
7 Jul 2025

Strategy

15 min reading time

Security Assessment Gap: Maturing Supply Chain Risk Management in the AI Era

Clyde Netto

TL;DR

Traditional security certifications like SOC 2 and ISO 27001 are becoming dangerously inadequate in our increasingly AI-driven world. Like relying on single-factor authentication, these compliance reports provide a false sense of security while organisations entrust massive volumes of sensitive data to third-party AI systems that require unprecedented access scope.

Cyber security experts Clyde Netto (Director and CTSO, Thomson Reuters APAC, Middle East and Emerging Markets) and Dan Haagman (Chaleit CEO) advocate for a shift from checkbox compliance to integrated security transparency. They argue that organisations must move past surface-level certifications to gain real visibility into supplier development practices.

The cyber security profession needs to mature from organisational roles to collaborative thought leadership, driving industry-wide change that matches the scale of modern data exposure risks.

Context: Inadequacy of traditional assurance

The cyber security industry faces a disconnect between how risk is assessed internally versus externally. Organisations implementing rigorous secure development lifecycle (SDLC) practices for internal applications routinely accept third-party certifications as sufficient assurance for external suppliers processing the same sensitive data.

Clyde observes:

"When an in-house team develops something with access to all organisational and customer data, we apply rigorous secure coding and continuous monitoring. So why do we trust only a third-party assurance report when a supplier processes the same sensitive data?"

This inconsistency, while problematic for traditional software integrations, becomes catastrophic when AI systems require massive data ingestion to function effectively. Large language models and AI-integrated SaaS solutions have altered the risk equation entirely. Where previous integrations might access specific data sets, AI implementations often require comprehensive organisational data access: entire email systems, document repositories, and historical archives spanning decades.

Dan witnessed this risk firsthand:

"One of our customers was recently compromised for this exact reason. They integrated with a third party, and the AI assistant expanded the scope, bringing all their systems into the integration instead of just the one intended."

The legal industry exemplifies this expanded exposure. Law firms are now putting historical archives into large language models, exposing not just current operational data but decades of sensitive client information. As Clyde notes, "You're not just opening up today's can of worms, you're opening up the can of worms for as long as your law firm has existed."

Research reinforces that AI security is a growing concern, with AI integrations, especially in SaaS environments, becoming major vectors for data breaches and leakage.

As of 2025, global AI adoption has reached approximately 78% of companies, a dramatic increase from 32% in 2020. Studies show that the cyber security industry has responded with a proliferation of security frameworks, architectures, and methodologies. Despite these efforts, AI-powered apps were responsible for millions of data loss incidents: in 2024 alone, enterprises experienced over 872 million data loss violations across over 3,000 SaaS applications.

Let’s examine the specific challenges that make traditional assurance inadequate and the solutions needed to address them.

Challenges

Challenge #1. Single-factor security problem

Current vendor risk assessment practices mirror outdated authentication approaches, relying on a single "gate" with no visibility into underlying security practices.

"It's like relying on single-factor authentication for password security. There's a gate with a lock — the certificate — but no visibility beyond that," Dan explains.

Organisations receive SOC 2 Type 2 reports and ISO 27001 certificates as primary assurance mechanisms, yet these documents represent point-in-time assessments that may exclude critical dependencies.

Clyde acknowledges the institutional inertia: "That's exactly what we're doing — trusting the SOC report. And I know we're still a long way from rethinking the trust we place in these assurance reports." The scope limitations become problematic when examining supply chain dependencies.

Dan's experience is that "You start looking at the scope and realise there isn't much of one. Everything connects to a certified third party, then another certified third party — a supply chain of supply chains."

This creates cascading risk exposure that traditional assurance reports fail to capture or communicate effectively.

Challenge #2. Development team disconnect

There is a gap between cyber security leadership vision and frontline development implementation. Clyde argues that development teams are overworked: "There's pressure from the product and engineering organisations on the developers who are actually sitting and pushing code out. When there are so many conflicting priorities, feature requests, enhancements, and security requests, security by design gets lost and muddled."

The traditional "shift left" approach fails because it doesn't address cultural and resource constraints within development organisations. Clyde identifies the root cause:

"We're not properly educating and empowering development teams. We hire developers and expect them to hit the ground running, but offer little in the way of guidance or support for their leaders."

