A Foundation of Trust
As the Bible-inspired old saw goes, it is a foolish man who builds his house on a foundation of sand. Assume that he has a choice, of course.
Google's AI, ever helpful and knowing that I am interested in cybersecurity topics, sent me a link recently with this rather ominous opening paragraph:
In early 2026, cybersecurity leaders are grappling with a critical disconnect between the frequency of third-party security incidents and their internal capacity to manage them. According to a comprehensive 2026 survey of 200 US-based CISOs, while 60% of organizations reported an increase in third-party breaches, a staggering 85% admitted they lack full visibility into their software supply chain risks. [source]
This is a fancy way of saying that we all take on the cybersecurity vulnerabilities of our business partners and suppliers, at least to some degree. The "lack full visibility into their software supply chain risks" is a bit dramatic: of course we do. It is not realistic to expect every entity with which we do business to give us complete access to audit each and every system they use and each and every aspect of their cybersecurity program.
But what we can and should expect from every entity with which we do business is the following:
- That they have a formal cybersecurity program;
- That their programs be provably effective;
- That the executive summary of this proof be available for review;
- That the proof be up-to-date.
And what we demand of others we should be willing to demand of ourselves: we should be able to meet these requirements ourselves. Any business partner or client should be free to ask for this assurance and to get this assurance.
Providing this kind of assurance should not be much of a burden if we have a formal cybersecurity program, and here in the 21st century just about every organization of any size should have a formal cybersecurity program.
If you can't assure your business partners and your clients that you are a reliable part of their extended IT ecosystem, then you are not a safe business partner or vendor. But since you get the ability to assure others at no extra charge when you invest in the effort to assure yourself, there is little excuse.
Take care of yourself. Protect those who depend on you. Prove it and expect the same in return. To rewrite the saw for our times: it is a foolish organization which does not have a formal cybersecurity program; it is an untrustworthy business associate who cannot prove their trustworthiness; and it is a foolish executive who does business with untrustworthy partners or vendors.