The Vendor That Didn’t Lose the Contract
It Just Watched It Walk Out the Door
The Renewal That Felt Routine
A friend of mine runs a company with roughly 1,500 employees. It’s not fragile. It’s not experimental. It’s a mature operating business with enterprise customers and long-standing contracts.
Last year, they renewed a major agreement. Nothing about the relationship suggested instability. Delivery was consistent. Performance was strong. The renewal felt procedural.
Then the security review arrived.
Not the old version. Not the “Do you have antivirus?” questionnaire that could be answered in an afternoon. This one asked for documentation. Evidence of multi-factor authentication enforcement. Backup restoration testing. A formal incident response plan. Independent assessment results. Information about the governance standards of their outsourced IT provider.
His first reaction was the one I’ve heard hundreds of times.
“We’ve never had a breach.”
That statement was accurate.
It was also beside the point.
The enterprise client wasn’t asking whether something bad had happened yet.
They were asking whether something bad would be survivable if it did.
There is a difference between a clean history and demonstrable resilience.
The Myth of Being “Too Established to Be Fragile”
Years ago, I interviewed 520 CEOs running companies with between 250 and 2,000 employees. I asked how many had conducted a comprehensive cybersecurity assessment, one that evaluated not just tools, but governance, documentation, and third-party exposure.
Seven hands went up.
Subsequent research from Hiscox and the Ponemon Institute reflects the same pattern. Between 80 and 85 percent of small and mid-sized enterprises report they have never conducted a formal cybersecurity assessment.
Most do not believe they are likely targets.
That belief made sense when risk was perimeter-driven. When we built networks, we built them from the inside out. Protect the crown jewels. Secure the walls. Monitor the gates.
But the walls no longer define exposure.
Today, risk enters through vendors, software dependencies, outsourced service providers, and increasingly through automated development pipelines.
You are not always the prize.
Often, you are the pathway.
When Boards Change, Procurement Changes
The Ponemon Institute’s recent global research with ProcessUnity reinforces what many of us are seeing operationally. Third-party-related incidents are not edge cases. Assessment cycles stretch beyond normal business rhythms. Even large enterprises struggle to manage vendor ecosystems consistently.
Boards have learned something over the last few years.
Inherited risk is still risk.
If exposure can propagate through a vendor, then vendor governance becomes material.
That awareness changes procurement behavior.
And it pushes scrutiny downstream.
Delegation Is Not Validation
In my friend’s case, they had an outsourced IT provider. Firewalls were configured. Endpoint protection was active. Backups were running. Patching was automated.
From a technology standpoint, nothing looked reckless.
But technology in place is not the same thing as governance demonstrated.
When the enterprise client asked for documentation, the questions became more specific than the company had ever needed to answer.
When was the last full restoration test conducted under real conditions? Is multi-factor authentication enforced everywhere, and does that enforcement materially reduce exposure? Who owns incident response authority if operations stop? Has an independent party evaluated control effectiveness against business consequences?
The MSP managed the infrastructure well.
That was not the issue.
The issue was validation.
Outsourcing changes who executes. It does not change who carries consequence.
SolarWinds and CrowdStrike were not just technical failures. They were failures in trust chains. Boards internalized that lesson quickly.
If a vendor is compromised, exposure travels.
The Illusion of Being “Green”
Many mid-sized enterprises respond by pointing to a cyber score or compliance artifact. A dashboard. A rating. A completed questionnaire.
Those signals are not meaningless.
They are also not proof.
A public cyber score is similar to a credit score. It offers context. It does not replace underwriting.
A compliance certificate confirms controls were observed. It does not confirm they will hold under stress.
Enterprise clients are not screening for intent.
They are screening for resilience.
AI Is Accelerating the Conversation
At the same time, internal complexity is increasing.
AI-assisted development has accelerated enterprise velocity. Code is generated faster. Dependencies are introduced more quickly. Open-source components move into production at a pace few governance models were designed to absorb.
Velocity has increased.
Oversight often has not.
When development accelerates without a corresponding validation discipline, exposure compounds quietly.
From the perspective of an enterprise client already absorbing ecosystem risk, that acceleration does not reduce scrutiny.
It increases it.
When It Became About Eligibility
In my friend’s case, the contract did not collapse.
It paused.
Renewal slowed while documentation was assembled and an independent assessment was commissioned. Gaps were identified. Controls were formalized. It took months to restore forward momentum.
Afterward, he said something that reframed the entire experience.
“I thought this was about security. It was about eligibility.”
That observation captures the shift.
Cyber maturity is increasingly tied to revenue qualification.
CMMC makes this explicit in defense contracting. Without demonstrable controls, contracts do not proceed. But the pattern extends beyond regulated sectors.
Enterprise supply chains are filtering vendors based on governance maturity.
Quietly.
If you cannot demonstrate control effectiveness, you may never know that was the deciding factor.
The Structural Opportunity
There is an opportunity embedded in this reality.
If the majority of companies with between 250 and 2,000 employees have never conducted a formal independent assessment, and if most rely entirely on outsourced IT without governance validation, then the competitive bar is not impossibly high.
It is simply higher than average.
Organizations that invest in structured governance, independent validation, and documented resilience separate themselves operationally. They shorten sales cycles. They reduce procurement friction. They improve negotiation posture.
Not because they are louder.
Because they are prepared.
For enterprises without an internal third-party risk function, structured services can bridge that gap. Services such as MyCSO Vision provide managed third-party and ecosystem risk validation so mid-sized organizations can meet enterprise expectations without building an internal department from scratch.
More information is available here: https://ncxgroup.com/mycso-vision/
Contracts rarely explode in public.
They simply migrate to the vendor who demonstrated preparedness first.
P.S.
Enterprise supply chains are not casual environments anymore.
You can insist you are responsible. You can point to a clean history.
But eventually someone will ask for proof.
In modern ecosystems, proof is not optional.
It is the price of admission.