Monitoring and Mitigating Supplier Risk in the Digital Supply Chain

Today, corporate security is tied to a complex network of systems and relationships. Every organization depends on an extended ecosystem of suppliers, partners, and applications that take part in its most critical processes: logistics, cloud services, industrial systems, payment tools, and data management. This interdependence has multiplied efficiency but has also significantly expanded every company’s attack surface. Risk no longer lies solely within internal systems, but above all in integrations with the outside world, which are often not properly monitored or accurately tracked.

For security leaders, the problem has become structural.

During the supplier onboarding process, security is often treated as a formal requirement rather than as a risk-based evaluation, and subsequent checks are reduced to occasional verifications.
Meanwhile, suppliers’ systems and tools evolve, subcontractors change, and dependencies multiply exponentially, creating a complex network of connections that is extremely difficult to trace.

In many organizations, the security team either does not possess or is unable to process an updated inventory of who actually accesses infrastructures or exchanges data with the organization.
This information gap has now become one of the main vectors of vulnerability.

The digital supply chain and the new compliance constraint

Regulatory evolution has confirmed what practice had already demonstrated: security is not an isolated attribute.
The NIS2 Directive introduced a clear and previously underestimated principle: the responsibility for security extends to relevant suppliers and partners.
Organizations are now required to demonstrate that they have assessed the security posture of their third parties and that they have continuous monitoring processes in place. NIS2 extends the concept of adequate technical and organizational measures to the entire value chain. This means that a vulnerable critical supplier can determine the non-compliance of the entire production chain.

For CISOs, this represents a change in perspective that moves supplier management from a marginal activity into the heart of risk governance. It is necessary to integrate third-party control into procurement processes, define security clauses in contracts, and maintain updated evidence and reports. This transition requires tools and methods capable of transforming compliance into a real control practice — not a static archive of documents.

Lessons from Jaguar Land Rover and the airport sector

In 2025, Jaguar Land Rover was forced to suspend production following a ransomware attack on one of its logistics suppliers.
The component supply chain was interrupted, and within a few days, an external incident compromised the continuity of a complex industrial system.
In that episode, it wasn’t technology that failed, but visibility: the partner’s risk had not been measured, and interdependencies between processes were not modelled with sufficient detail.

A few weeks later, a cyberattack on the central systems of several European airports — including Heathrow, Brussels, and Berlin Brandenburg — paralyzed check-in and boarding services.
Once again, the attack was due to the vulnerability of an external supplier integrated into airport processes.
The impact was immediate: thousands of passengers stranded, extraordinary costs for airlines, and major reputational damage to the entire airport sector.

Both cases reveal the same weakness: a highly interconnected ecosystem in which reduced visibility over suppliers translates into systemic vulnerability.

The Third-Party Risk Management model

Third-Party Risk Management (TPRM) was born as an operational response to this complexity.
A mature third-party management model does not simply catalog suppliers but analyzes their role in the production process and their exposure level.

The goal is to create a consistent representation of the dependency ecosystem: who accesses what, from where, and with what level of control.
The most advanced organizations adopt continuous assessment approaches, integrating threat intelligence, audit results, and operational performance data.
A supplier is no longer “compliant or non-compliant”: it is measured in terms of residual risk and potential impact.

This requires close collaboration among security, procurement, and legal functions — but above all, a reliable data foundation.
Here, technology becomes an enabler, not a substitute for human judgment.

From control to data: toward an integrated and predictive vision

Navigating a digital ecosystem without an updated data foundation means moving blindly.
Even with the best route, it only takes a small deviation to lose direction.

Relationships with suppliers, communication flows between systems, and dependencies on external services change so frequently that any static snapshot of risk quickly becomes obsolete.
For this reason, monitoring must be continuous, fueled by real-time data describing how the organization’s digital ecosystem evolves.

A data-driven approach allows a dynamic representation of the network of connections linking infrastructures, processes, and partners. The goal is to depict risk dynamically, through a map highlighting concentration areas, propagation paths, and operational impacts — going beyond the static nature of traditional inventories.

The next step is building a digital twin of the supply chain: a model that replicates real flows and simulates the propagation of a cyber event or service disruption.
This “digital twin” enables CISOs to evaluate the domino effect of an incident on critical suppliers, calculate recovery times, and set mitigation priorities based on concrete data.
It’s a profound shift that transforms security from a set of controls into a tool for prediction and governance.
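To make the digital-twin idea concrete, and to show what "who accesses what, from where, and with what level of control" looks like once it is held as data rather than as a document archive, here is an added Python example. It is not ESRA’s code or part of the original article: it models suppliers and business processes as a directed dependency graph, propagates an outage at one supplier through the graph, computes each affected process’s recovery time as the longest chain of upstream recovery times, and ranks suppliers by the simulated cost of their outage. Every supplier name, recovery time and impact weight is constructed sample data.

```python
"""Added example: a minimal supplier-dependency "digital twin" (constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    kind: str                     # "supplier" or "process"
    recovery_hours: float         # time to restore once all upstream inputs are back
    impact_per_hour: float = 0.0  # constructed business-impact weight (processes only)


class SupplyChainTwin:
    """Directed dependency graph: an edge A -> B means B depends on A (must be acyclic)."""

    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}
        self.dependents: dict[str, set[str]] = defaultdict(set)    # A -> {B, ...}
        self.dependencies: dict[str, set[str]] = defaultdict(set)  # B -> {A, ...}

    def add(self, node: Node) -> None:
        self.nodes[node.name] = node

    def depends_on(self, dependent: str, dependency: str) -> None:
        self.dependents[dependency].add(dependent)
        self.dependencies[dependent].add(dependency)

    def propagate(self, failed: str) -> dict[str, float]:
        """Simulate an outage at `failed`; return hours-until-recovery for every node that stops.

        A node is back only after the slowest affected input it depends on has recovered,
        so each value is the longest path of recovery times from the failed supplier.
        """
        affected = {failed}
        queue = deque([failed])
        while queue:                      # BFS over dependents = the propagation path
            for nxt in self.dependents[queue.popleft()]:
                if nxt not in affected:
                    affected.add(nxt)
                    queue.append(nxt)

        recovery: dict[str, float] = {}
        visiting: set[str] = set()

        def recover_at(name: str) -> float:
            if name in recovery:
                return recovery[name]
            if name in visiting:
                raise ValueError(f"dependency cycle through {name}")
            visiting.add(name)
            upstream = [recover_at(d) for d in self.dependencies[name] if d in affected]
            recovery[name] = max(upstream, default=0.0) + self.nodes[name].recovery_hours
            return recovery[name]

        for name in affected:
            recover_at(name)
        return recovery

    def outage_cost(self, failed: str) -> float:
        """Simulated loss of one outage: sum over stopped processes of impact/hour * hours stopped."""
        rec = self.propagate(failed)
        return sum(hours * self.nodes[n].impact_per_hour
                   for n, hours in rec.items() if self.nodes[n].kind == "process")

    def prioritise(self) -> list[tuple[str, float, int]]:
        """Mitigation priority list: (supplier, simulated cost, processes stopped), costliest first."""
        rows = []
        for name, node in self.nodes.items():
            if node.kind != "supplier":
                continue
            rec = self.propagate(name)
            stopped = sum(1 for n in rec if self.nodes[n].kind == "process")
            rows.append((name, self.outage_cost(name), stopped))
        return sorted(rows, key=lambda r: (-r[1], r[0]))


def build_sample_twin() -> SupplyChainTwin:
    """Constructed sample ecosystem: four suppliers, four internal processes."""
    twin = SupplyChainTwin()
    for n in (Node("logistics_co", "supplier", 48), Node("cloud_host", "supplier", 8),
              Node("payment_gw", "supplier", 4), Node("parts_maker", "supplier", 72),
              Node("inbound_parts", "process", 6, 500), Node("assembly", "process", 4, 2000),
              Node("shipping", "process", 2, 800), Node("checkout", "process", 1, 300)):
        twin.add(n)
    for dependent, dependency in (("inbound_parts", "logistics_co"), ("inbound_parts", "parts_maker"),
                                  ("assembly", "inbound_parts"), ("assembly", "cloud_host"),
                                  ("shipping", "assembly"), ("shipping", "logistics_co"),
                                  ("checkout", "payment_gw"), ("checkout", "cloud_host")):
        twin.depends_on(dependent, dependency)
    return twin


if __name__ == "__main__":
    twin = build_sample_twin()
    for name, hours in sorted(twin.propagate("logistics_co").items(), key=lambda kv: kv[1]):
        print(f"{name:>14}: back after {hours:5.1f} h")
    for supplier, cost, stopped in twin.prioritise():
        print(f"{supplier:>14}: simulated cost {cost:9.0f}, {stopped} processes stopped")
```

In the sample data the parts supplier ranks first even though the logistics provider fails more often in the narrative above, because priority here is driven by downstream recovery time and impact rather than by the supplier’s own size; the same graph also answers the concentration question by counting how many processes each supplier can stop.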

The ESRA approach

From this evolution arises ESRA’s approach: a platform designed to integrate automated analysis, cross-domain correlation, and predictive modeling in a single operational environment.
Every relationship, from network flow to contractual constraint, is tracked and evaluated based on its impact on business processes, providing the CISO with a complete and updated view of exposure.

Thanks to a completely agentless architecture, the platform observes threat propagation in near real time while maintaining operational continuity.
This feature makes it possible to monitor the digital ecosystem without introducing invasive components, ensuring constant visibility even in the most complex environments.

The collected data feed a continuous monitoring cycle, trace mitigation actions required by NIS2 and ISO 31000, and provide governance with an objective basis for risk evaluation.

The result is a system that integrates security into decision-making and corporate strategy, offering management an objective foundation for strategic choices.
In this way, security becomes a structural component of organizational resilience.

Third-party management is now a central element in assessing corporate security, as required by the NIS2 Directive. Evaluate your organization’s maturity level in supplier management: complete the questionnaire

The questionnaire is exclusively in Italian
