
5 practical tips for effectively managing vendor risk

Oct 6, 2025

Round table moderated by Étienne Retout (Galink) with two field experts:

  • Imane Dahou, Manager, Cybersecurity, Data Protection & IT Risk at Sia

  • Gérôme Billios, partner at Wavestone (Cybersecurity & Digital Trust practice)

Objective of this session: to move from the "why" to the "how" and detail five immediately actionable recommendations for managing cyber risk related to third parties.


Recommendation No. 1: Governance, a lever for action and alignment with the Executive Committee

Common mistake: reducing supplier risk to a purely technical subject. It is above all a matter of governance and accountability.

"Supplier risk should no longer be reserved for IT or cybersecurity. It involves the legal and reputational responsibility of the entire company," emphasizes Imane Dahou.

  • Integrate supplier risk into the overall risk framework (at the same level as compliance and business continuity), with reporting that escalates to the risk committee and the executive committee.

  • Establish a culture of shared responsibility: purchasing (selection), legal (contracting), business units (usage and prioritization), IT (operation/supervision), security team (framework and control). A clear RACI matrix avoids gray areas.

  • Speak the language of other functions: adapt to the terminology of purchasing/legal/business, rely on concrete cases and current events to ground the topic.

"Third-party security cannot rest on a single function. Everyone holds a lever to control risk," she reminds.

Recommendation No. 2: Speak the language of the Executive Committee – from cyber to business impact

To secure lasting engagement, cyber risk must be translated into business impacts: unavailability of critical processes, exposure of sensitive data, technological dependencies, regulatory obligations.

"One must be a chameleon, adapting to the vocabulary of others and avoiding reinventing the wheel," recommends Gérôme Billios. "Purchasing already manages supplier risks; it's up to us to integrate the cyber dimension into it."

The image of the chameleon summarizes the approach: do not recreate a separate mechanism, but connect cyber to the supplier risk management already carried by purchasing and management.

Recommendation No. 3: Prioritize, contract, and audit

Supplier bases are often very large, and vendors cannot all be treated alike; they must be differentiated according to their criticality.

"Start small and grow quickly," advises Gérôme Billios. "The 20 to 30 critical suppliers are often intuitively known. Start with them."

  • Map and classify according to criteria shared with purchasing: confidentiality, integrity, availability (CIA), location and jurisdictions, technological dependence, regulatory exposure.

  • Segment into three levels:

    1. Critical (about 20 to 30): dedicated audits, CISO-to-CISO relationships, tests, enhanced supervision.

    2. Significant (hundreds): structured questionnaires, periodic evaluations, analysis platforms.

    3. The rest: standard contractual requirements, proportionate minimum measures, monitoring by exception.

"Delegating does not exempt responsibility. The contract remains the first line of defense," reminds Imane Dahou.

  • Contract to maintain control: provide for reversibility and transfer assistance (formats, guarantees, deadlines), audit and test rights, regulation of cascading subcontracting, and operational requirements (backups, DR/BCP, incident management, notification deadlines, encryption, logging, data location).

  • In the case of "giants" whose terms are non-negotiable: rely on certifications (ISO 27001, SOC 2, etc.) and collective levers (sector bodies, associations, regulators). Anticipate dependence (exit options, multi-cloud) from the design phase.

"We cannot always negotiate with giants, but we can demand guarantees through certifications and regulations," she explains.
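The segmentation and contract checks described under Recommendation No. 3 can be run as a small script over the supplier base. The example below is added here and is not code from Galink, Sia or Wavestone: the scoring weights, the thresholds (12 and 7 out of a maximum of 16), the tier measures and the supplier records are assumptions constructed to illustrate the three-level approach and the "contract as first line of defense" check.

```python
"""Supplier tiering and contract-coverage check (added example, not the page's code).

Criteria follow the talk: CIA impact, location/jurisdiction, technological
dependence and regulatory exposure. Weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Clauses the talk names as the contractual "first line of defense".
REQUIRED_CLAUSES = frozenset({
    "reversibility",           # exit/transfer assistance: formats, guarantees, deadlines
    "audit_rights",            # right to audit and to test
    "subcontracting_control",  # regulation of cascading subcontracting
    "incident_notification",   # incident management and notification deadlines
})

# Measures attached to each of the three tiers described in the text.
TIER_MEASURES = {
    1: ("dedicated audit", "CISO-to-CISO relationship", "technical tests", "enhanced supervision"),
    2: ("structured questionnaire", "periodic evaluation"),
    3: ("standard contractual requirements", "monitoring by exception"),
}

# Score thresholds (assumption). Maximum possible score is 3*4 + 2 + 2 = 16.
CRITICAL_MIN = 12
SIGNIFICANT_MIN = 7


@dataclass(frozen=True)
class Supplier:
    name: str
    confidentiality: int          # 0-3: impact if the data handled is exposed
    integrity: int                # 0-3: impact if data or processing is tampered with
    availability: int             # 0-3: impact if the service becomes unavailable
    dependence: int               # 0-3: how hard the supplier would be to replace
    outside_jurisdiction: bool    # data or processing hosted outside the home jurisdiction
    regulated_scope: bool         # supports a process subject to regulatory obligations
    clauses: frozenset = field(default_factory=frozenset)  # clauses present in the contract


def risk_score(s: Supplier) -> int:
    """Additive score over the shared criteria; jurisdiction and regulation weigh 2 each."""
    for v in (s.confidentiality, s.integrity, s.availability, s.dependence):
        if not 0 <= v <= 3:
            raise ValueError(f"{s.name}: criterion values must be between 0 and 3")
    return (s.confidentiality + s.integrity + s.availability + s.dependence
            + (2 if s.outside_jurisdiction else 0)
            + (2 if s.regulated_scope else 0))


def tier_for(score: int) -> int:
    """1 = critical, 2 = significant, 3 = the rest."""
    if score >= CRITICAL_MIN:
        return 1
    if score >= SIGNIFICANT_MIN:
        return 2
    return 3


def missing_clauses(s: Supplier) -> list:
    """Required clauses absent from the contract, sorted for stable reporting."""
    return sorted(REQUIRED_CLAUSES - s.clauses)


def assess(suppliers) -> list:
    """One row per supplier, highest risk first: tier, measures and contract gaps."""
    rows = []
    for s in suppliers:
        score = risk_score(s)
        tier = tier_for(score)
        rows.append({"name": s.name, "score": score, "tier": tier,
                     "measures": TIER_MEASURES[tier],
                     "missing_clauses": missing_clauses(s)})
    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return rows


def critical_within_target(rows, max_critical: int = 30) -> bool:
    """'Start small': flag when more suppliers land in tier 1 than the team can audit."""
    return sum(1 for r in rows if r["tier"] == 1) <= max_critical


# Constructed sample supplier base (hypothetical names and values).
SAMPLE_SUPPLIERS = [
    Supplier("CloudERP-Hosting", 3, 3, 3, 3, True, True, frozenset({"audit_rights"})),
    Supplier("Payroll-SaaS", 3, 2, 2, 2, False, True, REQUIRED_CLAUSES),
    Supplier("Office-Supplies", 0, 1, 1, 0, False, False, frozenset()),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_SUPPLIERS):
        print(f"{row['name']:<20} score={row['score']:>2} tier={row['tier']} "
              f"missing={row['missing_clauses']}")
    print("tier-1 count within target:", critical_within_target(assess(SAMPLE_SUPPLIERS)))
```

The clause check runs for every tier, not only the critical one, because the contract is the only lever the text describes for the long tail of suppliers; the measures tuple is what changes between tiers.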

Recommendation No. 4: Show rapid and tangible results

To prove usefulness, aim for quick wins on 10 to 20 critical suppliers: audits launched, action plans followed, clauses updated, tests conducted. Link each supplier/contract to business processes and measure risk evolution by process. Take advantage of renewals to inject new security annexes instead of renegotiating everything at once.

"It is essential to show that it serves a purpose," summarizes Gérôme Billios. "The first results create a positive dynamic and facilitate buy-in."

Recommendation No. 5: Tools and AI for scaling up

Automate repetitive tasks (evidence collection, reading and comparing documents, scoring, follow-ups) and use AI to accelerate the analysis of questionnaires and contracts. Key condition: have your own reference framework (clause templates, cyber criteria, supplier/process dictionary). AI delivers its gains mainly in the industrialization phase, with human review for sensitive decisions.

"AI is not magic: without a proper database, it works in a void," warns Gérôme Billios.
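One of the repetitive tasks Recommendation No. 5 proposes to automate is evidence collection and follow-up: knowing, per supplier, which certificates, reports or questionnaires are missing or about to lapse. The example below is added here and is not Galink's or the speakers' code; the evidence catalogue per tier, the validity periods, the warning window and the sample register are assumptions. It is the kind of deterministic reference data ("a proper database") that has to exist before any AI-assisted review is useful.

```python
"""Evidence-freshness follow-up generator (added example, not the page's code).

Given each supplier's tier and the dates on which evidence was last received,
produce the follow-up actions a TPRM analyst would otherwise track by hand.
"""
from datetime import date

# Evidence expected per tier and maximum age in days (assumption).
EVIDENCE_BY_TIER = {
    1: {"iso27001_certificate": 365, "soc2_report": 365,
        "pentest_summary": 365, "bcp_test_report": 365},
    2: {"security_questionnaire": 365, "iso27001_certificate": 365},
    3: {"security_questionnaire": 730},
}

WARN_DAYS = 60  # start chasing the supplier this long before evidence lapses


def evidence_actions(tier: int, received: dict, today: date) -> list:
    """Return (evidence_item, status) pairs needing action, in catalogue order."""
    actions = []
    for item, max_age in EVIDENCE_BY_TIER[tier].items():
        when = received.get(item)
        if when is None:
            actions.append((item, "missing"))
            continue
        age = (today - when).days
        if age > max_age:
            actions.append((item, "expired"))
        elif age > max_age - WARN_DAYS:
            actions.append((item, "expiring"))
    return actions


def build_follow_ups(register: dict, today: date) -> dict:
    """Map supplier name -> actions, only for suppliers that need at least one."""
    result = {}
    for name, (tier, received) in register.items():
        actions = evidence_actions(tier, received, today)
        if actions:
            result[name] = actions
    return result


# Constructed register: name -> (tier, {evidence item: date last received}).
SAMPLE_REGISTER = {
    "CloudERP-Hosting": (1, {
        "iso27001_certificate": date(2025, 1, 15),   # 264 days old: fine
        "soc2_report": date(2024, 8, 1),             # 431 days old: expired
        "bcp_test_report": date(2025, 9, 1),         # recent: fine
        # pentest_summary never received
    }),
    "Payroll-SaaS": (2, {
        "security_questionnaire": date(2024, 11, 20),  # 320 days old: in warning window
        "iso27001_certificate": date(2025, 6, 1),
    }),
    "Office-Supplies": (3, {"security_questionnaire": date(2025, 3, 3)}),
}

if __name__ == "__main__":
    for name, actions in build_follow_ups(SAMPLE_REGISTER, date(2025, 10, 6)).items():
        for item, status in actions:
            print(f"{name:<20} {item:<24} {status}")
```

Running the check on a fixed date rather than `date.today()` keeps the output reproducible in tests and lets the same function be replayed for past reporting periods.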

Practical advice for CISOs to engage their Executive Committee

  • Anchor cyber into the existing governance of supplier risks (no parallel silo).

  • Discuss business impacts and show regular and visible results.

  • Prioritize intelligently: it is better to treat 20 critical suppliers well than to skim over 2,000 contracts.

  • Secure the legal relationship: reversibility, audit, subcontracting, incident management.

  • Prepare for scaling: reference data, automations, then supervised AI.

In brief

Clear governance, business language, prioritization by criticality, robust contracts, rapid results, and appropriate tools: combined, these levers make it possible to manage cyber supplier risk day to day and to engage the organization durably, from the Executive Committee to operational teams.