
The Difference Between Vendor Security and Vendor Exposure

By Roni Saban

About the Company

Well Health

WELL aims to positively impact health outcomes by leveraging technology to empower and support patients and doctors.

  • Headquarters:
    Vancouver, Canada
  • Company Size:
    Enterprise
  • Industry:
    Healthcare

Iain Paterson has a test he runs on every TPRM vendor that calls him.

"Show me your report on Progress Software from May 2023."

Progress makes MOVEit, a file transfer platform. One month after that date, MOVEit was at the center of one of the largest data breaches in history: thousands of organizations were compromised through software their own vendors were using to move sensitive data.

The score every tool gave Progress before the breach? An A++.

"The real risk wasn't how secure Progress is. It was how you're using this technology." Organizations were routing finance data, HR records, and corporate secrets through MOVEit. Scan-based tools couldn't see any of that. They scan the outside of a website and produce a number.

No vendor he's tested has ever given him a satisfying answer. The reason, he says, is that they're all asking the wrong question.

"There's a difference between analyzing the security of a third party and analyzing your exposure to a third party."

That distinction is the whole problem with how TPRM has been built.


When Lema analyzed one of Well Health's existing vendors (a tool routinely used to transform documents containing billing data), it surfaced something no external scan would catch: the vendor, which appeared to be headquartered in Miami, had almost all of its employees located in Russia, previously reported software vulnerabilities, and involvement in publicized litigation. The company looked fine from the outside.

Q: When Lema surfaced that finding, what did you do?

"We took immediate action with the business unit that was using the software to understand the purpose of the solution and the exposure we had. We determined that we had not experienced a privacy breach as a result of the limited data types, but we had not agreed to our data being accessible to employees in sanctioned geographies. We worked with the business to find an alternate vendor that could guarantee data residency in Canada."


Q: What has the impact been since deploying Lema?

"Since we deployed Lema, we have worked through a massive backlog of vendors, onboarding over 150 into the program through automation. We have re-focused our TPRM on the areas of risk that are most specifically concerning to us as a healthcare business operating where we do. We don't spend time chasing perceived risks that don't impact us specifically."

  • Median assessment time reduced from 64 days to 11.6
  • Controls adoption increased from 73% to 99%

For Paterson, this is exactly the point. Most TPRM programs are built around the wrong question. They ask how secure a vendor is. They should be asking how exposed you are to that vendor. What data flows through it. How deeply it's embedded. What happens if it fails or is compromised.

"Most TPRM tools are just random number generators. They make assumptions based on superficial scans that don't reflect real-world exposure. Lema is the first platform we've seen that provides a holistic, multi-dimensional view of our actual third-party risk and gives us the actionable intelligence to mitigate it."

About the Author
Roni Saban
VP Marketing
Roni leads marketing at Lema AI, the agentic TPRM platform replacing checkbox compliance with real Risk Engineering. She's building the category from the ground up, making the case that third-party risk shouldn't be a questionnaire exercise, but an active, evidence-backed discipline that surfaces the risks checklists never will.