Vendors Weighted, Some Found Wanting - Lessons Learned from Checking 3000 Vendors for 200 Companies
21 Oct 2025
Level 3, Room GW6 | Sands Expo and Convention Centre
Concepts of Trust and the Spillover of General Ecosystem Dynamics into Cyber Specific Supply Chains
We trust our vendors, and on paper, they all take cybersecurity seriously. But the real world tells a different story.
How different? I learned it when facilitating a campaign to improve the resilience of Finnish society for the National Cyber Security Center Finland. In the campaign we 1) helped companies to identify their supply chain, 2) checked the vendors for potential security lapses, 3) reported the issues and 4) helped with fixes. Finally we rated the vendors based on their response. I am glad to be able to share anecdotes and statistics about this endeavor. I’ll tell you what are vendors’ different stereotypical behaviours when they learn they have vulnerabilities. I’ll give examples from their heroic efforts to tackle the vulnerabilities to bizarre justifications on why they can be ignored. Finally, I'll give tips on how you can be the best vendor for your customers, or how to push your own supply chain to step up and protect you instead of making you more vulnerable.
How different? I learned it when facilitating a campaign to improve the resilience of Finnish society for the National Cyber Security Center Finland. In the campaign we 1) helped companies to identify their supply chain, 2) checked the vendors for potential security lapses, 3) reported the issues and 4) helped with fixes. Finally we rated the vendors based on their response. I am glad to be able to share anecdotes and statistics about this endeavor. I’ll tell you what are vendors’ different stereotypical behaviours when they learn they have vulnerabilities. I’ll give examples from their heroic efforts to tackle the vulnerabilities to bizarre justifications on why they can be ignored. Finally, I'll give tips on how you can be the best vendor for your customers, or how to push your own supply chain to step up and protect you instead of making you more vulnerable.