When security isn't a priority from the beginning, it leads to a cycle where it's always an afterthought for companies and their suppliers.

Challenge #3. Inadequate risk assessment methodologies

Current vendor risk assessment processes rely heavily on generic questionnaires that fail to capture solution-specific threats and implementation risks. "DPA questionnaires are often meaningless. They don't get to the heart of whether you're actually protecting our data. The questions feel like box-ticking," Dan observes.

Clyde identifies a fundamental flaw:

"You cannot have a one-size-fits-all questionnaire that goes out for an accounting system assessment or a document management system assessment just because you classified the vendor to be a Category 2 vendor."

The questionnaire problem extends to both question quality and answer quality. Customer trust teams often lack deep security understanding, while vendor trust teams provide standardised responses that meet compliance requirements without addressing real security concerns. This creates what both experts describe as a "garbage in, garbage out" cycle.

The situation has deteriorated further with questionnaire outsourcing.

According to Dan, "Some service providers now handle DPAs and cyber security questionnaires on your behalf, just to lift the burden from clients, and that's deeply concerning."

Challenge #4. Professional maturation gap

The cyber security field remains trapped in organisational thinking rather than professional development, limiting industry-wide progress on security challenges.

"A lot of people still look at it as a role that needs to be performed within the context of an organisation, and there ends the deal," Clyde observes.

This organisational focus perpetuates the compliance-driven approach because organisations lack the leverage to demand meaningful transparency from major suppliers. "We need to move from role to profession, from inside our own thinking and organisation to the body of our colleagues and peers that collectively drive an agenda and a standard," Dan argues.

Clyde emphasises the need for unified action:

"If the CISO community doesn't collectively, or at least a majority of the CISO community, agree that we need to drive positive change, it's never going to change."

The security industry needs shared professional standards to create new norms for security, transparency, and assessment.

These problems are all connected. They create a system where poor security practices continue even though their weaknesses are clear. Fixing this will require coordinated action across many areas of professional practice.

Solutions

Solution #1: Implement a multi-layered assurance architecture

Organisations must treat certifications as baseline requirements rather than sufficient assurance, supplemented by ongoing visibility into supplier development practices.

Rather than accepting compliance artefacts, organisations need insight into operational reality: pre-production environments, development practices, and ongoing security metrics.

Clyde proposes a practical approach involving ongoing sampling of SDLC processes, whether annual, quarterly, or otherwise. This requires establishing new frameworks for process integration between customer and supplier organisations.

The solution involves graduated assurance levels based on data sensitivity and access scope. 

For critical suppliers handling sensitive data, organisations should demand transparency into development practices, threat modelling exercises, and continuous monitoring metrics.

This approach takes more resources, but it gives you the transparency you need to align your internal security standards with how you assess suppliers.

Solution #2. Invest in developer education and leadership

Companies need to invest in thorough developer education programs. These shouldn't just cover initial training, but also ongoing development of security practices.

Clyde emphasises the leadership component:

"Guardrails should come from strong processes, practices, and committed leadership. If you're not invested in maintaining them, you're just putting them in place to pass a SOC audit."

Dan observes that CISOs are typically time-saturated. "The ones I know that are not have reduced their stack, removed the data overload, and freed themselves up to go into where the real risk may be."

The solution involves:

  • Collaborative frameworks — Implement frameworks for security and development teams to work together on threat modelling, continuous monitoring, and security metrics collection.

  • Thought leadership — Leadership must demonstrate thought leadership in security practices, not just management, to foster genuine cultural change within development organisations.

  • Core competency, not compliance — Treat security integration as a core competency, not merely a compliance requirement. This means investing in education, process integration, and leadership support to maintain security guardrails, even under delivery pressure.

  • Empowered developer engagement — For development teams to truly engage with security, leaders need to create space and resources for meaningful team development, rather than getting bogged down in compliance.

Solution #3. Adopt threat-modelled risk assessment

The authors argue that threat modelling shouldn't stop at software — it should extend to the entire security assurance process.

Traditional, product-focused threat modelling falls short. Instead, Clyde and Dan recommend asking a broader question: "What are the threats to our security practices?" If you only model threats to your products, your practices will fall behind and eventually become a risk themselves.

