Threatonomics

Why vendor discovery matters now (and how most organizations get it wrong)

by Emma McGowan, Senior Writer

Without a clear inventory of your third-party vendors, your risk management program is failing before it even begins.

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to ignore.

“The path to identifying the risk that third party vendors bring to your organization’s table begins with establishing a comprehensive inventory of your vendors and the products or services they provide to your organization,” explains Chuck Norton, Senior Technical Security Advisor at cyber risk company Resilience. “A lot of organizations simply don’t have that.” 

This fundamental gap—the lack of a centralized, authoritative vendor inventory—is where most third-party risk management programs fail before they even begin.

Why vendor discovery matters more than ever

The business case for comprehensive vendor discovery has never been stronger. Three converging forces—regulatory pressure, operational complexity, and cyber risk evolution—are making vendor blindness an expensive and dangerous gamble.

The regulatory reality check

The regulatory landscape around vendor management has shifted dramatically. The EU’s Digital Operational Resilience Act (DORA), now in force for 2025, requires financial institutions to maintain a comprehensive register of ICT third-party arrangements. New York’s NYDFS 23 NYCRR 500 mandates specific third-party service provider policies with minimum controls and oversight. Even industry frameworks like NIST CSF 2.0 have elevated cybersecurity supply chain risk management (C-SCRM) as a core governance function.

But it’s not just about compliance. Norton notes an emerging trend that could reshape vendor management entirely, at least in one industry: “Proposed HIPAA Security Rule amendments include requirements for annual third-party vendor security validations and are currently under consideration through the Notice of Proposed Rulemaking process. If implemented, this would mandate annual security assessments for all vendors handling protected health information, regardless of contract renewal cycles.”

For organizations in the healthcare sector, this represents a seismic shift from contract-driven assessments to continuous vendor oversight—exactly the kind of program that requires robust discovery and inventory capabilities as a foundation.

The true cost of vendor blindness

The operational risks of incomplete vendor inventories extend far beyond regulatory compliance. Modern businesses operate in complex vendor ecosystems where failures can cascade through multiple layers of dependencies. Norton illustrates this with a common scenario: “If you have a cloud service and they’re hosted on Microsoft and Microsoft has an outage, that’s going to have a ripple effect.”

This “nth-party risk”—the risk from your vendor’s vendors—is something most organizations struggle to understand, let alone manage. When a major cloud provider experiences an outage, it doesn’t just affect their direct customers; it ripples through the entire ecosystem of companies that depend on services built on that infrastructure.

The insurance and incident response imperative

Cyber insurance underwriters increasingly require detailed vendor inventories as part of their risk assessment process. When incidents occur, insurers need to understand the full scope of potential exposure, which requires comprehensive visibility into all vendor relationships and data flows.

Similarly, effective incident response depends on knowing which vendors might be affected by or involved in a security event. Without a complete vendor inventory, response teams waste critical time trying to identify relevant third parties while the clock is ticking.

How most organizations get vendor discovery wrong

Even organizations that recognize the importance of vendor management often approach discovery in ways that guarantee incomplete results. Understanding these common patterns can help you avoid the same pitfalls.

Starting with questionnaires instead of data

Most vendor management programs begin by sending questionnaires to business units asking them to list their vendors. This approach is fundamentally flawed because it relies on incomplete human memory and creates immediate friction that encourages people to provide minimal responses.

“Most often, organizations will simply look at their accounts payable platforms, but there are a lot of different ways to look at it,” Norton says. “When attempting to tier vendors by importance, many organizations will only look at their annual spend with a particular vendor, which is great but it doesn’t really paint the whole picture.”

The most effective programs start with data mining—extracting vendor relationships from the digital exhaust your organization already produces through financial transactions, system logs, and access records.

Focusing only on spend

The most common vendor discovery mistake is equating financial importance with business risk. This approach misses some of the highest-risk vendor relationships while overemphasizing low-risk, high-spend relationships.

Traditional vendor discovery often stops at financial data, using spend as the primary factor for determining vendor importance. This misses critical low-spend, high-risk vendors and creates blind spots around services that might be free or have usage-based pricing models.

Shadow IT represents a particularly challenging example. Teams often adopt free or low-cost SaaS tools that never appear in procurement systems but can pose significant security risks if they handle sensitive data or integrate with core business systems.

Treating it as a one-time project

Perhaps the most dangerous misconception is viewing vendor discovery as a project with a completion date. This mindset virtually guarantees that your inventory will rapidly become obsolete and unreliable.

Many organizations approach vendor discovery as a compliance project—something to complete once for an audit or assessment. In reality, vendor relationships change constantly as teams adopt new tools, contracts expire and renew, and business needs evolve.

Without systematic, ongoing discovery processes, vendor inventories become obsolete within months of creation.

Building a foundation for effective vendor management

Now that we’ve established why vendor discovery matters and identified the common pitfalls that derail most programs, the natural question becomes: where do you actually start? The answer lies in leveraging data you already have rather than starting from scratch.

Most organizations sit on a goldmine of vendor relationship data scattered across their existing systems. Financial transactions, system access logs, network traffic, and contract repositories all contain evidence of vendor relationships—you just need to know where to look and how to extract meaningful insights.

The key is approaching discovery systematically, mining multiple data sources to build a comprehensive picture of your vendor ecosystem. This data-driven approach is not only more accurate than surveys and questionnaires—it’s also faster and reveals vendor relationships that business units might not even realize they’ve created.
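The discovery approach described above, and the "focusing only on spend" pitfall from earlier in the post, are easier to see in code than in prose. The following is an added example, not code from Resilience or from the original post. It mines three constructed data sources (an accounts payable export, identity-provider sign-in events and resolver logs), normalizes payee names and domains to one vendor key, merges them into a single inventory, and then tiers each vendor two ways: by spend alone and by what the vendor handles and how widely it is used. All names, log formats, thresholds and the `DATA_SENSITIVITY` classification are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# --- Constructed sample inputs (illustrative only, not data from any real organization) ---

# Accounts payable export: (payee name as it appears on invoices, annual spend in USD)
AP_EXPORT = [
    ("Acme Cloud Hosting, Inc.", 480000.0),
    ("Office Snacks LLC", 36000.0),
    ("PayrollPro Ltd.", 52000.0),
]

# Identity provider sign-in events: who signed in to which federated SaaS application
SSO_LOG = [
    "2025-03-01T09:12:03Z user=alice@example.com app=PayrollPro result=success",
    "2025-03-01T09:14:41Z user=bob@example.com app=NoteShare result=success",
    "2025-03-01T09:20:09Z user=carol@example.com app=NoteShare result=success",
    "2025-03-01T10:02:55Z user=dave@example.com app=NoteShare result=success",
    "2025-03-01T10:31:17Z user=erin@example.com app=NoteShare result=failure",
    "2025-03-02T08:45:00Z user=alice@example.com app=NoteShare result=success",
]

# Resolver log: internal client address and the external name it asked for
DNS_LOG = [
    "10.0.4.12 api.noteshare.example",
    "10.0.4.19 sync.noteshare.example",
    "10.0.7.3 console.acmecloudhosting.example",
    "10.0.9.40 www.payrollpro.example",
]

# What each service is believed to handle, from a (constructed) data-flow review.
# Keys are normalized vendor keys as produced by normalize() below.
DATA_SENSITIVITY = {
    "acmecloudhosting": "internal",
    "payrollpro": "pii",
    "noteshare": "pii",        # staff paste customer records into it; never went through procurement
    "officesnacks": "none",
}

LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc"}
SSO_RE = re.compile(r"user=(?P<user>\S+)\s+app=(?P<app>\S+)\s+result=(?P<result>\S+)")


def normalize(name: str) -> str:
    """Collapse 'Acme Cloud Hosting, Inc.' and 'acmecloudhosting' to one inventory key."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return "".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def vendor_from_domain(fqdn: str) -> str:
    """Take the label just before the top-level label as the vendor name.
    Adequate for the constructed *.example names here; real data needs a public-suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


@dataclass
class VendorRecord:
    key: str
    display_name: str
    annual_spend: float = 0.0
    users: set = field(default_factory=set)     # distinct identities seen signing in
    sources: set = field(default_factory=set)   # which data streams evidenced the vendor
    sensitivity: str = "unknown"


def build_inventory(ap_rows, sso_lines, dns_lines, sensitivity) -> dict:
    """Merge evidence from finance, identity and network telemetry into one vendor inventory."""
    inv: dict = {}

    def rec(raw_name: str) -> VendorRecord:
        key = normalize(raw_name)
        if key not in inv:
            inv[key] = VendorRecord(key=key, display_name=raw_name,
                                    sensitivity=sensitivity.get(key, "unknown"))
        return inv[key]

    for payee, spend in ap_rows:
        r = rec(payee)
        r.annual_spend += spend
        r.sources.add("ap")
    for line in sso_lines:
        m = SSO_RE.search(line)
        if not m:
            continue
        r = rec(m["app"])
        r.sources.add("sso")            # even a failed sign-in proves the integration exists
        if m["result"] == "success":
            r.users.add(m["user"])      # but only successful sign-ins count as active users
    for line in dns_lines:
        _client, fqdn = line.split()
        rec(vendor_from_domain(fqdn)).sources.add("dns")
    return inv


def spend_only_tier(r: VendorRecord) -> str:
    """The common (flawed) approach: importance equals invoice size."""
    if r.annual_spend >= 100_000:
        return "tier1"
    if r.annual_spend >= 25_000:
        return "tier2"
    return "tier3"


def risk_tier(r: VendorRecord) -> str:
    """Tier on what the vendor touches and how widely it is used, with spend as one input."""
    if r.sensitivity == "pii" or len(r.users) >= 3:
        return "critical"
    if r.annual_spend >= 100_000 or r.sensitivity == "internal":
        return "high"
    return "low"


def shadow_it(inv: dict) -> list:
    """Vendors evidenced by identity or network telemetry but absent from accounts payable."""
    return sorted(k for k, r in inv.items() if "ap" not in r.sources)


if __name__ == "__main__":
    inv = build_inventory(AP_EXPORT, SSO_LOG, DNS_LOG, DATA_SENSITIVITY)
    for k, r in sorted(inv.items()):
        print(f"{r.display_name:26} spend={r.annual_spend:>9.0f} users={len(r.users)} "
              f"sources={sorted(r.sources)} spend_tier={spend_only_tier(r)} risk_tier={risk_tier(r)}")
    print("never procured:", shadow_it(inv))
```

Run as written, the spend-only view ranks the snack supplier above NoteShare, which has zero invoices, while the merged view flags NoteShare as critical: four staff sign in to it, it handles personal data, and it appears only in identity and DNS telemetry. That is the shadow IT case the post describes, and it is invisible to an inventory built from accounts payable alone.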

What’s next

In the next post in our Third Party Risk Management series, we’ll dive deep into the seven data streams you can mine to build a comprehensive vendor inventory. We’ll show you exactly where to look in your existing systems to find vendor relationships you didn’t know existed, starting with the financial and identity data that’s already at your fingertips.

Coming up in Post 2: The seven data streams for vendor discovery

  • Stream 1: Following the money trail through financial systems
  • Stream 2: Identity and access goldmine
  • Stream 3: Network and DNS intelligence
  • And four more critical data sources you’re probably not using
