The Threat-First Mindset: Building Operational Resilience Against Cyber Risk

By Chris Oatts, Head of Product & Data Strategy

When I talk to boards and procurement leaders about cyber risk, I start from a simple idea: cybersecurity is not just an internal hygiene issue, it is a core part of how you choose, design and operate the products and services your business relies on.

For me, a threat-first mindset means this: from day one, you assume that someone, somewhere, will try to misuse, attack or abuse the products and suppliers you depend on, and you treat that assumption as a design requirement for your ecosystem, not a tidy-up exercise after contracts are signed. It is about putting cyber risk on the same footing as price, service quality and commercial outcomes.

That sounds obvious, but it is not how most organisations actually make decisions.

Why cyber risk sits at the centre of commercial strategy

We are past the point where a cyber incident is mostly an IT headache. Allianz’s latest risk barometer puts cyber incidents as the number one global business risk, ahead of supply chain disruption and macroeconomic shocks. In a similar vein, recent studies put the average cost of a data breach close to £3.5 million with ransom payments for larger firms often in the seven figures.

Three structural shifts sit behind this. Remote and hybrid work, plus heavy cloud and SaaS use, have blown open the traditional perimeter.

At the same time, attacker capability has improved, with phishing, password attacks and ransomware all rising, often amplified by generative AI. If you are responsible for procurement or supply chain, you are already managing cyber risk, whether you intend to or not.

What a threat-first mindset looks like in practice

So how should you think about a threat-first mindset in a practical sense? In my experience, five habits make all the difference.

  1. Start from realistic threat scenarios, not only from policy documents
    Instead of asking “Do we have a security clause in the contract?”, start by asking “If this supplier is compromised, what is the worst credible outcome for us?”. Could they disrupt operations, expose sensitive data, alter financial flows, or damage customers? Map a small number of concrete scenarios and work backwards from there into requirements.

  2. Treat security as a core selection and design criterion
    When you shortlist vendors or decide how to integrate a new product, evaluate their security posture alongside functionality and cost. Ask how they authenticate users, manage access, patch systems, handle incidents and protect your data. A slightly more expensive supplier with strong security and transparency often has a better true total cost of ownership than a cheap provider that regularly suffers outages or incidents.

  3. Assume compromise is possible and focus on containment
    Threat-first does not mean you expect perfection. It means you plan for failure. You look at how easily an incident at a supplier could spread into your environment and how quickly you would spot it. Segmentation, least privilege access for integrations, and clear technical boundaries between you and your suppliers are just as important as the supplier’s internal controls.

  4. Use data (not only questionnaires) to judge risk
    Traditional security questionnaires still have a place, but they are static and self-reported. A threat-first approach complements them with observable signals such as external security ratings, evidence of exposed services, patching behaviour, leaked credentials, public incidents and regulatory actions. That gives you a more objective view of who you are trusting.

  5. Make cyber risk a shared responsibility across functions
    Procurement, security, legal, data, finance and operations all have a stake. I have seen the best results where cyber risk in the supply chain is owned by a cross-functional group, with clear risk appetite and decision rules, rather than bounced between teams as a late-stage blocker.

The shift here is subtle but important.

Turning frameworks into a working model

Security frameworks such as ISO 27001, NIST CSF or sector-specific schemes are useful, but on their own they will not tell you which supplier to trust or which integration to delay. The value comes when you translate them into a practical operating model.

For procurement and supply chain teams, I usually suggest four building blocks.

  • Risk tiering for suppliers
    Not every vendor needs the same level of scrutiny. Classify suppliers based on what they can access or disrupt. Those that handle sensitive data, connect into core systems or provide critical services should sit in a higher tier with deeper due diligence, contractual commitments and continuous monitoring. Low-impact suppliers can follow a lighter path.

  • Standardised but risk-based security requirements
    Develop a small, standard set of security expectations aligned to your frameworks, then scale them by tier. For high-tier suppliers, you might require independent certification, regular penetration testing, detailed incident reporting and evidence of secure development practices. For lower tiers, you may focus on basic controls such as multi-factor authentication and patching.

  • Integrated decision making
    Build cyber review into your procurement and change processes at defined gates. For example, before contract signature for a high-tier supplier, security and data protection leads should formally sign off the risk position. Before go-live, technical teams should confirm that integrations respect your segmentation and access design.

