Episode 198: Vendor Risk and Supply Chain Considerations (Domain 5)

A growing portion of cybersecurity risk now comes from outside the organization—specifically, through third-party vendors, suppliers, and service providers. In this episode, we examine how to assess and manage vendor risk across the full lifecycle, starting with due diligence during procurement and continuing through onboarding, monitoring, and offboarding. We explore how to evaluate vendors based on their security policies, compliance certifications, breach history, and contract terms—especially service-level agreements (SLAs) and right-to-audit clauses. Supply chain security goes beyond software and hardware providers—it includes contractors, cloud services, and even logistics partners whose failure could impact business operations. We also cover how to tier vendors by criticality, apply targeted controls, and track third-party risks through assessments and questionnaires. When you extend your network to a vendor, you extend your risk—and smart organizations manage it proactively.