In today's interconnected digital world, third-party risks have become one of the most significant challenges for organizations. From ransomware to supply chain compromises, the evolving cyber threat landscape demands continuous vigilance and innovative solutions. In this blog post, we delve into expert insights shared by Michael Centrella, Head of Public Policy at SecurityScorecard and former Assistant Director of the US Secret Service, during his appearance on the Risk Management Show podcast.

When Cybersecurity Gets Personal: Real Consequences of Third-Party Risk

Cybersecurity headlines often focus on massive data breaches or shadowy hackers, but the true impact of third-party risk management is far more personal—and far-reaching—than many realize. In today’s hyper-connected digital ecosystem, a single weak link in the supply chain can trigger a cascade of consequences, affecting not just corporations, but individuals, communities, and even national infrastructure.

From One Vendor to Industry-Wide Chaos: A Real-World Wake-Up Call

Consider the story of a small software vendor that provided a seemingly innocuous update to hundreds of clients. The vendor, lacking robust cybersecurity measures, became the entry point for a sophisticated attack. Within days, not only were the vendor’s systems compromised, but the malware spread rapidly to major financial institutions, healthcare networks, and government agencies. What began as a breach at a single, resource-strapped company snowballed into cross-industry chaos, disrupting services, exposing sensitive data, and putting lives at risk.

This scenario is not hypothetical. High-profile incidents like the SolarWinds breach and MOVEit attacks have demonstrated how supply chain vulnerabilities can escalate into global crises. These events underscore a critical truth: organizations are no longer isolated entities. Their security posture is only as strong as the weakest link in their vendor network.

SecurityScorecard Research: The Alarming Scope of Vendor Breaches

Recent research from SecurityScorecard paints a stark picture of the current landscape. An astonishing 99% of Global 2000 companies were connected to at least one vendor that experienced a breach in the past 15 months. The vast majority of these organizations were unaware of the vulnerabilities lurking within their supply chains until it was too late.

“A compromise of a small vendor with limited resources can suddenly become a Fortune 500 company’s problem. The reality is, your cybersecurity is only as strong as your weakest link in the supply chain.”

This interconnectedness means that even the most security-conscious organizations are exposed to risks they cannot directly control. The challenge is compounded by the sheer speed and complexity of modern digital relationships, where hundreds or thousands of vendors may be involved in delivering a single service.

Ransomware: From Financial Nuisance to National Security Threat

The evolution of ransomware exemplifies the growing danger of emerging cyber threats in 2025. What was once dismissed as a financial nuisance now threatens critical public infrastructure. Hospitals have been forced to divert emergency patients, energy grids have faced shutdowns, and banks have experienced operational paralysis—all due to ransomware attacks that exploited third-party vulnerabilities.

  • Healthcare: Ransomware attacks have delayed surgeries and endangered patient lives.
  • Energy: Supply chain breaches have led to fuel shortages and blackouts.
  • Finance: Banks have suffered service outages, impacting millions of customers.

These incidents are not isolated. They are the direct result of attackers targeting the weakest points in the supply chain, knowing that a single breach can have ripple effects across entire industries.

The True Cost: Third-Party Incident Remediation

One of the most startling findings from SecurityScorecard’s research is the cost disparity between first-party and third-party breaches. Remediation for third-party incidents is approximately 17 times more expensive than for direct breaches. This is due to the complexity of tracing the attack, coordinating with multiple affected parties, and restoring trust across the ecosystem.

Type of Breach                    | Average Remediation Cost
First-Party Breach                | $X (baseline)
Third-Party/Supply Chain Breach   | 17x $X

The financial impact is only part of the story. The reputational damage, regulatory scrutiny, and potential loss of life associated with the impact of ransomware on public infrastructure make third-party risk a top concern for organizations worldwide.

Continuous Vigilance: The New Standard for Third-Party Risk Management

Effective third-party risk management demands continuous monitoring and collaboration with vendors. Many vendors may not even be aware of their own vulnerabilities, making it essential for organizations to work proactively and rapidly to identify and address risks before they become crises. In the interconnected digital age, cybersecurity is no longer just an IT issue—it’s a matter of public trust and safety.


Continuous Doesn’t Mean Complicated: New Models for Vendor Security in 2025

For years, third-party risk management has relied on annual checklists and compliance questionnaires. While these “tick-the-box” exercises may satisfy regulatory requirements, they often create dangerous blind spots. In 2025, as supply chain attacks surge and digital ecosystems expand, organizations are discovering that continuous vendor monitoring is not only possible—it’s essential. Yet, continuous doesn’t have to mean complicated.

Annual Checklists: The Illusion of Security

Traditional third-party risk assessment tools have long centered around periodic reviews. Typically, organizations send out annual questionnaires to vendors, gathering self-reported data about security practices. This approach is increasingly obsolete. According to recent research, 88% of cybersecurity leaders are concerned about supply chain risk, yet many admit they lack true, ongoing visibility into their vendors’ security postures.

The problem is clear: Annual paperwork cannot keep pace with daily threats. Attackers exploit these gaps, targeting vendors whose risk profiles may have changed dramatically since the last assessment. Without real-time insights, organizations are left exposed to evolving vulnerabilities.

SecurityScorecard: Live Ratings for Real-Time Risk

SecurityScorecard has pioneered a new model for continuous monitoring of vendor security. Their platform works much like a credit score—providing a live, objective rating of an organization’s cyber risk based on non-intrusive, external data collection. This means companies can monitor not only their own security posture but also that of their entire ecosystem, including vendors, partners, and suppliers.

With coverage spanning over 17 million organizations worldwide, SecurityScorecard’s ratings give boards, executives, and security teams a clear, up-to-date picture of risk. These live security ratings move beyond the paper trail, offering a dynamic, data-driven foundation for decision-making.

