In theory, it sounds simple: suppliers are screened against defined criteria, their risks are assessed, and only then is a supplier selected. In practice, things are usually different. Especially when onboarding suppliers, there is often a pattern of collective irresponsibility – everyone in the company assumes that “the others” will take care of the details. The result: a bureaucratic process that may look convincing on PowerPoint, but is neither efficient nor effective.

The problem: “The parent company takes care of it”

I often observe that responsibilities are unclear when onboarding suppliers. Each department assumes that someone else will take responsibility. Reference is also often made to corporate or group guidelines with the comment that someone will take care of it.

As cybersecurity is an important part of working with external suppliers, information security questionnaires are often sent out by external service providers, completed and returned by the supplier – but no one really checks what they say or whether the answers match the company’s risk level. The assessment is often purely formal, without taking into account the context in which the supplier is used. The result is a tick-box mentality in which ticking off standard questions is more important than actually understanding the risks.

Bureaucracy instead of practiced information security

The use of standard questionnaires – often randomly copied from third-party sources by less competent clerks after a brief web search – and the outsourcing of the assessment to external service providers mean that key questions often remain unanswered:

  • What role does the supplier actually play in the business process?
  • Which data or systems are affected?
  • And what specific (information security) risks does this entail?

Without this contextual information, the risk assessment remains superficial. The process looks neatly documented on the outside, but risks are not actually identified or addressed appropriately. Compliance becomes a mere formality that neither provides protection nor builds trust.

Why this is dangerous

The supply chain of today’s companies has long since become a central gateway for cyber attacks and other risks. Attackers specifically exploit weak links in the chain to gain access to sensitive data and systems. Companies often rely on certifications such as ISO 27001 or SOC 2 – although these show that standards are being adhered to, they often say little about the actual security situation or current threats.

Misguided onboarding leads to undiscovered vulnerabilities with third-party providers, unclear responsibilities in the event of an emergency and ineffective processes for dealing with incidents.

How to do it better: recommendations for effective supplier onboarding

The following tips can be implemented without much effort:

  1. Define clear responsibilities: Each department must know what role it plays in the onboarding process – from IT to purchasing to the specialist department.
  2. Context-based risk assessment: Instead of standard questionnaires, individual risks and deployment scenarios should be considered. This is the only way to derive truly relevant measures.
  3. Use digital tools in a targeted manner: Modern onboarding solutions can help to structure processes and create transparency – but they are no substitute for thinking about individual cases.
  4. Promote collaboration and communication: Suppliers need to understand what requirements apply and why. Training, feedback and regular coordination are crucial for successful collaboration.
  5. Continuous review and adaptation: Risks in the supply chain are constantly changing. Onboarding is not a one-off act, but an ongoing process that needs to be regularly reviewed and adapted.

However, the most important thing is that the defined responsibilities are acknowledged and put into practice by the people in the company. Otherwise, the following still applies: “it only works on PowerPoint!”

Conclusion

Collective irresponsibility in supplier onboarding is a real risk for information security and therefore for the organization. Only when companies clearly regulate responsibilities, design processes based on context and promote collaboration will the often bureaucratic tick-box process become an effective risk management tool. Otherwise, everything remains the same: pretty slides, little substance – and a supply chain that breaks at the first real attack.
