Threatonomics

Why vendor discovery matters now (and how most organizations get it wrong)

by Emma McGowan, Senior Writer

Without a clear inventory of your third-party vendors, your risk management program is failing before it even begins.

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to ignore.

“The path to identifying the risk that third party vendors bring to your organization’s table begins with establishing a comprehensive inventory of your vendors and the products or services they provide to your organization,” explains Chuck Norton, Senior Technical Security Advisor at cyber risk company Resilience. “A lot of organizations simply don’t have that.” 

This fundamental gap—the lack of a centralized, authoritative vendor inventory—is where most third-party risk management programs fail before they even begin.

Why vendor discovery matters more than ever

The business case for comprehensive vendor discovery has never been stronger. Three converging forces—regulatory pressure, operational complexity, and cyber risk evolution—are making vendor blindness an expensive and dangerous gamble.

The regulatory reality check

The regulatory landscape around vendor management has shifted dramatically. The EU’s Digital Operational Resilience Act (DORA), now in force for 2025, requires financial institutions to maintain a comprehensive register of ICT third-party arrangements. New York’s NYDFS 23 NYCRR 500 mandates specific third-party service provider policies with minimum controls and oversight. Even industry frameworks like NIST CSF 2.0 have elevated cybersecurity supply chain risk management (C-SCRM) as a core governance function.

But it’s not just about compliance. Norton notes an emerging trend that could reshape vendor management entirely, at least in one industry: “Proposed HIPAA Security Rule amendments include requirements for annual third-party vendor security validations and are currently under consideration through the Notice of Proposed Rulemaking process. If implemented, this would mandate annual security assessments for all vendors handling protected health information, regardless of contract renewal cycles.”

For organizations in the healthcare sector, this represents a seismic shift from contract-driven assessments to continuous vendor oversight—exactly the kind of program that requires robust discovery and inventory capabilities as a foundation.

The true cost of vendor blindness

The operational risks of incomplete vendor inventories extend far beyond regulatory compliance. Modern businesses operate in complex vendor ecosystems where failures can cascade through multiple layers of dependencies. Norton illustrates this with a common scenario: “If you have a cloud service and they’re hosted on Microsoft and Microsoft has an outage, that’s going to have a ripple effect.”

This “nth-party risk”—the risk from your vendor’s vendors—is something most organizations struggle to understand, let alone manage. When a major cloud provider experiences an outage, it doesn’t just affect their direct customers; it ripples through the entire ecosystem of companies that depend on services built on that infrastructure.

The insurance and incident response imperative

Cyber insurance underwriters increasingly require detailed vendor inventories as part of their risk assessment process. When incidents occur, insurers need to understand the full scope of potential exposure, which requires comprehensive visibility into all vendor relationships and data flows.

Similarly, effective incident response depends on knowing which vendors might be affected by or involved in a security event. Without a complete vendor inventory, response teams waste critical time trying to identify relevant third parties while the clock is ticking.

How most organizations get vendor discovery wrong

Even organizations that recognize the importance of vendor management often approach discovery in ways that guarantee incomplete results. Understanding these common patterns can help you avoid the same pitfalls.

Starting with questionnaires instead of data

Most vendor management programs begin by sending questionnaires to business units asking them to list their vendors. This approach is fundamentally flawed because it relies on incomplete human memory and creates immediate friction that encourages people to provide minimal responses.

“Most often, organizations will simply look at their accounts payable platforms, but there are a lot of different ways to look at it,” Norton says. “When attempting to tier vendors by importance, many organizations will only look at their annual spend with a particular vendor, which is great but it doesn’t really paint the whole picture.”

The most effective programs start with data mining—extracting vendor relationships from the digital exhaust your organization already produces through financial transactions, system logs, and access records.

Focusing only on spend

The most common vendor discovery mistake is equating financial importance with business risk. This approach misses some of the highest-risk vendor relationships while overemphasizing low-risk, high-spend relationships.

Traditional vendor discovery often stops at financial data, using spend as the primary factor for determining vendor importance. This misses critical low-spend, high-risk vendors and creates blind spots around services that might be free or have usage-based pricing models.

Shadow IT represents a particularly challenging example. Teams often adopt free or low-cost SaaS tools that never appear in procurement systems but can pose significant security risks if they handle sensitive data or integrate with core business systems.

Treating it as a one-time project

Perhaps the most dangerous misconception is viewing vendor discovery as a project with a completion date. This mindset virtually guarantees that your inventory will rapidly become obsolete and unreliable.

Many organizations approach vendor discovery as a compliance project—something to complete once for an audit or assessment. In reality, vendor relationships change constantly as teams adopt new tools, contracts expire and renew, and business needs evolve.

Without systematic, ongoing discovery processes, vendor inventories become obsolete within months of creation.

Building a foundation for effective vendor management

Now that we’ve established why vendor discovery matters and identified the common pitfalls that derail most programs, the natural question becomes: where do you actually start? The answer lies in leveraging data you already have rather than starting from scratch.

Most organizations sit on a goldmine of vendor relationship data scattered across their existing systems. Financial transactions, system access logs, network traffic, and contract repositories all contain evidence of vendor relationships—you just need to know where to look and how to extract meaningful insights.

The key is approaching discovery systematically, mining multiple data sources to build a comprehensive picture of your vendor ecosystem. This data-driven approach is not only more accurate than surveys and questionnaires—it’s also faster and reveals vendor relationships that business units might not even realize they’ve created.
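The cross-referencing described above, as an added example that is not part of the article: it joins constructed records from accounts payable, the identity provider's app grants and a DNS resolver log into one inventory keyed by vendor domain, then lists the vendors that are in use but have no spend record, the free-SaaS blind spot the post describes. All field names, domains and values are assumptions, not any real system's schema.

```python
# Added example (not from the article): correlate constructed sample records
# from three data streams the post names (accounts payable, identity/SSO
# grants, DNS logs) into one vendor inventory keyed by vendor domain, and flag
# vendors that are in use but have no spend record (the "free SaaS" blind spot).
from collections import defaultdict

# Constructed sample data; field names are assumptions, not any real system's schema.
ACCOUNTS_PAYABLE = [
    {"vendor": "Acme Cloud Inc", "domain": "acmecloud.example", "annual_spend": 120000},
    {"vendor": "Office Supply Co", "domain": "officesupply.example", "annual_spend": 45000},
]
SSO_GRANTS = [  # OAuth/SAML app grants as exported from an identity provider
    {"app": "Acme Cloud", "domain": "acmecloud.example", "users": 340},
    {"app": "FreeNotes", "domain": "freenotes.example", "users": 58},
]
DNS_LOG = [  # constructed resolver log lines: "<timestamp> <client> <query>"
    "2025-03-01T10:00:01Z 10.1.2.3 api.acmecloud.example",
    "2025-03-01T10:00:05Z 10.1.2.9 sync.freenotes.example",
    "2025-03-01T10:00:07Z 10.1.4.4 cdn.quicksurvey.example",
]

def registrable_domain(host: str) -> str:
    # Keep the last two labels; adequate for the sample data, not a full public-suffix lookup.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def build_inventory(ap, grants, dns_lines):
    inv = defaultdict(lambda: {"spend": 0, "sso_users": 0, "dns_hits": 0, "sources": set()})
    for row in ap:  # financial stream: who we pay
        d = registrable_domain(row["domain"])
        inv[d]["spend"] += row["annual_spend"]
        inv[d]["sources"].add("ap")
    for row in grants:  # identity stream: which apps staff have authorised
        d = registrable_domain(row["domain"])
        inv[d]["sso_users"] += row["users"]
        inv[d]["sources"].add("sso")
    for line in dns_lines:  # network stream: which vendor domains are resolved
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed log lines rather than crash the run
        d = registrable_domain(parts[2])
        inv[d]["dns_hits"] += 1
        inv[d]["sources"].add("dns")
    return dict(inv)

def zero_spend_vendors(inventory):
    # Vendors seen in identity or network data but absent from accounts payable.
    return sorted(d for d, v in inventory.items() if "ap" not in v["sources"])
```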

What’s next

In our next post in our Third Party Risk Management series, we’ll dive deep into the seven data streams you can mine to build a comprehensive vendor inventory. We’ll show you exactly where to look in your existing systems to find vendor relationships you didn’t know existed, starting with the financial and identity data that’s already at your fingertips.

Coming up in Post 2: The seven data streams for vendor discovery

  • Stream 1: Following the money trail through financial systems
  • Stream 2: Identity and access goldmine
  • Stream 3: Network and DNS intelligence
  • And four more critical data sources you’re probably not using
