Securing the Supply Chain — Even When the Suppliers Don’t Want To

  • Writer: Kyle Giliam
  • Jun 19
  • 2 min read

Updated: Aug 22

As security practitioners, we often find ourselves in situations where our role requires engaging with third-party vendors. Most of these interactions are smooth and frictionless, until they aren't. Suddenly, we're seen as the enemy. We ask uncomfortable questions. We request change. We dig, and we find.

From the client's perspective, they've entrusted us to help them and to guide them, and they assume we're fully in control. The reality is quite different. Our ability to deliver often hinges on external parties: vendors who can create frustrating bottlenecks simply by being unresponsive or unwilling to cooperate.


One of the core issues here is accountability. A common excuse we hear is: “That system? Oh, it’s a legacy one we inherited. We weren’t aware.” Combine this with delayed responses, dismissive comments like “this wasn’t a problem before,” or outright avoidance, and your progress quickly stalls. What should be a collaborative effort to improve security turns into a game of dodging responsibility.


This is more than an operational frustration; it is a real risk. Uncooperative third-party vendors increase the organisation's attack surface, prolong known weaknesses, and obstruct efforts to reduce exposure. Worse, they leave us with limited visibility into the processes or systems we're trying to secure. The illusion of shared responsibility only works when accountability is also shared.


So, how do we manage this?


One effective approach is the use of cooperative or back-to-back SLAs. A back-to-back SLA mirrors the security obligations the customer already carries (to its own clients, regulators or internal policy) into the vendor's contract, so that response times, patching windows and incident notification duties flow down to the party that actually operates the system. When these agreements are bound to clear policies, procedures, and ownership structures, it becomes easier to hold all parties accountable and to ensure they know what's expected from the start.


Another essential practice: document everything. Maintaining a strong, active risk register is not just good hygiene; it is a necessity. Vendor friction should be recorded as a risk in its own right, with an owner, a rating and a review date, because it directly affects governance, decision-making, and incident response. If a vendor won't cooperate, that isn't merely annoying; it is something the board should be made aware of.


Transparency is critical here. Our clients need to know when a vendor is introducing unmanaged risk into the environment. This isn't about throwing anyone under the bus; it's about clearly identifying the areas where risk cannot be mitigated because cooperation is missing.


We also need to acknowledge the hard truth: we can't secure what we can't influence. That doesn't mean we've failed. Sometimes, success is simply making the risk visible. Highlighting these blind spots is valuable in itself: it helps leaders make informed decisions, and it often leads to better vendor oversight or, when necessary, replacement.


This is the subtle but essential art of the vCISO / security practitioner role: not just identifying technical risks, but also navigating the political and human ones. The job doesn't stop at firewalls and phishing simulations; it extends into contracts, relationships, and influence.


So the next time you're facing vendor resistance, know that you're not alone. This is a systemic issue in modern cybersecurity. But with the right blend of documentation, policy alignment, and honest reporting, we can still drive progress, even when the suppliers don't want to.