Trust Your Vendors, Do You?
Organizations increasingly depend on vast ecosystems of third-party vendors, expanding their operational capacity but also their attack surface and risk exposure. This talk challenges trust-by-default approaches to vendor relationships and makes the case for a modern third-party risk management (TPRM) program. We begin by framing why vendor risk matters, then examine real-world breach case studies to illustrate how upstream dependencies and fourth-party links can amplify impact. The session highlights regulatory drivers (NIS2, DORA, and GDPR) and translates them into practical expectations for supply-chain security, continuous oversight, and incident reporting. We analyze the limitations of traditional questionnaires (SIG/CAIQ), which are static, self-reported, and often out of date, and propose a continuous TPRM lifecycle: risk-based vendor tiering, due diligence proportional to criticality, automated external posture monitoring, corrective-action tracking, and secure offboarding.
Participants will leave with actionable items for embedding TPRM into procurement, legal, and IT workflows; strategies for requiring flow-down security obligations in subcontractor chains; and pragmatic steps to start small, demonstrate value, and scale. The result is a repeatable approach that strengthens resilience, improves compliance, and replaces blind trust with verifiable assurance.
Learning Objectives
- Understand and prioritize risk: Explain how third- and fourth-party ecosystems expand the attack surface and regulatory exposure (NIS2, DORA, GDPR), and map key dependencies to prioritize vendor risks.
- Implement a continuous TPRM lifecycle: Apply risk-based tiering, evidence-based due diligence, automated monitoring, corrective-action tracking, and secure offboarding, embedded in procurement and legal workflows.
Learn more about Jan: https://www.sans.org/profiles/jan-dherdt
This session supports concepts from LDR512: Security Leadership Essentials for Managers. To learn more about this course and exp