What Happens When Your Vendor’s Vendor Has a Problem?

If you’ve ever learned about a breach from the news at the same moment your CEO asks if you’re impacted, you know the feeling: the clock starts, the questions come fast, and the hardest part is often the simplest—do we even use them?

That “first-hour scramble” was the throughline of our recent webinar, “What happens when your vendor’s vendor has a problem?” led by Corentin (CEO, VISO TRUST) with insights from Paul Valente (Co-founder & Chief Customer Officer, former CISO) and Matt Sharp (CISO at Xactly; author of The CISO Evolution).

The message was clear: third-, fourth-, and nth-party risk isn’t just hard…it’s changing the standard of care. And the only way to keep up is to move from a point-in-time, questionnaire-driven process to an evidence-based, automated, continuously monitored program that supports the business instead of slowing it down.

The breach problem isn’t “security.” It’s visibility.

Paul shared a moment many security leaders recognize: stepping into an elevator with the CEO and being asked about a breach…before even hearing about it.

What made that story stick wasn’t fear of the breach—it was fear of being uninformed. Security leaders aren’t judged only on prevention. They’re judged on whether they can quickly say:

  • Are we impacted?
  • Which vendors touch the affected system/data?
  • Do our vendors rely on that vendor (fourth parties)?
  • What’s our exposure right now, not last quarter?

Matt put it bluntly: in the first hour, most teams can only say, “We’re looking into it.” Not because they’re unprepared—because vendor usage is fragmented across procurement, finance, business units, engineering tools, and the “freemium and credit card” universe.

That’s why the webinar returned repeatedly to a foundational truth:

You can’t respond quickly to what you can’t inventory.

The long tail is where surprises live

Even organizations with mature programs can struggle with what Matt called the “variants” of real-world incidents:

  • A vulnerability (e.g., an open-source library issue) that shows up across systems
  • An M&A-driven change (your vendor acquires another tool, and suddenly the ecosystem shifts)
  • A direct vendor breach vs. a vendor-of-a-vendor breach
  • Shadow IT and “small spend” tools that never went through a formal review

These aren’t edge cases anymore. They’re normal operating conditions.

The consequence: a traditional TPRM program optimized for “check the box” assessments won’t hold up when the breach is two layers away.

Three takeaways that keep showing up in high-performing programs

1) Shift left: procurement and renewal are your leverage points

Matt anchored on a Pareto principle: a small number of actions produces outsized results. In TPRM, those actions happen before the ink is dry.

At procurement and renewal, you can:

  • Influence vendor selection
  • Require contractual commitments
  • Set security and notification expectations
  • Validate controls before the relationship scales
  • Address insurance terms and risk transfer

After signature? Leverage drops fast.

2) Make the process fast or the business will route around it

Paul emphasized that many teams are fighting an uphill perception problem: “everyone hates TPRM” because it slows things down.

If you want complete coverage, the process must be:

  • Low-friction
  • Automated where possible
  • Tailored by business context
  • Based on evidence, not generic questionnaires

When the workflow is painful, teams will bypass it, especially in high-growth environments or when new executives bring in their “stack” quickly.

3) Automation isn’t a nice-to-have, it’s how you earn the right to do real risk reduction

Both Paul and Matt highlighted a reality: you can’t spend expert time chasing questionnaires if you want to actually reduce risk.

The high-value work is:

  • Remediation planning
  • Security architecture decisions
  • Contingency plans
  • Incident response readiness
  • Aligning security posture to business goals

Automation creates the bandwidth for those activities and helps move TPRM from “point-in-time” to continuous monitoring.

The 4th-party era: systemic risk is the new baseline

The webinar title asked: What happens when your vendor’s vendor has a problem?

Matt reframed it as systemic concentration risk:

  • How many of your critical vendors rely on the same identity provider?
  • Where are your “single points of failure” across the ecosystem?
  • Which providers sit beneath the surface of your stack—even if you don’t contract with them?

His point: you can’t message every vendor about every incident. You need a way to identify where incidents are most likely to matter and where the blast radius will be largest.
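As an added illustration (not code from the webinar, its speakers or VISO TRUST), here is a small Python sketch of the inventory lookup that both the first-hour questions above ("are we impacted, which vendors touch it, do our vendors rely on that vendor") and Matt's concentration-risk questions depend on. The vendor names, tiers, data classes and dependency edges are constructed; in practice the edges come from subprocessor lists, SOC 2 reports and DPAs, and the point is that fourth-party exposure is derived from first-party edges rather than tracked by hand.

```python
from collections import defaultdict, deque

# Constructed inventory with hypothetical vendor names. Each entry lists the
# providers the vendor itself depends on (as disclosed in its subprocessor
# list), the data classes we share with it, and its criticality tier
# (None = a provider we never contracted with directly).
INVENTORY = {
    "payroll-saas":    {"providers": {"cloud-a", "idp-x"}, "data": {"PII", "bank"}, "tier": 1},
    "crm-saas":        {"providers": {"cloud-a", "idp-x", "email-api"}, "data": {"PII"}, "tier": 1},
    "ticketing-saas":  {"providers": {"cloud-b"}, "data": {"internal"}, "tier": 2},
    "whiteboard-tool": {"providers": {"cloud-a"}, "data": {"internal"}, "tier": 3},  # credit-card shadow IT
    "email-api":       {"providers": {"cloud-b", "idp-x"}, "data": set(), "tier": 2},
    # Fourth parties: present only because a vendor above relies on them.
    "cloud-a": {"providers": set(), "data": set(), "tier": None},
    "cloud-b": {"providers": set(), "data": set(), "tier": None},
    "idp-x":   {"providers": set(), "data": set(), "tier": None},
}


def dependents_of(inventory):
    """Reverse the 'depends on' edges: provider -> vendors that rely on it."""
    rev = defaultdict(set)
    for name, rec in inventory.items():
        for provider in rec["providers"]:
            rev[provider].add(name)
    return rev


def blast_radius(inventory, incident_at):
    """Every vendor that transitively relies on incident_at, mapped to the
    shortest hop distance (1 = relies on it directly, 2 = relies on a vendor
    that does, and so on). Breadth-first search over the reversed graph."""
    rev = dependents_of(inventory)
    hops = {}
    seen = {incident_at}
    queue = deque([(incident_at, 0)])
    while queue:
        node, d = queue.popleft()
        for dep in rev.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                hops[dep] = d + 1
                queue.append((dep, d + 1))
    return hops


def first_hour(inventory, incident_at):
    """The answers leadership wants in the first hour, from the inventory alone."""
    if incident_at not in inventory:
        # Not recognising the name is a finding about the inventory,
        # not evidence that exposure is zero.
        return {"known": False}
    affected = blast_radius(inventory, incident_at)
    return {
        "known": True,
        "direct": sorted(v for v, hop in affected.items() if hop == 1),
        "nth_party": sorted(v for v, hop in affected.items() if hop > 1),
        "data_classes": set().union(*(inventory[v]["data"] for v in affected)),
        "tier1": sorted(v for v in affected if inventory[v]["tier"] == 1),
    }


def concentration(inventory, tier=1):
    """Single points of failure: for each node, the tier-N vendors that would be
    in its blast radius, most critical dependents first (ties broken by name)."""
    rows = []
    for node in inventory:
        critical = sorted(v for v in blast_radius(inventory, node)
                          if inventory[v]["tier"] == tier)
        if critical:
            rows.append((node, critical))
    rows.sort(key=lambda r: (-len(r[1]), r[0]))
    return rows


if __name__ == "__main__":
    # A breach at cloud-b reaches crm-saas only through email-api: a
    # fourth-party exposure that a first-party-only inventory would miss.
    print(first_hour(INVENTORY, "cloud-b"))
    # Shared identity provider and shared cloud are the largest blast radii.
    for provider, critical in concentration(INVENTORY):
        print(provider, critical)
```

The incident name not being in the inventory is handled as its own answer rather than "no exposure": that is the "we're looking into it" case, and the fix is in the inventory, not in the query.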

Paul added an important perspective on the evolving "standard of care." Not long ago, it was acceptable to focus only on the top 20 to 100 vendors. But with modern AI capabilities and publicly available evidence, expectations are shifting:

If the information is reasonably accessible, organizations will increasingly be expected to know it.

Not perfectly. But much closer than before.

Third-party risk is becoming a competitive advantage

Corentin kept coming back to a business-first thesis: this isn’t about being the department of “no.” It’s about being the department of “in the know” and enabling the business to move faster with fewer surprises.

The organizations modernizing fastest are doing three things:

  1. Tying TPRM to business outcomes (revenue, speed-to-market, enterprise readiness)
  2. Replacing generic questionnaires with evidence-based assessment (SOC 2, pen tests, policies, artifacts)
  3. Moving from onboarding delays measured in weeks to decisions measured in hours (and monitoring that persists after onboarding)

That shift doesn’t just reduce risk. It changes how the business sees security: from a speed bump to a differentiator, especially when selling into regulated markets.

Breaches won’t get simpler. Supply chains won’t get smaller. And AI is accelerating vendor adoption across every function.

So the question isn’t whether your vendor’s vendor will have a problem.

It’s whether you’ll be able to answer, quickly and confidently:

“Here’s our exposure, here’s our plan, and here’s what the business needs to know next.”