
Third-Party Risk Management for Growing Companies

Your vendors are your risk. Here's how to assess, tier, and manage third-party security without drowning in questionnaires.

The Vendor That Took You Down

A startup founder shared this story: their payment processor had a breach. Customer card data was exposed—through no fault of their own code. But customers didn't blame the processor. They blamed the startup that chose to use them.

Third-party risk is your risk. Every vendor with access to your data, your systems, or your customers extends your attack surface. And enterprise customers increasingly want proof that you manage this risk systematically.

This guide shows you how to build a third-party risk management program that's thorough enough to satisfy auditors but practical enough to actually use.

  • 62% of breaches involve third parties (Ponemon Institute)
  • 51% of companies experienced a third-party breach (CyberGRX)
  • 5.5 months longer to identify third-party breaches (IBM)

What Is Third-Party Risk Management?

Third-party risk management (TPRM) is the practice of identifying, assessing, and mitigating risks from vendors, suppliers, and partners. It answers three questions:

  • Who are our third parties? — Inventory of all vendors with access to data or systems.
  • What risk do they create? — Assessment of each vendor's security posture and access level.
  • How do we manage that risk? — Controls, contracts, and monitoring to reduce exposure.

The Core Truth

You're only as secure as your least secure vendor with access to sensitive data. A sophisticated security program means nothing if your email marketing tool gets breached and exposes your customer list.

Building Your Vendor Inventory

What Counts as a Third Party?

Definitely Include:

  • Cloud infrastructure (AWS, GCP, Azure)
  • SaaS tools with company data
  • Payment processors
  • Customer support platforms
  • Analytics and tracking tools
  • HR and payroll systems
  • Code repositories and CI/CD

Often Overlooked:

  • Marketing automation tools
  • Sales CRM and outreach tools
  • Design and collaboration tools
  • Background check services
  • Contractors and consultants
  • Open source dependencies
  • Browser extensions (company-wide)

Information to Track

For each vendor, document:

  • Basic Info — Name, contract owner, renewal date, cost
  • Data Access — What data do they have access to?
  • Access Type — Read only? Write? Admin?
  • Integration Method — API, SSO, direct database access?
  • Risk Tier — Critical, High, Medium, Low
  • Last Assessment — When did you last review their security?
  • Compliance Certifications — SOC 2, ISO 27001, etc.

Risk Tiering: Not All Vendors Are Equal

You can't deeply assess every vendor. Tier them by risk to focus effort where it matters:

Tier      | Criteria                                              | Assessment level
Critical  | Customer data, financial systems, core infrastructure | Full security assessment, annual review
High      | Employee PII, internal systems, significant access    | Security questionnaire, SOC 2 review
Medium    | Limited data access, operational tools                | Basic questionnaire, certification check
Low       | No sensitive data, minimal access                     | Terms review, basic due diligence

The 80/20 Rule

Typically 20% of your vendors create 80% of your third-party risk. Identify your critical and high-risk vendors first. A thorough assessment of your top 10 vendors beats a superficial review of all 100.
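The register fields and the tiering table above are easy to keep in a spreadsheet until the vendor count passes a few dozen; at that point it helps to encode the tiering rules and the review cadence so that "who is overdue and who is missing a SOC 2 or DPA" is a query rather than a manual pass. The following is an added example written for this article, not code from the original page or from any product it mentions. The field names, the tier rules (which map data classes, access type and integration method to the four tiers), the review intervals and the five fictional vendors are all assumptions chosen to match the table; adjust them to your own policy.

```python
"""Vendor register with rule-based risk tiering and reassessment scheduling.

Added example, not code from the original article. Field names, tier rules,
review cadences and the sample vendors are assumptions; adapt to your policy.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: how often each tier must be reassessed (days).
REVIEW_INTERVAL_DAYS = {"Critical": 365, "High": 365, "Medium": 730, "Low": 1095}

# Data classes a vendor may hold; membership drives the tier.
CUSTOMER_DATA = {"customer_pii", "payment_card", "customer_secrets"}
EMPLOYEE_DATA = {"employee_pii", "payroll"}

# Date the sample review is run against (constructed, so results are stable).
AS_OF = date(2024, 9, 1)


@dataclass
class Vendor:
    name: str
    owner: str                                        # contract owner
    data_classes: set = field(default_factory=set)    # what data they can access
    access_type: str = "read"                         # read | write | admin
    integration: str = "api"                          # api | sso | database | none
    core_infrastructure: bool = False                 # cloud provider, CI/CD, etc.
    soc2_type2: bool = False                          # current Type II report on file
    dpa_signed: bool = False
    last_assessment: Optional[date] = None


def tier_for(v: Vendor) -> str:
    """Map data access and integration depth to the article's four tiers."""
    if v.core_infrastructure or v.data_classes & CUSTOMER_DATA or v.integration == "database":
        return "Critical"
    if v.data_classes & EMPLOYEE_DATA or v.access_type == "admin":
        return "High"
    if v.data_classes or v.access_type == "write":
        return "Medium"
    return "Low"


def findings(v: Vendor, today: date) -> list:
    """Gaps a reviewer must act on: overdue review, missing SOC 2 or DPA."""
    tier = tier_for(v)
    out = []
    if v.last_assessment is None:
        out.append("never assessed")
    elif (today - v.last_assessment).days > REVIEW_INTERVAL_DAYS[tier]:
        out.append("reassessment overdue")
    if tier in ("Critical", "High") and not v.soc2_type2:
        out.append("no SOC 2 Type II on file")
    if v.data_classes and not v.dpa_signed:
        out.append("DPA not signed")
    return out


def review_register(vendors, today: date):
    """Return (name, tier, findings) rows with the highest-risk vendors first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = [(v.name, tier_for(v), findings(v, today)) for v in vendors]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample register; vendor names are fictional.
SAMPLE = [
    Vendor("PayCo", "finance", {"payment_card", "customer_pii"}, "write", "api",
           soc2_type2=True, dpa_signed=True, last_assessment=date(2023, 1, 10)),
    Vendor("CloudHost", "eng", set(), "admin", "sso", core_infrastructure=True,
           soc2_type2=True, dpa_signed=True, last_assessment=date(2024, 3, 1)),
    Vendor("MailBlast", "marketing", {"customer_pii"}, "write", "api"),
    Vendor("Payroll", "hr", {"employee_pii", "payroll"}, "write", "sso",
           soc2_type2=True, dpa_signed=True, last_assessment=date(2024, 6, 1)),
    Vendor("Whiteboard", "design", set(), "read", "sso",
           last_assessment=date(2022, 1, 1)),
]

if __name__ == "__main__":
    for name, tier, gaps in review_register(SAMPLE, AS_OF):
        print(f"{name:<12} {tier:<9} {', '.join(gaps) or 'ok'}")
```

Two design points carry over to a real register: the tier is derived from the recorded facts rather than typed in by hand, so a vendor that quietly gains access to customer data is promoted automatically when the record is updated; and the shadow-IT tool that marketing signed up for (MailBlast here, never assessed, no SOC 2, no DPA) sorts to the top of the list the moment it is entered.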

The Vendor Assessment Process

1. Pre-Contract Assessment

When: Before signing a contract or granting access.

  • Security Questionnaire — Ask about their security controls and practices.
  • Certification Review — Request SOC 2 report, ISO 27001 certificate.
  • Privacy Review — How do they handle data? DPA required?
  • Reference Check — Any known breaches or security incidents?

2. Ongoing Monitoring

When: Throughout the relationship.

  • Annual Reassessment — Update the questionnaire and review the new SOC 2 report; if the report period has lapsed, ask for a bridge letter covering the gap.
  • Security News Monitoring — Watch for reported breaches or vulnerabilities.
  • Performance Review — Any incidents during the year?
  • Contract Compliance — Are they meeting security commitments?

3. Exit/Offboarding

When: Ending the relationship.

  • Access Revocation — Remove all their access immediately: API keys, OAuth grants, SSO app assignments, VPN and database accounts, IP allowlist entries. Rotate any shared secrets they held.
  • Data Return/Deletion — Get your data back, confirm deletion.
  • Documentation — Record what data they had and confirmation of deletion.

What to Ask in Vendor Assessments

Key Security Questions

Access & Authentication:

  • Do you enforce MFA for all employees?
  • How is customer data access controlled?
  • Do you have privileged access management?
  • What's your employee offboarding process?

Data Protection:

  • Is data encrypted at rest and in transit?
  • Where is data stored (geographic location)?
  • How long do you retain customer data?
  • Can you delete data upon request?

Incident Response:

  • Do you have an incident response plan?
  • What's your breach notification timeline?
  • Have you had any breaches in the past 3 years?
  • Do you have cyber insurance?

Compliance & Audit:

  • Do you have SOC 2 Type II?
  • What other certifications do you hold?
  • When was your last penetration test?
  • Who are your subprocessors?

Contractual Protections

Security assessments tell you about current state. Contracts create ongoing obligations:

  • Security Requirements — Minimum controls they must maintain.
  • Audit Rights — Your right to assess their security or request reports.
  • Breach Notification — Requirement to notify you of incidents. 72 hours is typical, but push for shorter with critical vendors: under GDPR you, as the controller, have 72 hours from becoming aware to notify the supervisory authority, and the vendor's delay eats into that window.
  • Data Handling — How they can use your data (only for service delivery).
  • Subprocessor Approval — Notification or consent for new subprocessors.
  • Data Return/Deletion — What happens to data when the contract ends.
  • Insurance Requirements — Minimum cyber insurance coverage.
  • Indemnification — Liability allocation for breaches.

Contract Reality

Big vendors won't negotiate much. But you can still: (1) read their terms carefully, (2) ensure DPA is signed, (3) document the risk you're accepting, and (4) factor security posture into vendor selection when alternatives exist.

Common Third-Party Risk Mistakes

Mistake 1: One-Time Assessment

Assessing vendors only at onboarding misses changes over time. Vendors get acquired, change practices, or suffer breaches. Reassess critical vendors annually at minimum.

Mistake 2: Trusting Certifications Blindly

SOC 2 doesn't mean "secure." It means an auditor tested the controls the vendor chose to put in scope, over a defined period. Read the report: check the scope and the period covered, the auditor's noted exceptions, and especially the "Complementary User Entity Controls" section, which lists the things YOU must do (such as enforcing MFA and managing your own users) for their controls to hold.

Mistake 3: Forgetting Shadow IT

Your inventory is only useful if it's complete. Marketing signed up for a new tool with customer data? That's a third party. Build a process to capture new vendors as they're onboarded.

Mistake 4: All Assessment, No Action

Finding risks is pointless without remediation. If a vendor fails your assessment, you need to: (1) require remediation, (2) add compensating controls, or (3) find an alternative. Assessment without action is security theater.

Quick Start: Your First Week

Day 1-2: Build Initial Inventory

List all vendors that access company or customer data. Check with finance (who do we pay?), IT (what's connected?), and department heads.

Day 3: Tier by Risk

Categorize each vendor as Critical, High, Medium, or Low based on data access and business impact.

Day 4-5: Assess Top 5

For your 5 highest-risk vendors: Do they have SOC 2? Request the report (vendors usually share it under NDA). Review their security practices.

Day 6-7: Document and Plan

Create your vendor register template. Document assessment findings. Plan ongoing assessment schedule.

Next Steps

Third-party risk management isn't about eliminating vendors—it's about understanding and managing the risk they create. Start with visibility (who are your vendors?), then add assessment (what's their security posture?), then controls (contracts, monitoring, alternatives).

Focus on your critical vendors first. A deep assessment of your top 10 third parties beats a superficial spreadsheet of 100.

Managing vendor risk? vCISO Lite includes vendor risk management with assessment templates, risk tiering, and tracking—so you can demonstrate third-party due diligence to customers and auditors.
