
Episode 52: Different services within the cyber supply chain

  • Writer: Embedded IT
  • Aug 11
  • 4 min read

Updated: 6 days ago


Cyber security programmes rely on a wide range of suppliers, partners and specialists. For procurement teams, knowing who does what in this supply chain is essential. Let's explore each layer of the cyber security supplier landscape, how organisations interact with them and why choosing the right partner depends on understanding capability, architecture and long-term needs.


Starting with resellers in the supply chain


At the base of the cyber supply chain are resellers. These companies sell security products, often without providing much extra configuration or service. While resellers still exist, they are less common than they once were because most suppliers now earn more value from implementation and ongoing service.


Their main strength lies in navigating complex licensing. Many organisations rely on them to understand software licensing models and ensure they buy only what they need, avoiding situations where unfamiliarity leads to poor purchasing decisions.


In recent years, major vendors have increasingly pushed cloud-native, subscription-based versions of their software. This shift introduces new challenges. Organisations face greater risk of vendor lock-in, and architectural flexibility becomes harder to maintain. Large enterprises are now actively designing systems to avoid dependency on a single cloud provider and, in some cases, are required by regulation to plan for cloud exit strategies. Multi-cloud deployments often mean taking more responsibility for the architecture rather than relying on fully managed cloud services.


Procurement teams therefore need suppliers who understand this complexity and can support architectural decisions that remain portable, maintainable and compliant.


Working with consultants and specialist contractors


Consultants and contractors form the next layer of the supply chain. They bring specialist skills and often command premium rates, particularly in cyber security. Certifications such as CISSP help demonstrate breadth of knowledge, allowing procurement teams to validate a consultant’s capability when they do not know them personally.


However, the large number of security certifications can lead to unrealistic job specifications that list every qualification found online. This usually reflects unclear requirements.


A better approach is to establish the actual needs of the security programme. Involving consultants early helps shape the priorities, define the architecture and ensure the programme is based on capability rather than individual preferences for certain tools or dashboards.


A common challenge is continuity. Many IT functions operate on a project-based resourcing model, where teams assemble to deliver a task and disband afterwards. This means new faces often provide advice without full context of how systems interconnect. Without retained internal knowledge, organisations risk paying more later when urgent projects arise.


Implementation partners and managed security service providers


Once requirements and designs are defined, organisations often work with implementation partners to configure and deploy security tooling. This includes buying equipment, installing systems and assisting with transition.


A major part of the security services market is managed security service providers, or MSSPs. These partners can operate a security operations centre on behalf of the organisation. They are often used when:


  • auditors or regulators have identified gaps in security maturity

  • internal teams lack the resources or expertise to run security operations

  • temporary support is needed while hiring or upskilling permanent staff

  • the organisation is too small to justify its own security team


MSSPs provide capability and rapid improvement, but they introduce more complex procurement considerations. Service level agreements, commercial value, integration with existing IT processes and clarity around responsibilities must all be understood before signing a contract.


As with SaaS services, if SLAs are not met, organisations should expect formal service reviews and appropriate service credits.


Penetration testing and red teaming


Penetration testing plays an important role before new systems go live. It involves a practical assessment of vulnerabilities, with testers attempting to break into systems and providing a report of issues to resolve before real users access the service. Pen tests are usually purchased per engagement, although larger organisations may retain a provider.


Only a small portion of production systems is typically deemed critical enough for full penetration testing. The rest are covered by automated approaches, such as dynamic application security testing or web application scanning, which help monitor both on-premises and cloud-based perimeters.


Red teaming extends this by simulating more realistic adversarial attacks to test an organisation’s detection and response capabilities.


Managing the attack surface


Modern estates change too quickly to be tracked manually. Attack surface management tools continuously scan for assets owned by the organisation, matching them through public records and feeding them into vulnerability management processes. With cloud services expanding rapidly, this monitoring has become essential.


This also affects mergers and acquisitions, where asset ownership and exposure need to be transferred correctly.


For procurement teams, understanding the size and shape of the attack surface is critical. Without clarity, they risk buying tools or services that cannot meet the organisation’s real needs.


Bringing the layers together


Across resellers, consultants, MSSPs, testers and attack surface management providers, the cyber security supply chain is broad and interconnected. Procurement teams will interact with many of these supplier types through the lifecycle of a security programme. Understanding what each does, and what the organisation truly needs, enables better decisions and avoids unnecessary cost.


For organisations looking to strengthen their cyber security procurement approach, get in touch.

