    Proof over promises: a new doctrine for cybersecurity

    By admin | March 14, 2026 | 5 Mins Read

    For years, third-party cybersecurity relationships between vendors and customers have relied on contracts and trust. That model is now showing its age. In the past year alone, 51% of UK organizations have reported a third party-related breach, while vendors have become ideal attack vectors for hostile actors.

    Sam Kirkman, Director of EMEA Services at NetSPI.

    At the same time, cyber attacks are growing in frequency and damage, even when they rely on relatively unsophisticated techniques. It is a clear shift: the way vendors reassure their customers of the strength of their security can no longer rely on words alone.

    From trust-based compliance to evidence-based security

    What once worked for security vendors, trust-based compliance, has now become the bare minimum, as well as an outdated approach for modern cyber strategy and data protection.

    Contracts and written assurances do little to protect organizations in practice, and too often, customers are left with limited insight into the real security posture of their vendors.

    In the past few years, we have seen documentation, questionnaires and a copious number of certifications come to overshadow demonstrable robustness. The emphasis has shifted towards ticking boxes, rather than proving strength.

    Instead, we need to move from telling to showing; proof over promise.

    An evidence-based model of security requires that vendors actively demonstrate that their security approach is robust, measurable, and effective. Compliance does not equal resilience in today’s threat landscape; only a consistent and proactive approach will do.

    Structural blindness

    Of course, most vendors are not deliberately hiding vulnerabilities from customers. The issues are latency and visibility. Point-in-time assessments quickly become outdated and lose relevance as systems shift, technology advances and new code is deployed.

    A vendor deemed secure at the point of certification or contractual signing can carry material risks just weeks later without a consistent approach to vulnerability management.

    Developing comprehensive visibility of vulnerabilities across an organization is often challenging. Unfortunately, some vendors choose a path of willful ignorance and blind optimism. This approach saves money for the vendor, at the expense of increasing the risk you take on as a customer.


    Even when new vulnerabilities are found, customers often have little to no visibility. An ad hoc approach to third-party security has created a form of structural blindness where risk exists but remains unseen.

    To address this, vendors must move towards continuously signaling operational and cyber resilience, rather than relying on static assurances.

    Assurance in practice: penetration testing

    In practical terms, this means one thing: continuous penetration testing.

    For vendors performing infrequent or ad hoc tests, security teams struggle to keep up with the rapidly evolving landscape, leaving vulnerabilities unidentified and customers exposed.

    By simulating real attacker behavior, vendors not only demonstrate to customers their commitment to a strong security framework, but also actively improve their vulnerability management and reduce the very risk of a data breach in the first place.

    Customers are assured with evidence; vendors’ security teams can sleep easy knowing that their weaknesses have been addressed.

    For organizations managing dozens, or hundreds, of third-party relationships, this level of visibility is critical to understanding where real risk resides and improving customer relationships.

    It is time for CISOs to speak up

    Supply chains have become prime targets for hostile actors, where data breaches lead to a domino effect of disruption across suppliers, warehouses and manufacturers. For instance, the devastating Jaguar Land Rover attack in September 2025 contributed to reducing real growth across the wider economy of the UK to just 0.1%.

    It is critical that vendors begin to demonstrate, through evidence, that they are secure. CISOs are uniquely positioned to raise the bar and lead the charge in demanding that third-party security teams prove their robust cyber management.

    To be clear, this is about a greater alignment between vendor and customer, not about punishing the vendors whose security might not be as strong as was hoped. Providing proof over promise represents a fundamental shift in the cybersecurity approach of CISOs, third parties and customer organizations alike.

    Where CISOs are leading the charge, companies across all sectors can build up their resilience.

    Words to live by

    Cybersecurity can no longer rely on outdated and insufficient promises rooted in trust and contractual obligations.

    The cyber landscape is in a constant state of evolution and change, and trust alone is no longer a reliable indicator of a mature security framework. Static assurances and point-in-time validations fail to reflect the realities of modern infrastructure, where risk evolves far faster than documentation ever can.

    By embracing continuous penetration testing and empowering CISOs to demand that vendors demonstrably prove their security posture, organizations can fundamentally change how third-party risk is managed.

    This shift moves the cybersecurity and business landscape away from blind trust that silently compromises data safety, and toward confidence grounded in ongoing, measurable assurance.

    Proof over promises is an essential tenet of cybersecurity in the modern world.

    This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
