Most organizations invest heavily in securing their own networks, identities, and endpoints — yet depend on dozens or hundreds of external vendors to operate day-to-day. In practice, some of the most sensitive data and critical processes live outside the organization’s direct control. Attackers know this and increasingly target third parties, service providers, and support channels as the path of least resistance.
This talk draws on real-world risk assessment experience to examine how trust in vendors is established, where it breaks down, and why common assurance mechanisms often fail to reflect actual exposure. Certifications, questionnaires, and contractual clauses can create a sense of comfort, but they do not prevent misconfigurations, credential compromise, insider threats, or cascading failures across interconnected systems.

We will look at practical scenarios where vendor relationships introduced unexpected risk — from privileged access and data handling practices to hidden subcontractors and opaque technology stacks. The session will also discuss how emerging dependencies on AI services and automated decision systems complicate accountability and visibility even further.

The goal is not to criticize vendors, but to provide a realistic framework for evaluating trust in environments where organizations must rely on infrastructure they do not own and cannot fully audit. Attendees will gain practical considerations for identifying high-risk relationships, improving due diligence conversations, and preparing for incidents that originate outside their perimeter.
This session is intended for security practitioners, risk professionals, architects, and leaders responsible for safeguarding systems that depend on third-party services.
Speakers
Ankan Garg

Senior GRC Analyst, Lululemon
Ankan Garg is a cybersecurity practitioner specializing in Third-Party Risk Management (TPRM), cloud security, and governance. He works with organizations to evaluate the security posture of vendors, SaaS platforms, and supply chains that underpin modern digital services. In addition...
Monday June 1, 2026 4:00pm - 4:20pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA
515 W Hastings St, Vancouver, BC V6B 5K3, Canada