“SecurityScorecard helps organizations see and manage cyber risk across their entire ecosystem. Our security rating model works a lot like a credit score for cybersecurity, using non-intrusive external data collection to continuously assess the security posture of more than 17 million companies worldwide.”

Introducing MAX: From Monitoring to Action

Continuous vendor monitoring is only the first step. In 2025, the focus is shifting from passive observation to active response. SecurityScorecard’s new MAX platform exemplifies this evolution. MAX enables organizations to move beyond monitoring, empowering them to collaborate directly with vendors to identify, prioritize, and remediate vulnerabilities in real time.

  • Collaborative Remediation: MAX allows security teams to work side-by-side with vendors, sharing findings and coordinating fixes before attackers can exploit weaknesses.
  • Real-Time Alerts: Instead of waiting for annual reviews, organizations receive instant notifications of changes in a vendor’s risk profile—enabling rapid response.
  • Actionable Insights: MAX translates complex security data into clear, prioritized action items, making it easier for both technical and non-technical stakeholders to understand and address risk.

Best Practices for Third-Party Risk Management in 2025

Modern third-party risk management requires a shift in mindset and tools. Here are key best practices:

  1. Adopt Continuous Monitoring: Replace annual questionnaires with ongoing, automated assessments using platforms like SecurityScorecard.
  2. Integrate Security Ratings into Operations: Use live ratings to inform procurement, onboarding, and ongoing vendor management decisions.
  3. Collaborate with Vendors: Leverage tools like MAX to work directly with vendors on remediation, rather than relying solely on contractual obligations.
  4. Report to Leadership: Provide boards and executives with objective, up-to-date risk snapshots to support strategic oversight and compliance.

Bridging the Visibility Gap

One of the major misconceptions in third-party risk management is that compliance equals security. In reality, visibility is the biggest gap. Many organizations do not have a complete inventory of their third- and fourth-party vendors, leaving blind spots for attackers to exploit. Continuous monitoring of vendor security, powered by live security ratings and collaborative platforms, is closing this gap.

As boards, regulators, and policymakers recognize that third-party cyber risk is now one of the biggest enterprise threats, they are increasingly embracing these new models. The shift from annual paperwork to continuous, actionable oversight is not just a trend—it’s the new standard for real security in 2025.


Beyond Tech: Why Collaboration, Trust, and Public-Private Partnerships Matter More Than Ever

In the fast-evolving landscape of cybersecurity risk management, the headlines often focus on the latest breaches, advanced tools, and emerging threats. Yet, beneath the surface, the true strength of an organization’s cybersecurity resilience lies not just in technology, but in the relationships and trust that connect people, organizations, and sectors. Public-private collaboration in cybersecurity has become the cornerstone of effective defense, especially as third-party risk and supply chain vulnerabilities continue to dominate the threat landscape heading into 2025.

Cybersecurity is not just a technical challenge—it is a human one. The most sophisticated tools and frameworks can only go so far if they are deployed in isolation. Real security is built on a foundation of cross-ecosystem trust and collaboration, where information flows freely and stakeholders work together proactively. As one former government leader put it,

"If you’re calling law enforcement after the incident happened, then that’s way too late."

This statement captures a hard truth: reactive, siloed approaches fail, and the best time to build partnerships is long before a crisis strikes.


From the perspective of someone who has worked on both sides—government and private sector—the value of public-private partnerships in cybersecurity cannot be overstated. In roles such as Assistant Director of the Secret Service, the “bread and butter” of effective risk response was breaking down silos and building genuine partnerships. These relationships are not just about exchanging business cards; they are about establishing trust, sharing intelligence proactively, and creating a culture where information is shared continuously and transparently.

When public and private organizations share objective data and incident information, investigations move faster and defenses become stronger. Tools like security ratings and supply chain detection platforms provide a common language for assessing threats and measuring progress. However, these tools are only as effective as the trust and willingness to collaborate that underpin them. Building trust in cybersecurity partnerships is not a one-time event—it is an ongoing process that must start well before any incident occurs.

Too often, organizations reach out to law enforcement or government agencies only after a breach has taken place. This reactive approach is not only inefficient; it can also delay response and recovery, increasing the impact of the incident. Instead, organizations should develop playbooks and establish relationships with key partners ahead of time. When an attack does occur, these pre-existing partnerships allow for a coordinated, rapid response—far more effective than scrambling to build trust in the midst of a crisis.

There is also a cultural barrier that must be addressed. Some companies hesitate to involve law enforcement, fearing stigma or loss of control. But this mindset overlooks the mutual benefits of collaboration. Law enforcement agencies gain valuable intelligence from private sector partners, while organizations benefit from the expertise and resources that government can provide. It is a give-and-take relationship, where both sides grow stronger through shared information and experience.

Building cybersecurity resilience must extend across the entire ecosystem, not just within individual organizations. The supply chain is only as strong as its weakest link, and third-party risk remains a critical concern. By fostering trust and collaboration with suppliers, vendors, and partners, organizations can create a network of shared vigilance and rapid response. This holistic approach is essential for managing the complex, interconnected risks of today’s digital world.

Ultimately, the lesson is clear: effective cybersecurity is about more than just technology. It is about building a culture of trust, proactive communication, and partnership—both within organizations and across the public and private sectors. The best time to make friends is before an attack, not while cleaning up after one. As we look ahead to 2025’s next big threats, those who invest in relationships and public-private collaboration in cybersecurity will be best positioned to manage risk and build true resilience.

TL;DR: Third-party risk is the weakest link that turns headlines into disasters. 2025 will demand relentless vendor monitoring, real-time response, and authentic collaboration between organizations and their providers. Forget annual checklists—it's the age of continuous, collective defense.

Ece Karel - Community Manager - Global Risk Community