Increased reliance on IT service providers, digital tools, and third-party software is greatly expanding the enterprise attack surface, with noteworthy cyberattacks over the past year underscoring this fact. 

In October 2025, Marks & Spencer terminated its longtime helpdesk deal with outsourcing giant Tata Consultancy Services following a cyberattack that cost the British retailer an estimated £300 million and temporarily shut down its online business.

In August, a Chinese threat group leveraged compromised OAuth tokens from third-party platform Salesloft Drift to exfiltrate sensitive business data — AWS keys, Snowflake tokens, passwords — from as many as 700 organizations. This came on the heels of a wave of attacks in which cybercriminal gang ShinyHunters pretended to be IT support personnel to trick users into connecting to malicious versions of Salesforce’s Data Loader, which was then used to exfiltrate data from Salesforce environments. All told, 1.5 billion Salesforce records were claimed to have been stolen.

And, back in April, the exploitation of a critical zero-day vulnerability in SAP NetWeaver, one of the most widespread incidents involving an ERP platform, illustrated that enterprise software has become a prime target for attackers because compromising it directly impacts the revenue, operations, and reputation of an organization.

“Adversaries continue to exploit the path of least resistance, increasingly targeting third-party providers and human vulnerabilities to bypass technical controls,” says Casey Corcoran, field CISO at Stratascale, the cybersecurity division of SHI International. “By compromising trusted vendors, attackers can move undetected for longer periods, exploiting established access points across multiple organizations.”

Because these are newer avenues for attack, companies have been caught on their heels. “We don’t have enough preparation or defensive tools to rapidly detect and defend against these attacks, leading to a significant level of risk for lots of companies,” says Joshua Wright, faculty fellow of the SANS Institute and technical director at Cyber Hack Challenges.

John Alford, CSO at TeraType, an adviser to pharmaceutical, financial, and SaaS firms on cybersecurity, compliance, audit and AI governance, says legacy mindsets are also to blame.

“Many organizations still defend their environments as if threats march up to the front gate when in reality the most effective attackers slip in through the service corridors that nobody monitors,” Alford says. “The Marks & Spencer situation proved this: A help desk workflow became a quiet passage into production because it relied on trust by default.” There appeared to be no strong caller verification processes, no step-up checks, and no guardrails on what support staff could change, he adds.

The Salesforce ecosystem breaches demonstrate another common blind spot: Once attackers capture a token or exploit a permissive integration, they gain the full authority of a trusted insider. “Companies that rely on perimeter controls and MFA alone never see this risk because they are not watching the right places,” Alford says.

The CSO’s role in vetting IT vendors

Cyber obligations are already written into IT services and SaaS contracts, but “there are limits to what companies can do,” says Stephen Lilley, partner at law firm Mayer Brown. “Companies are unlikely to be able to impose cyber requirements that go beyond what is commonly seen in the relevant market. And even sophisticated companies still experience cyber incidents — meaning that IT providers, like their customers, are unable to entirely eliminate the risk from these attacks.”

Although risk eradication is not possible, better mitigation is. Here, CSOs can play a crucial role.

“CSOs are uniquely able to see across the full business process — data flows, dependencies, and downstream impact — but many organizations still don’t use that perspective to reassess third-party risk as reliance grows,” says Randy Gross, CISO for CompTIA. “Cross-functional collaboration is a core CSO imperative: partnering early with procurement, legal, IT, and business leaders so security, resilience, and exit risk are designed in, not bolted on.”

When engagements are initiated at the business-unit level or come in below financial approval thresholds, CSOs may not even be aware of them.

“In many organizations, security leaders are brought in only after a contract is executed or — worse — after a security issue arises,” says Melissa Ventrone, leader of law firm Clark Hill’s cybersecurity, data protection, and privacy practice. “They should be involved … [and] their involvement does not need to slow the contracting process.”

In fact, CSOs can act as a “pragmatic technology advisor” says CompTIA’s Gross, seeking critical information they are uniquely qualified to assess.

Vital vendor questions CISOs should ask

To gain that critical information, security leaders and experts recommend CSOs ask IT partners the following cyber-specific questions.

1. What attestation will you provide to prove proper security controls are in place?

These are essential, says Juan Pablo Perez-Etchegoyen, CTO for cybersecurity and compliance platform Onapsis. Some of the most commonly used include:

  • SOC 2 Type II Report: considered the gold standard audit for IT and cloud service providers
  • ISO/IEC 27001 certification: an international standard for information security
  • Cloud Security Alliance STAR: a registry specific to cloud providers that combines ISO 27001 with a controls matrix for cloud-related risks
  • Industry-specific attestations: for example, HIPAA/HITRUST for handling healthcare data, or PCI DSS for storing or processing credit card data

2. How do you maintain and update cybersecurity controls over time, and how will we be notified of material changes?

Would-be clients should have IT partners complete a detailed due diligence questionnaire and contractually obligate them to notify the company of any material changes that would require updates to their responses, advises Clark Hill’s Ventrone.

“At a minimum, IT vendors should be prohibited from changing security controls that would decrease the security, protection, or resiliency of its systems and company data,” she says.

3. Who on your team is capable of altering our identity posture, and what prevents a socially engineered request from triggering that action?

CSOs can begin with general access inquiries: what access the provider’s team has to customer systems and data, and how that access is segmented and secured, Stratascale’s Corcoran says. Access should be limited by role, with least privilege enforced and multifactor authentication, single sign-on, and network segmentation in place.

Look for “logged, monitored, and immediately revocable access — ideally aligned with access control best practices from the NIST RMF function, which emphasizes least privilege and separation of duties,” Corcoran says.

Then CSOs can get specific. “Many clients focus on firewalls, endpoint agents, and MFA while overlooking the trust pathways that attackers prefer to use,” Alford says. Help desk workflows, OAuth integrations, supplier support portals, and automation connectors typically get less scrutiny even though they can alter identity states or extract large volumes of data with a single action.

CSOs should look for strictly defined role scopes, multi-step verification, step-up authentication, and approval chains for credential resets. “Anything short of that signals a blind spot that no amount of technical hardening will cover,” says Alford.

4. How can we verify the workflows you use when onboarding, offboarding, or resetting access, and can you show evidence of how these workflows performed last quarter?

Many companies underestimate how much operational trust they blindly hand over to providers. IT partners should offer workflow maps, execution logs, and testing records, not just policy documents.

“The most significant gaps appear in the places people assume are safe. I have seen mature organizations with strong 27001 programs, disciplined PCI controls, and well-run internal security teams fall to issues that lived entirely inside vendor workflows,” Alford notes. “Help desk resets, poorly scoped automation tokens, and inherited admin rights all surfaced in post-incident reviews as quiet pathways that no one had modeled.”

Risk assessments should focus not just on servers and networks but identity workflows and human-operated processes as well. “When you widen the lens, you often discover controls that look strong on paper but behave differently in practice,” Alford says.

5. What independent testing do you conduct, and how often is it performed?

IT partners should have a third party run security tests and assessments, and provide copies or executive summaries of these vulnerability scans, penetration tests, and other audits at least annually and whenever there are material changes to their network, infrastructure, or security controls, Clark Hill’s Ventrone says.

ThreatLocker CEO Danny Jenkins stresses frequency: “Threats are always evolving, so a once-a-year audit is not sufficient. All systems should be undergoing regular penetration testing and improvement.” 

6. Can you list every OAuth integration and privileged API relationship in your service and explain how each is scoped, rotated, monitored, and revoked?

“OAuth integrations are often treated as harmless conveniences rather than high-privilege conduits,” Alford explains. “In reality, they function like a network of forgotten tunnels. They bypass the front gate entirely and connect systems deep inside the environment.”

Companies should ask service partners to provide a token inventory, minimal scopes, finite lifetimes, and behavioral monitoring. Broad or permanent tokens are red flags, signaling elevated risk.
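As an added illustration of the review the paragraph describes (not code from the article or from any vendor named in it), the following script checks a constructed OAuth/API token inventory for the stated red flags: broad scopes, tokens that never expire or live far longer than policy allows, and tokens that have gone unused. The scope list, rotation window and staleness threshold are assumed policy values.

```python
"""Review a third-party OAuth/API token inventory for broad scopes, missing or
excessive lifetimes, and unused tokens. Thresholds are assumed policy values;
the inventory below is constructed for the example."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_LIFETIME = timedelta(days=90)   # assumed policy: rotate at least quarterly
STALE_AFTER = timedelta(days=30)    # assumed policy: revoke tokens unused for a month
# Scopes treated as "broad" for this example (assumed list; adapt to the provider)
BROAD_SCOPES = {"*", "full_access", "api", "admin"}

# Constructed inventory, not from any real vendor.
INVENTORY = [
    {"id": "tok-crm-sync", "owner": "vendor-a", "scopes": ["crm.read"],
     "issued": NOW - timedelta(days=10), "expires": NOW + timedelta(days=50),
     "last_used": NOW - timedelta(days=1)},
    {"id": "tok-legacy-etl", "owner": "vendor-b", "scopes": ["full_access"],
     "issued": NOW - timedelta(days=400), "expires": None,
     "last_used": NOW - timedelta(days=2)},
    {"id": "tok-forgotten", "owner": "vendor-c", "scopes": ["files.read"],
     "issued": NOW - timedelta(days=120), "expires": NOW + timedelta(days=245),
     "last_used": NOW - timedelta(days=95)},
]

def review_token(tok, now=NOW):
    """Return the list of red flags for one token (an empty list means acceptable)."""
    flags = []
    if any(s in BROAD_SCOPES or s.endswith(":*") for s in tok["scopes"]):
        flags.append("broad-scope")
    if tok["expires"] is None:
        flags.append("no-expiry")            # permanent token
    elif tok["expires"] - tok["issued"] > MAX_LIFETIME:
        flags.append("lifetime-exceeds-policy")
    if tok["last_used"] is None or now - tok["last_used"] > STALE_AFTER:
        flags.append("stale")                # unused access that should be revoked
    return flags

def review_inventory(inventory, now=NOW):
    """Map token id -> flags, keeping only tokens that need action."""
    return {t["id"]: f for t in inventory if (f := review_token(t, now))}

if __name__ == "__main__":
    for tid, flags in review_inventory(INVENTORY).items():
        print(f"{tid}: {', '.join(flags)}")
```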

7. If an attacker abused one of your processes without breaching your systems, what are your contractual and operational commitments?

“These agreements often hand providers the practical ability to alter identity states, access sensitive data, or operate parts of the production environment. That level of delegated trust deserves the same scrutiny as hiring a senior operations leader,” says Alford. “When providers can reset passwords or manage OAuth integrations, the contract becomes a control document. It defines how risk will be shared and what evidence the client can demand.”

Without CSO involvement, contractual clauses are usually weak. “They focus on uptime rather than security, and they rarely require the provider to support strong authentication, tamper-evident logging, or event-level transparency,” Alford adds. Clients should insist on obligations tied to process compromise, not just system compromise.

8. What controls govern your staff’s activity in our environment, and how would we detect if a privileged session deviated from expected behavior?

“Modern attacks flow through trust relationships and soft operational processes,” Alford points out. “They exploit the places where no one expects danger — like help desks.”

As a result, controls on vendor staff behavior and detection of deviations are critical. Companies should insist on session recording, real-time alerts, and segregation of duties, Alford advises.

“Rapid detection and revoking access can make all the difference in an incident,” Onapsis’ Perez-Etchegoyen adds. Continuous application-level monitoring, clear incident response procedures, and the ability to immediately disable users or integrations are key.
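Questions 3 and 8 both turn on whether a vendor's privileged support activity can be checked against what the role is supposed to do. The following added example (not the article's or any vendor's code) runs that check over constructed session records: it flags actions outside an assumed help desk role scope, changes to privileged accounts made without an approval reference, and sessions whose reset volume looks like a mass reset rather than support work. Role scopes, the privileged-account list and the reset threshold are assumptions.

```python
"""Flag privileged vendor-support sessions whose actions deviate from the role's
expected behavior. Role scopes, thresholds and the record layout are assumptions
for this example; the session records are constructed."""
from collections import Counter

# Assumed: what a help desk vendor role may do, and which accounts are privileged
# (changes to these need an approval chain, not just a ticket).
ROLE_ALLOWED = {"helpdesk": {"password.reset", "account.unlock", "ticket.note"}}
PRIVILEGED_ACCOUNTS = {"admin-ops", "svc-deploy", "ciso"}
MAX_RESETS_PER_SESSION = 5   # assumed: more than this in one session is a mass reset

# Constructed records: (session_id, vendor_role, action, target_account, approval_ref)
EVENTS = [
    ("s1", "helpdesk", "password.reset", "jdoe", None),
    ("s1", "helpdesk", "ticket.note", "jdoe", None),
    ("s2", "helpdesk", "password.reset", "admin-ops", None),   # privileged target, no approval
    ("s2", "helpdesk", "mfa.disable", "admin-ops", None),      # action outside role scope
    ("s3", "helpdesk", "password.reset", "u1", None),
    ("s3", "helpdesk", "password.reset", "u2", None),
    ("s3", "helpdesk", "password.reset", "u3", None),
    ("s3", "helpdesk", "password.reset", "u4", None),
    ("s3", "helpdesk", "password.reset", "u5", None),
    ("s3", "helpdesk", "password.reset", "u6", None),
    ("s4", "helpdesk", "password.reset", "svc-deploy", "CHG-0042"),  # privileged, approved
]

def find_deviations(events):
    """Return {session_id: sorted deviation reasons} for sessions that need review."""
    reasons = {}
    resets = Counter()
    for sid, role, action, target, approval in events:
        flagged = reasons.setdefault(sid, set())
        if action not in ROLE_ALLOWED.get(role, set()):
            flagged.add(f"out-of-scope:{action}")
        if target in PRIVILEGED_ACCOUNTS and approval is None:
            flagged.add(f"privileged-change-without-approval:{target}")
        if action == "password.reset":
            resets[sid] += 1
    for sid, n in resets.items():
        if n > MAX_RESETS_PER_SESSION:
            reasons[sid].add(f"mass-reset:{n}")
    return {sid: sorted(r) for sid, r in reasons.items() if r}

if __name__ == "__main__":
    for sid, why in find_deviations(EVENTS).items():
        print(sid, "->", "; ".join(why))
```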

9. How will you isolate our assets and data from other customers — including identity separation, automation boundaries, and admin segregation?

CSOs should seek architectural clarity and concrete mechanisms that limit blast radius, says Alford. They should also ask how the IT partner manages the cybersecurity risks posed by their value chains of vendors and subcontractors.

“IT partners should have a robust vendor management program and conduct appropriate due diligence on their own service providers,” advises Ventrone.

10. How quickly will you notify us of a security incident that impacts our data or systems?

“The biggest gains come from simple steps,” says CompTIA’s Gross, including gaining clarity on how incidents are disclosed and outages are handled.

CSOs should look for guaranteed notification within 24 to 72 hours, a tested incident response plan, and clearly defined breach reporting timelines and responsibilities written into the contract, says Stratascale’s Corcoran.

When an incident occurs, “IT partners should provide customers with sufficient information to perform their own threat analysis,” Alford says. “If an IT partner doesn’t provide the insight needed to identify attacks against their customers, then customer organizations can only rely on the detection and reporting capabilities of the hosting provider.”

11. How do you identify, prioritize, and remediate vulnerabilities?

A review of an IT partner’s patching policies and remediation timelines should never be overlooked, as many cyberattacks exploit known vulnerabilities. “Slow patch cycles lead to supply chain disruptions, business operational issues, and even bankruptcy in some cases,” says Perez-Etchegoyen, who emphasizes SLAs related to critical patches and proof that fixes are validated.

Ventrone gives the example of a company that outsourced firewall management to a vendor. After a vulnerability in the firewall was exploited, the vendor ended up restoring the vulnerable version, resulting in a second compromise. In another example, a client found out that its IT partner, which had experienced a ransomware attack through its VPN, patched just once a month.

“I literally could not believe this was considered sufficient,” Ventrone says.

12. Do you carry enough cyber insurance to cover the impact to all your customers?

“We’re going to see a lot more attacks against SaaS providers,” says SANS Institute’s Wright. “Attackers have lots of motive here since the access obtained when a SaaS provider is compromised is significant, with lots of subsequent opportunity for ransomware, extortion, and direct harassment attacks against customers.”

Ventrone says clients should confirm their provider’s policy covers not only themselves but the full impact of a multi-customer incident.

13. Can we test your processes?

Attestations regarding cybersecurity testing and monitoring — such as regular penetration testing, 24/7/365 security monitoring, threat hunting — are essential, Wright says.

But Alford recommends going a step further. “Lots of firms do questionnaire-based reviews that confirm policies exist but rarely test how provider processes work in practice. They assume a support vendor has strong verification steps. They assume an integration partner follows least privilege. They assume a SaaS platform has adequate logging for delegated access,” says Alford, warning against presumptions.

“Verification through evidence, realistic scenarios, and process testing changes everything,” he says. “It exposes where risk actually lives and gives you the ability to design controls that match how attackers think rather than how documentation reads.”

Ongoing diligence necessary

“Recent incidents underscore that many organizations are not adequately managing third-party risk over the full lifecycle of their IT provider relationships,” notes Clark Hill’s Ventrone, adding that too often due diligence is treated as a one-time exercise, with insufficient ongoing oversight to ensure that security controls and procedures remain appropriate as systems evolve.

Stratascale’s Corcoran also notes that cyber due diligence often falls through the cracks. “Many client organizations still fall short in managing third-party risk because it’s often treated as a collateral duty, split between procurement and general risk functions rather than a dedicated, optimized process,” he says. “As a result, business stakeholders remain unsatisfied and critical risks go unmitigated, even as attackers increasingly exploit weaker links in the supply chain.”

Increasingly, cybercriminals see partners in the IT ecosystem as those weaker links.
