By Michael Henry, CEO, Accelerynt
In this article:
- You can outsource the function, but never the consequence
- Stop treating vendors as trusted “black boxes”; treat them as extensions of your team
- Don’t ask nicely, test ruthlessly: run social engineering tests against your own vendors
Early in my career, working with Ericsson in Sweden, I noticed a dangerous pattern.
When the organization outsourced a function (e.g., IT, operations, development), there was a cultural assumption that they had also outsourced the worry. If we paid a vendor to do it, the risk was now “theirs.”
I realized the root cause was partly linguistic. In Swedish, the word for “responsible” (doing the task) and “accountable” (owning the consequence) is the same word: ansvar.
Because the word was the same, the distinction didn’t exist. To hand over the task was to hand over the liability.
In the US, we don’t have the linguistic excuse, but we make the exact same mistake. We look at a signed contract and a clean SOC 2 report, and we tell ourselves the ansvar is gone.
But in the eyes of the SEC, the shareholders, and the class-action lawyers, the ansvar never left your building.
The “Black Box” Reality
Here is the truth about outsourcing: You can outsource the function, but you can never outsource the consequence.
Look at Clorox. They outsourced their help desk. When that vendor (allegedly) failed to verify identities during a social engineering attack, Clorox didn’t just get a refund on their service fees. They claimed a $380M financial hit.
The trap is believing that paper protects you.
- A SOC 2 report tells you what controls existed last year.
- A contract tells you who pays a penalty (usually capped at 1.5x fees) after a breach.
Neither tells you if the agent answering the phone right now is about to hand your admin password to a hacker. And crucially, neither protects your resume when the breach happens.
The Mindset Shift: From “Trust” to “Inspection”
We have to stop treating vendors as “Black Boxes” we feed money into. We must treat them as remote branches of our own security team that require active inspection.
- The Old Mindset (The Trap): “I trust the contract and the audit report.”
- The New Mindset (The Solution): “I must validate their controls as strictly as I validate my own, because their failure is my failure.”
The Path Forward: Break the Black Box
How do you govern a black box? You don’t ask nicely. You test it. The Active Assurance Model applies just as much to your vendors as it does to your internal team.
1. Validate (The “Secret Shopper”): Stop reading their PDF reports. Test them. Run the same “Clorox-style” social engineering tests against your vendor’s help desk that you would run against your own.
- Call them.
- Impersonate an executive.
- Create false urgency.
- See if they crumble.
If they fail, you have immediate, irrefutable leverage. You aren’t arguing about “best practices” or “contract language.” You are holding a smoking gun.
2. Govern (The “Kill Switch”): If you cannot verify their internal process, move the guardrail to your side.
Force the vendor to use your identity tools (where you enforce the hard MFA) or your VDI (where you record the screen). Don’t let them operate in the dark. If they can’t prove they are secure, they don’t get to hold the keys.
The Takeaway
Paper shields don’t stop hackers.
If you rely on a contract to protect you from a help desk breach, you don’t have a partner. You have an unquantified liability ticking on your balance sheet.
Stop Trusting. Start Testing.
Read the full guide on moving from passive trust to active assurance here: The Help Desk Is Now a CISO-Level Liability
About Accelerynt
Accelerynt is a Microsoft-native security operations company, founded and led by practitioners who’ve built enterprise security programs. We build and run SIEM, MDR, and MSSP programs inside our clients’ Microsoft tenants using Sentinel, Defender, and Entra ID.