

























Prajkta Waditwar, senior technology sourcing Manager at Box, focused on AI strategy, vendor ecosystems and procurement innovation.

getty
Cybersecurity spending is approaching $240 billion globally, according to Gartner, yet breach costs are nearing $5 million per incident based on IBM’s latest data. If investment is rising and tooling is improving, the obvious question is: Why aren’t outcomes?
From where I sit, working across technology sourcing and vendor strategy, the issue isn’t effort. It’s that most organizations are still securing a perimeter that no longer exists.
The enterprise boundary has dissolved. What remains is a constantly shifting network of vendors—cloud providers, SaaS platforms, data processors and AI systems embedded directly into how work gets done. IBM reports that supply chain attacks have surged significantly in recent years, reflecting how deeply vendor dependencies now shape enterprise risk.
And yet most security strategies still start inside the organization.
Cybersecurity typically shows up after the fact—after a system is deployed, after a vendor is onboarded, after data is already flowing.
But risk doesn’t start there. It starts much earlier, in decisions that don’t get labeled as security decisions at all. It’s in the moment a team selects a vendor to move faster. It’s in how much access that the vendor is given. It’s in how deeply that tool gets integrated into critical workflows.
I’ve seen this pattern play out repeatedly across organizations—what starts as a controlled vendor decision quietly turns into a critical dependency. A vendor is introduced for a narrow use case—limited scope, controlled access. Over time, it expands. It connects to additional systems, handles more sensitive data and becomes embedded in operations. No single step feels risky. But the accumulation is. By the time anyone pauses to reassess, the organization is no longer choosing that vendor—it’s depending on it.
There’s still a tendency to think of third-party risk as something that can be contained at the boundary. That boundary doesn’t really exist anymore.
Vendors don’t stay external. They become operational. They sit inside workflows, handle core data and often have privileges that mirror internal systems. SecurityScorecard has found that nearly all organizations are connected to third parties that have already experienced a breach. That’s not an outlier—it’s the baseline.
What’s changed is not just the number of vendors but the depth of integration. When something breaks, it doesn’t show up as a vendor issue. It shows up as a business problem (downtime, data exposure, customer impact, etc.). And at that point, the organization has very little leverage to quickly reduce that dependency.
That’s where most teams realize the problem too late.
In practice, I’ve rarely seen these dependencies unwind easily once they reach that level of integration.
One of the most underutilized control points in cybersecurity today is procurement. It’s still treated as a transactional function that's focused on cost and contracts. In reality, it has one of the clearest views into how external dependencies are introduced and expanded across the business.
Procurement sees patterns early—how vendors are being adopted across teams, how contracts are structured and how access evolves over time. When it’s involved early, the conversation changes. It’s no longer just “Does this tool meet requirements?” It becomes “What happens if this becomes critical?” and “How easily can we exit this relationship?”
Those questions tend to surface later, when the answers are far more constrained.
There’s also a structural issue that doesn’t get enough attention: enforceability. Many organizations still report gaps in third-party risk management tied to weak or unclear contractual controls, as highlighted in Deloitte’s research. I’ve seen situations where risks were well understood internally, but the organization lacked the contractual leverage to act decisively.
At that point, awareness isn’t the problem. Control is.
It’s easy to blame speed, especially with how quickly AI tools are being adopted across organizations. But speed isn’t what’s breaking most environments. Lack of structure is.
In organizations with clear guardrails—standard vendor requirements, defined access models and consistent evaluation paths—teams move faster because they don’t have to renegotiate risk every time. Where things break down is when adoption is fast and unstructured. Tools get introduced outside formal processes. Data flows aren’t fully understood. Integrations stack on top of each other.
Most modern exposures stem from misconfigurations and unmanaged assets, many of which are introduced through third-party integrations, according to Palo Alto Networks. AI is accelerating this pattern by making it easier to adopt tools that process and move sensitive data without full visibility up front.
By the time these dependencies are discovered, they’re already embedded. At that point, you’re not governing risk—you’re working around it.
In my experience, this is where most organizations lose visibility—when adoption outpaces structure.
The organizations that are getting ahead of this aren’t necessarily the ones with the most tools or the largest budgets. They’re the ones that have shifted where cybersecurity begins.
They’ve moved the cybersecurity upstream—closer to the decisions that introduce risk in the first place. They’ve aligned vendor adoption with governance, instead of treating them as separate tracks that meet too late.
In my experience, getting closer to those decisions starts with shifting from a reactive review role to an embedded one. Cybersecurity leaders should be involved earlier in vendor selection, architecture discussions and even budget approvals—not just final sign-offs. That means partnering closely with procurement and business teams, setting clear baseline requirements up front and making security part of how decisions are made, not something applied after. The goal isn’t to slow things down but to shape choices while they’re still flexible—when risk can actually be designed out, not just managed later.
Because cybersecurity doesn’t begin with a threat. It begins with a decision. And if your security strategy starts after a vendor is already embedded in your operations, you’re not managing risk—you’re inheriting it.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。