In 1965, Ralph Nader's groundbreaking book Unsafe at Any Speed exposed how car manufacturers prioritised style, performance and profit over the safety of drivers and passengers. His narrative spurred public outrage and catalysed sweeping changes, including the widespread adoption of seatbelts and other safety innovations. As the former CISA director Jen Easterly noted earlier this year, today we find ourselves at a similar inflection point in the software development domain.
With speed and product features prioritised, secure software development is often treated as an afterthought. Cyber threats are becoming more sophisticated, and if organisations do not demand early introduction and better integration of security measures from their software suppliers, the consequences will be far-reaching.
Third-party suppliers are your first-party risk
Organisations today increasingly rely on software as a service (SaaS), embedding it deep in their operations. Although these solutions offer scalability and efficiency, they also introduce significant risk. Moreover, we now live in an era dominated by artificial intelligence (AI), where traditional security boundaries are being circumvented. Given the vast amount of data exchanged between systems and the numerous actors involved in the supply chain, the impact of a cyber incident related to software development flaws is now greater than ever.
The scale and complexity of data requiring protection has skyrocketed, as AI now generates, aggregates and shares vast amounts of data across organisations and third parties.
The 2024 Data Breach Investigations Report from Verizon reveals that 15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructure, or data custodians. This number has been rising year over year, and it highlights the urgent need for organisations to rethink their approach to third-party risk management.
One of the biggest mistakes companies make in vendor assessments is focusing solely on vendor security compliance rather than product security. Many organisations send out lengthy questionnaires to vendors about their information security management system (ISMS) but fail to scrutinise their application and product security. Certifications and compliance attestations, such as ISO 27001, SOC 2, PCI DSS and GDPR, are often viewed as security benchmarks, but they do not necessarily guarantee secure development practices.
Some vendors may hold these certifications; however, certain products in their portfolio may fall outside the scope of these security standards and frameworks. If overlooked, this blind spot can lead to significant security risk. An organisation may assume a certified vendor has robust security measures in place, only to later discover that the specific product it is using lacks fundamental security controls.
Demand Better from Your Suppliers
To resist supply chain attacks and mitigate the associated risks, organisations must push their suppliers to prioritise secure software development. This means requiring vendors to demonstrate not just security compliance but also clear attention and commitment to secure development practices. Here are some key initiatives organisations should implement to build an effective third-party assessment programme:
- Expand traditional vendor security assessments: Go beyond basic cyber security questions and challenge vendors on their application and product security measures. Tailor the programme to the specific requirements and dynamics of your organisation, and consider incorporating questions related to emerging technologies such as AI.
- Ensure secure software development lifecycle (SDLC) practices: Require vendors to provide evidence that security is incorporated at every phase of development, from design to deployment.
- Shift third-party risk management from domain to control: Third-party risk management is ultimately about managing business risks, not just security risks. At its core, it is a data problem. Therefore, organisations should involve data owners and relevant stakeholders in the process and educate them about the associated risks in clear business terms.
- Demand transparency: Get visibility into the security controls applied to software products, rather than relying solely on compliance certificates.
- Conduct continuous third-party risk assessment: Continuously monitor third-party vendors, as security risks evolve over time.
- Adopt a zero-trust mindset: Assume that every third-party connection will be a potential risk, and enforce strict access controls where possible.
The digital landscape of 2025 requires a fundamental shift in how we approach software security. Just as seatbelts and safety standards revolutionised the automobile industry, robust security practices must become the norm in software development.
Organisations must recognise that third-party risk is their own risk. It is no longer sufficient to rely on vendor assurances or compliance checkboxes. Instead, businesses must take a proactive stance by demanding transparency, enforcing rigorous security standards, and ensuring that secure development is a priority from the ground up. If we fail to push suppliers to develop securely, the consequences will be far-reaching, impacting not just individual companies but the entire digital ecosystem.
Ejona Preçi is an ISACA member and volunteer, and a longstanding cyber leader. She works as global CISO at Lindal Group, a Hamburg-based manufacturer of packaging products, and is also president of Women in CyberSecurity (WiCyS) Germany. Ejona is committed to security, and hopes to shape a future where artificial intelligence (AI) and cyber security solutions prioritise fairness, accountability and societal wellbeing, bridging the gap between innovation and ethics. This is her first contribution to the Computer Weekly Security Think Tank.