The third-party reality
Your attack surface includes every vendor with access to your data or systems. Some of the largest breaches in recent years started not with the victim's own controls failing, but with a compromised supplier — a payroll provider, a support tool, a CI plugin.
Tier your vendors
Don't treat every SaaS subscription the same. Tier by data sensitivity and access:
- Tier 1: handles customer PII, has production access, or could halt your business.
- Tier 2: internal data, no production access.
- Tier 3: marketing tools, no sensitive data.
Spend your diligence budget on Tier 1. A 50-question security review for a Tier 3 logo-design tool is wasted effort.
What to actually collect
For Tier 1 vendors:
- Their SOC 2 or ISO 27001 report (read it — don't just file it).
- Their breach-notification SLA in the contract.
- The scope of data and access they actually need (enforce least privilege).
- A subprocessor list, so you understand the chain.
Ongoing, not one-time
A vendor secure at onboarding can degrade. Re-review Tier 1 vendors annually, watch for their breach disclosures, and revoke access the day a vendor relationship ends — orphaned vendor credentials are a classic backdoor.
You can outsource the work, but you can't outsource the risk.