Third-party technology tools promise efficiency, scale and all the digital bells and whistles execs need to keep productivity humming and power growth—but not all tools are created equal. Cloud platforms, SaaS productivity suites, niche workflow apps and industry-specific managed services can all introduce unseen risk when they plug into core systems. However, in many companies, third-party risk management continues to fly under the radar—even though 30% of enterprise data breaches involve a third party.
From misaligned encryption standards and unclear data flows to vendors that treat compliance like a box-checking exercise, there are significant risks that can come with working with third-party vendors and SaaS tools. As experts in enterprise cybersecurity strategies, data breach prevention, risk management and regulatory compliance, the members of the Senior Executive Cybersecurity Think Tank know that to operate on trust when working with tech vendors is to court disaster. Below, three of them share the details to dig into before entering into a partnership with a third-party vendor or software provider.
Ensure Any New Solution Has Been Built With Security in Mind
Eoin Keary, CEO of Edgescan Inc., says that, at minimum, a new solution should not introduce additional risk to an organization. He says executives should start with one core question: Was this product built with security in mind? To make that determination, he stresses the importance of digging into how the vendor develops, tests and maintains its product.
“Executives should ask what compliance standards are followed and—importantly—how data is stored, contained and transferred,” Keary says.
He stresses that leaders should ask for solid documentation, noting that vendors should be ready to produce evidence, not just vague reassurances.
“Third-party vendors should easily be able to provide documentation, validated by a separate third party, regarding recent penetration tests and technical security controls surrounding the solution, including compliance, development and ongoing security controls.”
Keary also urges executives to verify how vendors treat disaster scenarios. These questions reveal whether the vendor treats security as a foundational requirement or an afterthought bolted on during a sales cycle.
“They should be able to guarantee data security and data sovereignty, encryption standards, and disaster recovery and backup procedures,” Keary asserts.
Set Clear Expectations Before Signing on the Dotted Line
Leah Dodson, Founder of Piqued Solutions, believes many companies get third-party risk backward. She says that instead of learning about the security standards and practices vendors follow after the sale, leaders should establish expectations before any partnership begins.
“Executives set the tone for security by establishing clear, nonnegotiable expectations before the partner onboarding process,” Dodson says.
She notes that the vetting process should cover the vendor’s encryption standards and access controls and verify that incident response policies are aligned with the organization’s internal governance framework (indeed, the essential first step for many companies may be creating an internal governance framework; 48% of companies don’t have one).
Getting these requirements on the table early eliminates ambiguity and prevents misalignment from sneaking into the partnership. From there, Dodson says leaders should evaluate how the vendor’s systems fit into their existing stack.
“Assess how the vendor’s work fits within your environment, how their systems integrate and what safeguards are built into their operations,” she says.
Dodson also encourages executives to look for signs of a disciplined security posture. “Look for maturity in terms of how they manage updates, control access, monitor for threats and respond to incidents.”
Executives who are upfront about what they demand won’t faze responsible vendors, who will welcome the chance to build a strong, scalable and long-term partnership.
“Clear requirements reduce friction, strengthen compliance alignment and create more secure, sustainable partnerships,” Dodson says.
Treat Security as a Shared Responsibility, Not Fine Print
For Maman Ibrahim, Founder of Ginkgo Resilience LTD, understanding a vendor’s security posture begins with asking the right questions—and lots of them. He believes a vendor’s answers reveal whether they view security as a joint responsibility or simply a contractual checkbox.
“Executives should ask a lot of questions, including, ‘What data do you collect, store or process on our behalf? Where is it stored, and who has access?’” Ibrahim says. These questions surface the power dynamics behind data handling and clarify whether the vendor has visibility into and control of their own environment.
Ibrahim also urges leaders to probe deeper into the vendor’s security operations by asking about encryption, backup and incident response protocols, as well as how often the vendor conducts security testing. And he shares an essential follow-up question about that testing: “Will you share results?” Transparency here is critical. Any hesitancy to provide details—or to share testing results—should raise an immediate red flag.
Ibrahim emphasizes the importance of mapping the vendor’s supply chain as well; layers of dependency can be an unseen vulnerability.
“Ask, ‘Do you vet your own third parties, and how deep does your supply chain go?’” he counsels. “Further, ask, ‘Who owns security accountability on your side?’”
Ibrahim stresses that compliance claims should be verified, not assumed, noting that vendors should be able to demonstrate compliance with relevant standards like DORA, NIS2, ISO 27001 or SOC 2.
For Ibrahim, these questions aren’t just administrative due diligence—they’re strategic planning. “Growth depends on speed, but resilience depends on trust,” he says. “You need to know where your risks travel before they arrive at your door.”
Your Third-Party Security Playbook
- Confirm the product was built with security at its core. If a vendor can’t clearly explain how they develop, test and maintain the product securely, it isn’t ready for enterprise deployment.
- Request evidence of security controls, not verbal assurances. Ask for independently validated documentation on penetration tests, technical controls and compliance practices.
- Set nonnegotiable requirements before evaluating vendors. Define expectations for encryption, access controls and incident response upfront to eliminate ambiguity later.
- Evaluate how the vendor integrates into your environment. Ensure the vendor’s systems, safeguards and operations fit your governance framework and won’t introduce unnecessary friction.
- Ask detailed questions about data handling and supply chain dependencies. Clarify what data the vendor collects, where it lives, who accesses it and how the vendor vets their own third parties.
- Verify transparency and compliance maturity. Require security testing results and proof of conformity with standards such as ISO 27001 or SOC 2 to gauge the vendor’s accountability.
Holding the Line on Third-Party Risk
As organizations expand their tech stacks and deepen their reliance on external providers, third-party risk becomes a structural—and strategic—issue rather than a side concern. The insights shared here highlight a simple truth: evaluating vendors with rigor is not a drag on innovation but the guardrail that keeps momentum from veering into avoidable risk.
Looking forward, third-party oversight will only grow more complex as ecosystems stretch across borders, cloud layers and supply chains. Organizations must be prepared to treat vendor security as a living discipline—one that demands continual questioning, evidence-backed accountability and a refusal to accept opacity where clarity is possible.
