Adidas customers’ personal information at risk after third-party data breach.
Once again, a third party’s cybersecurity has damaged the brand reputation of a world-renowned brand and endangered consumers.
Read more in my article on the Bitdefender blog:
https://www.bitdefender.com/en-us/blog/hotforsecurity/adidas-customers-personal-information-at-risk-after-data-breach
#cybersecurity #databreach
@gcluley@mastodon.green As someone who tried to do third-party security in several companies, I can tell you that most companies don’t care about it unless they’re forced to do so, by regulation or contract. At best, without those mandates, companies pay lip service. But the incentives are misaligned. If you’re the third-party security guy, you’re viewed as a roadblock. The third party has no incentive to give you visibility into their practices; your company’s sponsor for the third-party relationship has minimal incentive to back you up. Instead, that sponsor usually takes the side of the third party. It is a thankless and frustrating position to be in. (That’s true even if you have strong CISO support, which I was fortunate to have.) When the third party has a breach, the sponsor of that relationship rarely pays any kind of price. Often, they’ve moved on to the next thing. Maybe they even got a promotion out of it.