  • Clear response playbooks for supplier incidents
    When, not if, a key supplier has an incident, you will not have time to invent a process. Agree in advance how you will be notified, what evidence you need, how you will assess impact, and what conditions might trigger suspension, migration or contract review. This is as much a commercial tool as a technical one.

This is where frameworks become practical. They inform the questions you ask and the thresholds you set, but your operating model decides how you act when the answers are uncomfortable.

Combining cyber signals and business signals

A lot of my work at Company Watch focuses on how external data can help organisations stay ahead of risk, but the point is not the tools themselves, it is what you can do with the signals they provide.

On the cyber side, continuous outside-in assessment is now realistic at scale. For example, a Cyber Risk Report generated by Company Watch can provide security risk scores for all UK and Irish domains, using a weighted mix of over 200 measurements across 10 core cyber risk factors.

Behind the scenes, this kind of assessment scans the entire IPv4 webspace at a regular cadence, attributes IP addresses to domains to build digital footprints, and ingests around 1.5 terabytes of security relevant data every day from sensors and open sources. The result is a non-intrusive, outside-in view of how exposed an organisation appears, updated daily without needing access to its internal systems.

For a procurement or supply chain team, that means you do not have to rely only on self-reported questionnaires. You can benchmark a potential supplier’s observable security posture against peers, track whether a key partner’s score is trending up or down, and flag sudden changes that might justify a deeper conversation before you commit to a major integration.

Alongside that, you can bring in broader Vigilance™ signals that sit outside pure cyber. In our work, we track around 25 abnormal behaviour indicators across 14 million annual Companies House filings covering 5 million UK corporate entities. This includes identifying thousands of small, frequent changes in accounting reference date, multiple filings of accounts in quick succession, “too good to be true” financials, tens of thousands of cases of mass director resignations, large numbers of companies with entirely non-UK boards, and many with possibly non-compliant persons of significant control.

None of these signals tell you on their own that a supplier is unsafe, but together they help you ask better questions. A company with a weak cyber score and a pattern of unusual filings or governance changes deserves different treatment from one with strong technical health and stable fundamentals.

In practice, the value of combining cyber ratings and Vigilance™ data is not the score on the front page, it is the decisions it supports. For example:

  • Which high impact suppliers should we prioritise for deeper due diligence this quarter?

  • Where do we need tighter technical controls or contractual protections before going live?

  • Which existing relationships should move onto a watchlist because their risk profile has shifted?

Used this way, data and intelligence do not replace human judgement or local knowledge, but they stop you treating every supplier the same. They help you focus limited time and budget where the risk, and the leverage, are greatest.

What a procurement or supply chain professional can do next

If you are reading this from a procurement or supply chain role, my practical suggestions would be:

  • Work with your security and risk colleagues to define a clear cyber risk appetite for suppliers, with concrete examples of what is acceptable and what is not.

  • Introduce a simple tiering model for vendors based on impact and align due diligence depth and monitoring effort to those tiers.

  • Add a small number of external signals into your review process, at minimum an outside-in security assessment and a basic governance check for higher impact suppliers.

  • Make sure technical design decisions support your commercial intent: segment integrations, restrict access, and log activity so you can spot unusual behaviour from third parties.

  • Run at least one tabletop exercise that assumes a critical supplier suffers a major cyber incident, and test what you would actually do.

None of these steps requires perfection or huge budgets. They are about treating cyber risk as a visible, managed part of your supplier strategy.

Some closing thoughts

For me, a threat-first mindset in the context of procurement and supply chains is not about fear, and it is not about buying every security tool on the market. It is about being honest about how modern attacks work, accepting that your ecosystem is only as strong as its weaker links, and using data, design and governance to manage that reality.

If you do that well, you not only reduce the likelihood and impact of serious incidents, you also become a more reliable partner. Customers and regulators increasingly look for evidence that you understand and manage your extended risk. A thoughtful, threat-first approach across your suppliers is one of the clearest signals you can send that you take that responsibility seriously.

Chris Oatts
Head of Data and Product Strategy
Chris leads Product and Data Strategy at Company Watch, leveraging over 25 years of experience in credit and business information to advance the company’s analytics and product capabilities.