This mindset shifts supplier interactions from checklist-driven questionnaires to collaborative threat modelling. Instead of relying on generic assessments, organisations should tailor risk frameworks to the specific technologies, data flows, and integration methods involved.

The focus moves away from point-in-time compliance and toward ongoing visibility into development practices, pre-production environments, and meaningful security metrics. 

Buyers should expect (and suppliers should offer) transparency over templated compliance answers.

Solution #4. Build collaborative professional standards

The cyber security profession must mature from individual organisational roles to collaborative thought leadership that drives industry-wide change.

This requires CISOs and security leaders to invest time in professional development activities that extend past their organisational boundaries, including collaborative standard development, knowledge sharing, and collective supplier engagement.

Clyde asks important questions:

  1. How can we integrate thought leadership into daily security roles?

  2. What strategies will motivate information security risk management teams to embrace thought leadership?

  3. How do we encourage thought leadership at all levels within these organisations?

The solution requires:

  • CISOs collaborating across the industry to drive collective progress.

  • Individual professionals actively contributing to the development of the field.

  • A change from viewing security as a role to recognising it as a profession.

  • Organisations improving their internal practices and participating in broader efforts to set new standards for security transparency.

Only through strengthening individual capabilities while advancing the profession can we create assurance methods that keep pace with modern data exposure risks.

Key takeaways

Here are several critical insights that cyber security professionals can immediately apply to strengthen their vendor risk assessment practices:

  1. Traditional certifications are necessary but insufficient for modern risk assessment, particularly with AI systems requiring unprecedented data access scope that compliance frameworks weren't designed to address.

  2. Multi-layered assurance approaches must supplement compliance reports with ongoing visibility into supplier development practices, pre-production environments, and continuous security metrics.

  3. Developer education and empowerment are critical for bridging the gap between security leadership vision and implementation reality, requiring genuine leadership investment.

  4. Threat modelling should be applied to security assessment processes themselves, not just products, enabling more effective risk identification through collaborative exercises with suppliers.

  5. Solution-specific risk assessment frameworks must replace generic questionnaires to address the unique risks of different technology categories and integration patterns.

  6. Professional collaboration among security leaders is essential for driving industry-wide change that individual organisations cannot achieve alone, requiring a shift from organisational roles to professional thought leadership.

  7. Time and mental capacity must be deliberately created by reducing security stack complexity and data overload, enabling CISOs to focus on meaningful risk assessment rather than compliance theatre.

Success requires individual organisations to invest in more sophisticated assessment approaches while simultaneously participating in industry-wide efforts to establish new standards for security transparency. 

Moving forward, security leaders need to be brave enough to go beyond simple compliance and aim for real security transparency. The alternative — sticking with old, insufficient security methods — puts organisations at unacceptable risk.

As Dan and Clyde demonstrate, the solutions exist within the collective wisdom of security professionals willing to think past organisational boundaries and work together to raise professional standards.

This conversation exemplifies the collaborative approach that Chaleit champions, not just through thought leadership content but through genuine cyber security partnerships with clients who share the commitment to elevating security practices beyond compliance.

If these insights resonate with your experience and you're ready to implement more sophisticated vendor risk assessment approaches, we invite you to continue this conversation.

About the authors

Clyde Netto

Clyde Netto is the Regional Head of Technology and Cyber Security for Asia and Emerging Markets at Thomson Reuters. With 24 years of experience in the field, Clyde has held diverse roles in Software Development, Engineering, Cyber Security, Governance, Compliance, and Strategic Leadership.

A Certified Information Systems Security Professional (CISSP) and a Certified Cyber Security Professional recognised by the Australian Computer Society, Clyde is dedicated to developing and securing intelligent systems that enhance and streamline complex legal and tax workflows, driving efficiency in these sectors.

Clyde is also an active member of the Cyber Security community, serving as a Governing Body Member of the Melbourne CIO/CISO Community at Evanta, a Gartner Company, and participating in the CREST Leaders Forum in Australia. As a public speaker, panellist, and thought leader, Clyde is passionate about advancing the field of cyber security.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Clyde Netto. Dan Haagman's views also reflect the official stance of Chaleit, while Clyde Netto's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series: Cyber Strategy Collective

Topics: Strategy
