The age of promises is over, vendors must now lead with evidence-based assurances

Sam Kirkman, Director of Services, EMEA at NetSPI, on why organisations need proof, not promise, when it comes to third-party security.

Thursday, 12th March 2026, by Phil Alsop

The traditional vendor–customer security relationship has long relied on contractual obligations and irregular audits. Yet in a cyber landscape defined by persistent threats and AI-accelerated attacks, these old assurances are no longer fit for purpose. Trust in a vendor's cybersecurity must be continuously validated, not periodically declared. As attacks become more complex and interconnected digital systems expand, organisations are discovering that vendor risk is their risk, and no chances can be taken.

From empty trust to proven strength

What once worked for security vendors, trust-based compliance, has now become the bare minimum, as well as an outdated approach for modern cyber strategy and data protection. Contracts and written assurances do little to protect organisations in practice, and too often, customers are left with limited insight into the real security posture of their vendors.

In the past few years, we have seen documentation, questionnaires and copious amounts of certifications come to overshadow demonstrable robustness. The emphasis has shifted towards ticking boxes, rather than proving strength.

Instead, we need to move from telling to showing; proof over promise.

An evidence-based model of security requires that vendors actively demonstrate that their security approach is measurably robust and effective. Compliance does not equal resilience in today's threat landscape; instead, only a consistent and proactive approach will do.

An inherent lack of structural visibility

Of course, most vendors are not deliberately hiding vulnerabilities from customers. The issues are latency and visibility. Point-in-time assessments quickly become outdated and lose relevance as systems shift, technology advances and new code is deployed. Without a consistent approach to vulnerability management, a vendor deemed secure at the point of certification or contract signing can carry material risks just weeks later.

Developing comprehensive visibility of vulnerabilities across an organisation is often challenging. Unfortunately, some vendors choose a path of wilful ignorance and blind optimism. This approach saves money for the vendor, at the expense of increasing the risk you take on as a customer.

Even when new vulnerabilities are found, customers often have little to no visibility. An ad hoc approach to third-party security has created a form of structural blindness where risk exists but remains unseen.

To address this, vendors must move towards continuously signalling operational and cyber resilience, rather than relying on static assurances.

Demonstrating in practice: penetration testing

In practical terms, this means one thing: continuous penetration testing.

For vendors performing infrequent or ad hoc tests, security teams struggle to keep up with the rapidly evolving landscape, leaving vulnerabilities unidentified and customers exposed.

By simulating real attacker behaviour, vendors not only demonstrate their commitment to a strong security framework to customers, but also actively improve their vulnerability management and reduce the very risk of a data breach in the first place. Customers are assured with evidence; vendors' security teams can sleep easy knowing that their weaknesses have been addressed.

For organisations managing dozens, or hundreds, of third-party relationships, this level of visibility is critical to understanding where real risk resides and improving customer relationships.

Calling all CISOs

Supply chains have become prime targets for hostile actors, where data breaches lead to a domino effect of disruption across suppliers, warehouses and manufacturers. For instance, the devastating Jaguar Land Rover attack in September 2025 contributed to reducing real growth across the wider economy of the UK to just 0.1%.

It is critical that vendors begin to demonstrate, through evidence, that they are secure. CISOs are uniquely positioned to raise the bar and lead the charge in demanding that third-party security teams prove their robust cyber management.

To be clear, this is about a greater alignment between vendor and customer, not about punishing the vendors whose security might not be as strong as was hoped. Providing proof over promise represents a fundamental shift in the cybersecurity approach of CISOs, third parties and customer organisations alike.

Where CISOs are leading the charge, companies across all sectors can build up their resilience.

Proof over promise

This is a chance for CISOs to raise the bar for vendors and lead the charge in demanding stronger proof of resilience and robust frameworks. Vendor security claims should be backed by measurable, ongoing validation, rather than ad hoc, periodic audits or unchecked promises.

With AI becoming weaponised, organisations need dynamic defence strategies. Continuous pentesting, filling in regulatory gaps and open, honest and structured communication between vendors and customers are essential to shifting from reactive defence to proactive resilience.

In modern cybersecurity, confidence is not a statement, but a sustained demonstration.
