What CISOs Need to Know About Third-Party Risk in Hybrid IT Environments

April 23, 2025

Understand how third-party risk is evolving in hybrid IT environments and how frameworks like NIST SP 800-161 and CSA CCM can guide your strategy.

Modern organisations rely on a sprawling ecosystem of cloud providers, SaaS platforms, managed service providers and niche vendors. In hybrid IT environments, where on-premises infrastructure coexists with multiple clouds and SaaS applications, this ecosystem becomes more complex and less visible.

Recent high-profile incidents show that attackers increasingly target suppliers and service providers as a way into enterprise networks. DACTA’s case study How a Supply Chain Attack Brought UK Retail to a Standstill illustrates how a single compromised provider can cascade operational disruption across an entire sector.

For CISOs, third-party risk management (TPRM) is no longer an isolated compliance function. It is a core part of cyber risk management, particularly in hybrid environments where ownership boundaries are blurred.

How third-party risk is evolving in hybrid IT

Hybrid IT amplifies third-party risk in several ways:

  • SaaS sprawl. Business units adopt SaaS tools independently, leading to unmanaged data flows and unknown vendors.
  • Shared responsibility gaps. Cloud providers and customers share security responsibilities, but misunderstandings about where the line is drawn can leave gaps.
  • Nested supply chains. Your vendors depend on their own vendors, creating deep chains of dependency that are difficult to map.
  • Operational technology (OT) and IoT. For some sectors, third-party risk extends into industrial systems, embedded devices and field services.

Traditional questionnaire-only approaches struggle to keep pace with this reality. CISOs need a structured approach anchored in well-recognised frameworks.

Key frameworks – NIST SP 800-161 and CSA Cloud Controls Matrix

Two frameworks have emerged as particularly relevant for managing third-party and supply chain risk in hybrid environments.

NIST SP 800-161 Rev. 1 – Cybersecurity Supply Chain Risk Management

NIST SP 800-161 provides detailed guidance on integrating supply chain risk management into organisational risk processes, complementing existing NIST frameworks such as SP 800-53 and SP 800-39. It emphasises:

  • Identifying critical systems and components across the supply chain
  • Assessing supplier risks, including their own suppliers
  • Embedding supply chain risk considerations into procurement and governance

For CISOs, it can serve as a playbook for integrating TPRM into existing risk and compliance structures.

Cloud Security Alliance (CSA) Cloud Controls Matrix and CAIQ

The CSA Cloud Controls Matrix (CCM) is a widely used framework for assessing cloud security controls, mapping them to industry standards and regulations. The associated Consensus Assessments Initiative Questionnaire (CAIQ) is a standardised set of questions that cloud customers can use to evaluate provider security practices.

The CSA STAR Registry builds on these artefacts, providing a public catalogue of cloud providers’ security and privacy controls and levels of assurance (self-assessment, third-party certification, continuous auditing).

For hybrid environments, these frameworks help CISOs:

  • Compare cloud providers on a consistent baseline
  • Align internal policies with external expectations
  • Reduce duplication in vendor assessments

Practical steps for CISOs managing third-party risk

Frameworks are useful, but they must translate into concrete actions. A practical roadmap might include:

1. Build a complete third-party inventory

Catalogue all vendors, cloud providers, MSPs and critical open-source components used across IT, OT and business units. Include:

  • Data processed or stored
  • Access to internal systems
  • Business criticality and regulatory impact

This inventory is the foundation for risk-based prioritisation.

2. Classify vendors by criticality and data sensitivity

Not all vendors are equal. Define tiers, for example:

  • Tier 1 – Critical providers with access to sensitive data or core operations
  • Tier 2 – Important providers with significant but non-critical impact
  • Tier 3 – Low-risk vendors with limited access and impact

Apply more rigorous assessments and monitoring to higher-tier vendors.

3. Standardise assessments using recognised frameworks

For cloud and SaaS providers, leverage CSA CCM, CAIQ and STAR entries where available to reduce bespoke questionnaires.

For broader suppliers, align questionnaires with NIST SP 800-161, focusing on:

  • Security governance and policies
  • Vulnerability and patch management
  • Incident response and notification processes
  • Their own supplier risk management

DACTA’s article Vendor Risk Management: Key Questions to Ask Before Partnering offers a practical set of questions and real-world examples that can be adapted for your assessments.

4. Integrate TPRM into governance, risk and compliance

Third-party risks should feed into the same risk register and reporting mechanisms as internal risks. That means:

  • Assigning risk owners for critical vendors
  • Establishing clear acceptance criteria and exceptions
  • Reporting aggregated third-party risk to the board or risk committee

DACTA’s Governance, Compliance & Regulatory services help organisations embed these processes into their existing governance structures.

5. Monitor continuously, not just at onboarding

Annual questionnaires are not enough in fast-moving environments. Consider:

  • Contractual obligations for timely breach and incident notification
  • Periodic reviews of certifications, STAR levels and audit reports
  • Technical monitoring such as attack surface management, credential leak checks or threat intelligence related to key vendors
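The roadmap above (inventory, tiering, risk-based assessment cadence and ongoing review) can be made concrete as a small inventory-and-tiering script. The example below is added here and is not DACTA's code or tooling; the inventory records, the sensitivity labels, the tiering thresholds and the 90/180/365-day review intervals are all assumptions made for illustration. It captures the three attributes the inventory step calls for (data processed, access to internal systems, criticality and regulatory impact), assigns each vendor to one of the three tiers, and produces a review queue ordered by tier so that overdue Tier 1 reassessments surface first.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data categories that push a vendor into Tier 1 (assumed taxonomy, not from the article).
SENSITIVE_DATA = {"personal", "financial", "health", "credentials"}

# Assumed reassessment cadence per tier, in days. The article only says that
# higher tiers get more rigorous assessment and monitoring; these values are an example policy.
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}

# Reporting date used by the stand-alone run below (constructed; matches the article's date).
REPORT_DATE = date(2025, 4, 23)


@dataclass
class Vendor:
    """One inventory record: the attributes the roadmap says to capture, plus the last review date."""
    name: str
    data_classes: frozenset   # kinds of data the vendor processes or stores
    access: str               # access to internal systems: "none", "limited" or "privileged"
    business_critical: bool   # core operations depend on this vendor
    regulated: bool           # vendor is in scope of a regulatory obligation
    last_review: date         # date of the most recent assessment


def classify(v: Vendor) -> int:
    """Assign a tier using the article's three-tier scheme (the thresholds are assumptions)."""
    if v.data_classes & SENSITIVE_DATA or v.access == "privileged" or v.business_critical:
        return 1  # sensitive data, privileged access or core operations
    if v.access == "limited" or v.regulated or v.data_classes - {"public"}:
        return 2  # significant but non-critical impact
    return 3      # limited access and limited impact


def next_review_due(v: Vendor) -> date:
    """Date by which the vendor must be reassessed under the tier's cadence."""
    return v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[classify(v)])


def review_queue(vendors, today: date):
    """Vendors whose reassessment is overdue: highest tier first, then most overdue first."""
    overdue = []
    for v in vendors:
        days = (today - next_review_due(v)).days
        if days > 0:
            overdue.append({"vendor": v.name, "tier": classify(v), "days_overdue": days})
    return sorted(overdue, key=lambda r: (r["tier"], -r["days_overdue"]))


# Constructed sample inventory: names and attributes are invented for this example.
INVENTORY = [
    Vendor("payroll-saas", frozenset({"personal", "financial"}), "limited", True, True, date(2024, 11, 1)),
    Vendor("remote-admin-msp", frozenset({"public"}), "privileged", False, False, date(2025, 3, 1)),
    Vendor("web-analytics", frozenset({"marketing"}), "none", False, False, date(2024, 1, 15)),
    Vendor("office-supplies", frozenset({"public"}), "none", False, False, date(2024, 6, 1)),
]

if __name__ == "__main__":
    for v in INVENTORY:
        print(f"{v.name:18} tier {classify(v)}  next review due {next_review_due(v)}")
    print("overdue, in priority order:")
    for row in review_queue(INVENTORY, REPORT_DATE):
        print(row)
```

Note that the MSP with remote administrative access lands in Tier 1 even though it stores no sensitive data, which is the point of including access to internal systems as a tiering input alongside data sensitivity. In a real programme the same records would also carry the vendor's own sub-processors, so that the nested supply chain described earlier can be mapped from the inventory rather than rediscovered during an incident.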

Special considerations for hybrid cloud and OT environments

Hybrid environments introduce specific nuances:

  • Cross-region data residency. Multi-cloud providers may replicate data across regions; ensure contractual clarity on where data resides and which regulations apply.
  • Privileged third-party access. MSPs and vendors with remote administrative access to on-prem or OT systems require stricter controls, including just-in-time access, logging and MFA.
  • Incident response coordination. Your incident response plan should account for vendor roles, including how quickly they must engage and what data they must provide, aligning with DACTA’s Incident Response guidance.

How DACTA Global supports third-party risk in hybrid environments

DACTA Global works with organisations across regulated and high-risk sectors to align third-party risk with broader cyber resilience goals. Relevant services include:

Combined with insights from resources like Vendor Risk Management: Key Questions to Ask Before Partnering and How a Supply Chain Attack Brought UK Retail to a Standstill, DACTA helps CISOs translate frameworks into practical, risk-driven programmes.

Conclusion – Make third-party risk a first-class citizen in your cyber strategy

In hybrid IT environments, third-party risk is not a side issue. It is a primary attack surface. CISOs who treat supplier security as integral to their cyber strategy, and who leverage frameworks like NIST SP 800-161 and CSA CCM, will be better placed to explain and manage risk to boards and regulators.

By building a clear inventory, applying risk-based assessments, integrating with governance and monitoring continuously, your organisation can gain control over a complex vendor landscape.

DACTA Global stands ready to support this journey, combining practical experience, recognised frameworks and managed services to help you turn third-party risk from a blind spot into a managed strength.
