Organizations increasingly depend on vast ecosystems of third-party vendors, expanding their operational capacity—but also their attack surface and risk exposure. This talk challenges trust-by-default approaches to vendor relationships and makes the case for a modern third-party risk management (TPRM) program. We begin by framing why vendor risk matters, then examine real-world breach case studies that illustrate how upstream dependencies and fourth-party links can amplify impact. The session highlights regulatory drivers—NIS2, DORA, and GDPR—and translates them into practical expectations for supply-chain security, continuous oversight, and incident reporting. We analyze the limitations of traditional questionnaires (SIG/CAIQ), which are static, self-reported, and often out of date, and propose a continuous TPRM lifecycle: risk-based vendor tiering, due diligence proportional to criticality, automated external posture monitoring, corrective action tracking, and secure offboarding.