Security expert advises firms to take vendor risk more seriously

By Samuel Mungadze, Africa editor
Johannesburg, 23 May 2025
...
The CrowdStrike outage in July 2024 was a wake-up call for organisations everywhere—it exposed how dependent companies are on third-party vendors and their supply chains, and how quickly things can go wrong when core security tools fail.

So says Zakiyya Cassimjee, Mpact's ICT governance, risk, and cyber security manager.

As cyber security becomes more complex, companies need to outsource crucial IT and security tasks, but Cassimjee emphasises the importance of taking vendor risk seriously and managing it proactively.

She cautions: “To reduce exposure, organisations need a solid vetting process before bringing any vendor onboard. This includes: security questionnaires and technical checks, including reviewing their software components; independent audits and vulnerability testing; clear contract terms that cover patching timelines and the obligation to report security issues.”

Cassimjee believes organisations must make vendors responsible for their role in cyber security, saying: “Vendors need to be held to account with well-defined legal and operational expectations. Contracts should outline cyber security service levels, how and when they must notify clients of incidents, and who bears liability.

“We should have the right to audit their controls, and certifications like ISO 27001 or SOC 2 should be non-negotiable. Regular reporting and reviews should be built into the relationship.”

Regarding how to actively manage vendor-related risks, Cassimjee says: “A mature vendor risk programme should include a living vendor register that ranks them by how critical they are to our operations. It should also include continuous monitoring using tools that assess their cyber posture. And, scenario planning and contingency plans for vendor-related outages—like we saw with CrowdStrike—should be part of our disaster recovery playbooks.”

Turning to creating a strong vendor oversight framework, she says: “We need a formal approach to third-party risk management that fits into our overall cyber security strategy.

“That means following established standards, such as NIST SP 800-161 or ISO 27036, having a cross-functional team—IT, legal, compliance, procurement—all involved in vendor governance, and making vendor risk part of broader risk and security governance processes.”

Turning to precautions for vendors with access to sensitive data, Cassimjee warns: “Vendors that touch confidential or sensitive information need extra scrutiny. Key steps include deep due diligence around how they handle and protect data; enforcing principles, like least-privilege access and zero trust; and requiring encryption, proper access logging, and insider threat monitoring.”

Cassimjee is one of the speakers at the upcoming ITWeb Security Summit 2025, which will be hosted in Cape Town next week, and in Johannesburg in June.

She will be chairing a panel on vendors' responsibility and accountability for cyber security.
