Your Vendors are a Risk, but How Much of a Risk?
Posted by: Gary Brickhouse
Have you ever been to a restaurant and ordered something from the menu, only to be told by the waitress, “I’m sorry but we are out of that item”? Now, stomach rumbling, you have to choose a new item. No matter the outcome of the meal, this experience usually changes our perception of the restaurant we were dining at.
If we were to dig deeper into why our preferred item wasn’t available, we might find that there was a supply chain issue. The restaurant’s vendor that was supposed to provide the beef for your steak didn’t deliver the order on time, or maybe they had a recall on their meat due to contamination. This break in the supply chain was a potential risk that came to fruition. The event has harmed the business and tarnished the restaurant’s reputation with the customers who tried to order that meal, potentially leading to a string of bad Yelp reviews – especially if it were a recurring problem.
This example is a simple one, but you can see when our businesses rely on third parties/vendors to provide our products and services, it comes with associated risks. We need a strategy in place to appropriately identify and assess those risks. If we look at the example with the restaurant above, having information about the vendor, such as their safety standards or recent safety audits, could have enabled us to categorize that vendor as a high risk for business service continuity. Knowing that information would have allowed the business to come up with a contingency plan to mitigate that risk, perhaps by having a secondary meat provider.
Now, a slab of meat and a company’s data don’t hold the same weight when it comes to risk. For instance, staying with the same restaurant, what if we start talking about their Point of Sale (POS) vendor used to process credit card transactions? This vendor likely has access to the register for remote support, typically from a connection outside of the corporate network. Technical issues with the device are certainly a risk, but based on the data involved, it quickly becomes a much more precarious situation. The POS device may hold payment data, so if the vendor were compromised by a bad actor, that data, and potentially your larger corporate network, could be at risk. The question for you is “were you aware of the potential risks to the data and potentially your larger network?”
Just knowing who these vendors are doesn’t mean we fully understand their impact on our business if there is an issue. The problem lies in determining the risk of each vendor across all the muddy in-between areas and establishing a plan to assess those risks at each level in a scalable way.
This plan should include tiering or categorizing your vendors. By tiering your vendors based on their risk and criticality to your organization, you can leverage appropriate risk assessment activities based on the level of inherent risk presented to your company. This allows you to focus your efforts on those higher-risk suppliers that are more in need of your attention, and not waste cycles and budget on non-critical vendors.
Identifying your vendors and putting them into risk categories is only a portion of what should be in your Third-Party Risk Management Program. There is still a need for assessments to define areas of risk and to determine what types of business impacts are associated with them. We have to make sure this risk program is scalable to all of our vendors and not just usable for one or two. So, whether you are starting the process or looking to mature your current one, getting the list of vendors and categorizing them based on their risk and criticality to your business is key to getting started in building out your Third-Party Risk Management Program.
For more information and guidance on vendor risk and help to define a Third-Party Risk Management Program, check out our White Paper: Key Components to Addressing Third-Party Risk.
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach to evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S. government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk.
Contributing Author
Gary Brickhouse, VP, GRC Services & CISO, GuidePoint Security
Gary is responsible for all aspects of GuidePoint’s Governance, Risk, and Compliance services, including building and managing the GRC team; offering and collateral development; pre-sales and sales enablement support; practice methodology; and service delivery.
Gary Brickhouse, CISO, GuidePoint Security
As CISO at GuidePoint Security, Gary Brickhouse leads the company’s information security strategy, risk management, and cybersecurity initiatives. He is responsible for developing and maintaining GuidePoint’s security architecture and controls while ensuring resilience against evolving threats. With deep expertise in both internal operational security programs and client services, Gary brings a unique perspective that bridges customer needs with real-world security challenges.
Gary previously led GuidePoint’s GRC Services consulting practice, where he developed governance, risk, and compliance solutions to help organizations navigate complex security landscapes. Before joining GuidePoint, he was the Security and Compliance Architect at The Walt Disney Company, where he played a key role in a multi-year business transformation initiative, guiding compliance, data privacy, infrastructure security, and emerging technologies such as RFID. Earlier in his career, he served as an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
As a thought leader in cybersecurity, Gary hosts GuidePoint’s webinar, "The Brick House," where he covers timely security trends, industry challenges, and emerging threats. He is a frequent speaker at cybersecurity events and a go-to expert for media commentary on cybersecurity topics.
Gary holds a Bachelor of Science degree from Florida Southern College and maintains the Certified Information Systems Security Professional (CISSP) certification.