The Silent Supply Chain: Why Your Fourth-Party Vendor is Your Biggest Blindspot
Summary: After CDK Global was hit by a BlackSuit ransomware attack, the U.S. car dealership industry ground to a halt. The incident highlights third-party and deeper supply chain security risk. Traditional questionnaire-based risk management can no longer keep up with a dynamic threat environment; AI-driven real-time monitoring and dynamic frameworks offer a way to secure the modern supply chain. 2026-3-6 10:45:1 Author: securityboulevard.com

I had never heard of CDK Global. They are a small, niche software provider. They happen to power most of the more than 15,000 car dealerships around the U.S. They would have lived on in anonymity as one of the thousands of interconnected companies that make up an industry's global supply chain. June 18, 2024, changed that.

On that day the BlackSuit ransomware group breached CDK Global's network, forcing the software offline and bringing the car dealership industry to a halt. Millions in lost revenue, not to mention headlines and ransom demands. That's the day CDK Global leapt onto my (very long) list of examples of why we need to rethink protection of our shared digital infrastructure.

Every Industry Has a CDK Global

Every sector has its small linchpins that can disrupt entire industries if they go down. Think of the digital lending platform that serves more than a third of global credit unions. A glitch could halt financial transactions worldwide. An outage at a real estate management platform could delay rent and disrupt cash flows for tenants and landlords.  

Verizon's 2025 Data Breach Investigations Report found that 30% of breaches stem from a third party, double the prior year. The problem is accelerating as organizations increasingly rely on specialized vendors who themselves depend on niche fourth- and fifth-party providers. Digital transformation has created a sprawling ecosystem in which each of hundreds of direct vendors has its own web of dependencies. Yet most security teams focus exclusively on direct vendor relationships, leaving organizations exposed to cascading risks buried deep in their extended supply chains.

The Third Parties of Your Third Parties 

Every CISO knows the challenge of managing third-party vendor risk: Too many vendors, too much paperwork, too many bad outcomes on your desk or in the news. And this is just a fraction of your actual attack surface. The problem goes far beyond your own footprint, beyond even your third parties’ footprints. It’s this sprawling, interdependent web of connections that most organizations are still trying to manage with… questionnaires! Which means you’re missing the bulk of the iceberg. 

This network of fourth-, fifth-, and sixth-party dependencies remains completely invisible to traditional risk management approaches. You have no contracts with these companies, no view into their security practices, and no leverage to demand improvements. Yet a vulnerability in any one of them could shut you down. When your cloud provider's data center relies on a compromised HVAC system, or your payment processor depends on a vulnerable file transfer tool, those hidden relationships become your problem, one you may not know about until something breaks.

Questioning the Questionnaire 

Traditional risk management relies on point-in-time assessments that assume risk is static. Threat actor activity changes minute by minute while organizations work with questionnaires that are weeks, months, or even years old. If you’re relying on a questionnaire view, you’re missing most of your third- and fourth-party risk. 

Under-Resourced, Very Fatigued 

Third-party risk teams universally lack sufficient resources: not enough people, budget, or time to manage increasing vendors, cyber risks, and regulations. The result is widespread fatigue and skepticism about whether enormous efforts produce meaningful improvements and questions about whether new technology can pave the way to a better approach. 

AI to the Rescue?  

AI is both a blessing and a curse, but the organizations that are truly leveraging it are unlocking a world of possibilities to monitor, manage, and protect the supply chain that was unthinkable even a few years ago. Here are some very tangible, practical steps those risk and security leaders are taking:

  1. Shift from ‘Some, sometimes’ to ‘All, always.’  AI is quickly solving the challenges of speed and scale. Having gaps in who you monitor or delays in how often you assess their vulnerabilities is no longer excusable. Extend your program to your entire portfolio. Move from periodic assessments to continuous, real-time monitoring of your third, fourth, and nth parties.  
  2. Run the wiring to see what’s connected to whom. Understand which vendor assets your business relies on and how far those dependencies cascade through the supply chain. Map what matters most to your operations, align that understanding with current exposure data, then work with your operations teams to treat your most critical connections accordingly.  
  3. Prioritize intelligently. Focus resources on vendors with unresolved high-severity vulnerabilities affecting critical assets you rely on. This requires combining multiple intelligence sources — vulnerability databases, threat feeds, security ratings, and incident reports — to build a comprehensive view of where active risks are materializing across your vendor ecosystem.
  4. Use your frameworks, but make them dynamic. Lean into your security frameworks but modernize them with real-time insights. They serve as the critical bridge connecting the operational mandate of protection with the governance charter of compliance. But those frameworks need to work in an era of AI. Shared, adaptive, threat-informed… the translation mechanism that gets everyone – or at least those who would have a bad day when your CDK Global hits – on the same page.   
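Steps 2 and 3 above describe a procedure: map which vendor assets your operations depend on, follow those dependencies out to your fourth and nth parties, then rank vendors by unresolved high-severity findings that actually touch critical assets. The following is an added example, not code from the article or from any vendor it names, showing one way to implement that on a small dependency graph. Every vendor name, asset, criticality score and finding below is constructed sample data; the finding identifiers are placeholders, not real CVE numbers.

```python
"""Nth-party dependency mapping and risk prioritization (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vendor: str
    finding_id: str   # placeholder identifier, not a real CVE number
    severity: str     # "critical" | "high" | "medium" | "low"
    resolved: bool


SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed: the business assets we care about, their criticality (1-10),
# and the direct (third-party) vendor that provides each one.
CRITICAL_ASSETS = {
    "dealer-dms": {"criticality": 10, "vendor": "DMSVendor"},
    "payments": {"criticality": 9, "vendor": "PayProc"},
    "hr-portal": {"criticality": 3, "vendor": "HRSaaS"},
}

# Constructed: each vendor's own suppliers (our fourth parties, and so on).
DEPENDENCIES = {
    "DMSVendor": {"CloudHost", "FileXfer"},
    "PayProc": {"FileXfer", "KeyVaultCo"},
    "HRSaaS": {"CloudHost"},
    "CloudHost": {"HVACCo"},
    "FileXfer": set(),
    "KeyVaultCo": set(),
    "HVACCo": set(),
}

# Constructed: a merged feed of vulnerability findings per vendor.
FINDINGS = [
    Finding("FileXfer", "F-1", "critical", resolved=False),
    Finding("HVACCo", "F-2", "high", resolved=False),
    Finding("CloudHost", "F-3", "high", resolved=True),   # fixed, so excluded
    Finding("HRSaaS", "F-4", "medium", resolved=False),   # below threshold
]


def transitive_dependencies(root, deps):
    """Breadth-first walk from a third party outward.

    Returns {vendor: tier} where tier 1 is the third party itself, 2 a fourth
    party, 3 a fifth party, etc. BFS gives the shortest tier and the seen-set
    makes cyclic dependency graphs terminate.
    """
    tiers = {root: 1}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for supplier in deps.get(current, ()):
            if supplier not in tiers:
                tiers[supplier] = tiers[current] + 1
                queue.append(supplier)
    return tiers


def exposure_map(assets, deps):
    """Invert the graph: for every vendor anywhere in the chain, which of our
    critical assets ultimately depend on it, and at what tier.
    Returns {vendor: {asset: tier}}."""
    exposure = {}
    for asset, info in assets.items():
        for vendor, tier in transitive_dependencies(info["vendor"], deps).items():
            exposure.setdefault(vendor, {})[asset] = tier
    return exposure


def prioritize(assets, deps, findings, min_severity="high"):
    """Rank vendors by unresolved findings at or above min_severity, weighted by
    the criticality of every asset that transitively depends on them.
    Returns a list of (vendor, {"score", "assets", "findings"}) sorted high to low."""
    exposure = exposure_map(assets, deps)
    threshold = SEVERITY_WEIGHT[min_severity]
    scores = {}
    for f in findings:
        if f.resolved or SEVERITY_WEIGHT[f.severity] < threshold:
            continue
        affected = exposure.get(f.vendor, {})
        if not affected:
            continue  # vendor is in the feed but nothing we rely on depends on it
        weight = SEVERITY_WEIGHT[f.severity] * sum(assets[a]["criticality"] for a in affected)
        entry = scores.setdefault(f.vendor, {"score": 0, "assets": affected, "findings": []})
        entry["score"] += weight
        entry["findings"].append(f.finding_id)
    return sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for vendor, detail in prioritize(CRITICAL_ASSETS, DEPENDENCIES, FINDINGS):
        print(f"{vendor}: score={detail['score']} assets={detail['assets']} findings={detail['findings']}")
```

Note what the ranking surfaces: FileXfer, a fourth party with no contract to us, outranks everything because one unresolved critical finding sits under two of our most critical assets, and the HVAC supplier three tiers out still appears because the cloud host both critical and non-critical assets use depends on it. A resolved finding and a medium-severity one drop out, which is the "prioritize intelligently" filter from step 3 rather than a raw count of vendor findings.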

Organizations that survive this shift will be those that can finally see what’s been hidden. Evolve risk management to match modern supply chain complexity, or remain vulnerable to the hidden dependencies that could halt your business overnight.


Source: https://securityboulevard.com/2026/03/the-silent-supply-chain-why-your-fourth-party-vendor-is-your-biggest-blindspot/