Threatonomics

Why vendor discovery matters now (and how most organizations get it wrong)

by Emma McGowan, Senior Writer

Without a clear inventory of your third-party vendors, your risk management program is failing before it even begins.

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to ignore.

“The path to identifying the risk that third party vendors bring to your organization’s table begins with establishing a comprehensive inventory of your vendors and the products or services they provide to your organization,” explains Chuck Norton, Senior Technical Security Advisor at cyber risk company Resilience. “A lot of organizations simply don’t have that.” 

This fundamental gap—the lack of a centralized, authoritative vendor inventory—is where most third-party risk management programs fail before they even begin.

Why vendor discovery matters more than ever

The business case for comprehensive vendor discovery has never been stronger. Three converging forces—regulatory pressure, operational complexity, and cyber risk evolution—are making vendor blindness an expensive and dangerous gamble.

The regulatory reality check

The regulatory landscape around vendor management has shifted dramatically. The EU’s Digital Operational Resilience Act (DORA), in force as of 2025, requires financial institutions to maintain a comprehensive register of their ICT third-party arrangements. New York’s NYDFS 23 NYCRR 500 mandates specific third-party service provider policies with minimum controls and oversight. Even industry frameworks such as NIST CSF 2.0 have elevated cybersecurity supply chain risk management (C-SCRM) to a core governance function.

But it’s not just about compliance. Norton notes an emerging trend that could reshape vendor management entirely, at least in one industry: “Proposed HIPAA Security Rule amendments include requirements for annual third-party vendor security validations and are currently under consideration through the Notice of Proposed Rulemaking process. If implemented, this would mandate annual security assessments for all vendors handling protected health information, regardless of contract renewal cycles.”

For organizations in the healthcare sector, this represents a seismic shift from contract-driven assessments to continuous vendor oversight—exactly the kind of program that requires robust discovery and inventory capabilities as a foundation.

The true cost of vendor blindness

The operational risks of incomplete vendor inventories extend far beyond regulatory compliance. Modern businesses operate in complex vendor ecosystems where failures can cascade through multiple layers of dependencies. Norton illustrates this with a common scenario: “If you have a cloud service and they’re hosted on Microsoft and Microsoft has an outage, that’s going to have a ripple effect.”

This “nth-party risk”—the risk from your vendor’s vendors—is something most organizations struggle to understand, let alone manage. When a major cloud provider experiences an outage, it doesn’t just affect their direct customers; it ripples through the entire ecosystem of companies that depend on services built on that infrastructure.

The insurance and incident response imperative

Cyber insurance underwriters increasingly require detailed vendor inventories as part of their risk assessment process. When incidents occur, insurers need to understand the full scope of potential exposure, which requires comprehensive visibility into all vendor relationships and data flows.

Similarly, effective incident response depends on knowing which vendors might be affected by or involved in a security event. Without a complete vendor inventory, response teams waste critical time trying to identify relevant third parties while the clock is ticking.

How most organizations get vendor discovery wrong

Even organizations that recognize the importance of vendor management often approach discovery in ways that guarantee incomplete results. Understanding these common patterns can help you avoid the same pitfalls.

Starting with questionnaires instead of data

Most vendor management programs begin by sending questionnaires to business units asking them to list their vendors. This approach is fundamentally flawed because it relies on incomplete human memory and creates immediate friction that encourages people to provide minimal responses.

“Most often, organizations will simply look at their accounts payable platforms, but there are a lot of different ways to look at it,” Norton says. “When attempting to tier vendors by importance, many organizations will only look at their annual spend with a particular vendor, which is great but it doesn’t really paint the whole picture.”

The most effective programs start with data mining—extracting vendor relationships from the digital exhaust your organization already produces through financial transactions, system logs, and access records.

Focusing only on spend

The most common vendor discovery mistake is equating financial importance with business risk. This approach misses some of the highest-risk vendor relationships while overemphasizing low-risk, high-spend relationships.

Traditional vendor discovery often stops at financial data, using spend as the primary factor for determining vendor importance. This misses critical low-spend, high-risk vendors and creates blind spots around services that might be free or have usage-based pricing models.

Shadow IT represents a particularly challenging example. Teams often adopt free or low-cost SaaS tools that never appear in procurement systems but can pose significant security risks if they handle sensitive data or integrate with core business systems.

Treating it as a one-time project

Perhaps the most dangerous misconception is viewing vendor discovery as a project with a completion date. This mindset virtually guarantees that your inventory will rapidly become obsolete and unreliable.

Many organizations approach vendor discovery as a compliance project—something to complete once for an audit or assessment. In reality, vendor relationships change constantly as teams adopt new tools, contracts expire and renew, and business needs evolve.

Without systematic, ongoing discovery processes, vendor inventories become obsolete within months of creation.

Building a foundation for effective vendor management

Now that we’ve established why vendor discovery matters and identified the common pitfalls that derail most programs, the natural question becomes: where do you actually start? The answer lies in leveraging data you already have rather than starting from scratch.

Most organizations sit on a goldmine of vendor relationship data scattered across their existing systems. Financial transactions, system access logs, network traffic, and contract repositories all contain evidence of vendor relationships—you just need to know where to look and how to extract meaningful insights.

The key is approaching discovery systematically, mining multiple data sources to build a comprehensive picture of your vendor ecosystem. This data-driven approach is not only more accurate than surveys and questionnaires—it’s also faster and reveals vendor relationships that business units might not even realize they’ve created.
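As an added illustration of the multi-source, data-driven discovery described above (example code written for this page, not a tool from the article or from Resilience), the following Python reconciles three of the sources the text names: accounts-payable spend, SSO application assignments, and egress DNS logs. All vendor domains, amounts, users and log lines are constructed samples, and the sensitivity scale is an assumption; the point is that vendors absent from accounts payable still surface, and that tiering is driven by the data a vendor handles rather than by spend.

```python
"""Reconcile accounts-payable, SSO and DNS evidence into one vendor inventory.
All inputs below are constructed samples; domains and amounts are not real."""
from collections import defaultdict

AP_SPEND = {"cloudhost.example": 480000, "payroll.example": 120000}   # annual spend
# SSO assignments: (vendor domain, user, classification of data the app handles)
SSO_EVENTS = [("cloudhost.example", "alice", "internal"),
              ("payroll.example", "bob", "pii"),
              ("freeboard.example", "carol", "confidential"),
              ("freeboard.example", "dave", "confidential")]
# Egress DNS resolver log lines: "timestamp client qname"
DNS_LOG = """2025-10-01T09:00:01Z 10.1.2.3 api.cloudhost.example
2025-10-01T09:00:07Z 10.1.2.9 sync.freeboard.example
2025-10-01T09:01:12Z 10.1.2.4 collector.metricsfree.example"""
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}  # assumed scale

def parse_dns(log):
    """Count queries per vendor domain, using the last two labels as the key."""
    hits = defaultdict(int)
    for line in log.splitlines():
        qname = line.split()[-1]
        hits[".".join(qname.split(".")[-2:])] += 1
    return dict(hits)

def build_inventory(ap, sso, dns_log):
    """Merge the three sources into {domain: record}, noting which sources saw it."""
    inv = {}
    def rec(domain):
        return inv.setdefault(domain, {"spend": 0, "users": set(), "max_sens": 0,
                                       "dns_hits": 0, "sources": set()})
    for domain, amount in ap.items():
        r = rec(domain); r["spend"] = amount; r["sources"].add("ap")
    for domain, user, tag in sso:
        r = rec(domain); r["users"].add(user); r["sources"].add("sso")
        r["max_sens"] = max(r["max_sens"], SENSITIVITY[tag])
    for domain, count in parse_dns(dns_log).items():
        r = rec(domain); r["dns_hits"] = count; r["sources"].add("dns")
    return inv

def tier(record):
    """Tier on data sensitivity and footprint, not on spend."""
    if record["max_sens"] >= SENSITIVITY["confidential"]:
        return "high"
    return "medium" if record["users"] or record["dns_hits"] else "low"

def shadow_vendors(inv):
    """Vendors seen by identity or DNS data but absent from accounts payable."""
    return sorted(d for d, r in inv.items() if "ap" not in r["sources"])
```

Ranking by spend alone would put cloudhost.example first; the tiering above surfaces freeboard.example, which handles confidential data and never appears in accounts payable.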

What’s next

In the next post in our Third-Party Risk Management series, we’ll dive deep into the seven data streams you can mine to build a comprehensive vendor inventory. We’ll show you exactly where to look in your existing systems to find vendor relationships you didn’t know existed, starting with the financial and identity data that’s already at your fingertips.

Coming up in Post 2: The seven data streams for vendor discovery

  • Stream 1: Following the money trail through financial systems
  • Stream 2: Identity and access goldmine
  • Stream 3: Network and DNS intelligence
  • And four more critical data sources you’re probably not using
