audit clauses
Common Mistakes
- Performing vendor assessments at procurement time and never revisiting them, even as the vendor's access scope changes
- Accepting a SOC 2 report without reading the exceptions and management responses
- Failing to maintain an inventory of all third-party integrations, especially those with API access to production data
- Not including security requirements in vendor contracts and having no contractual leverage after a vendor breach