Why Procurement Is the Biggest Gateway to Cyber Breaches—And Most Organizations Still Don’t See It

Posted on October 14, 2025



A 14-Year Pattern of Missed Connections

In April 2010, I interviewed Richard Stiennon, founder of IT-Harvest and one of the industry’s top cybersecurity experts, about the emerging threat of cyberattacks.

Stiennon’s recommendation was prescient:

“The best way to deal with the threat of a cyberattack is using economic levers as the primary deterrent mechanism by increasing the costs for the attackers through the improvement of defenses.”

Karen S. Evans, former federal CIO under the Bush administration, called for similar vigilance:

“Focus on continuous monitoring and situational awareness by creating an early-warning system that could sniff out attacks.”

That was 14 years ago.

Today, in 2025, I’m writing the same warning—but with a critical addition most cybersecurity discussions still miss:

The biggest gateway to enterprise cyber breaches isn’t your firewall, your encryption, or your perimeter security.

It’s procurement.


The Pogo Problem: “We Have Met the Enemy, and He Is Us”

There’s a famous Pogo cartoon where the character, looking into a mirror, proclaims: “We have met the enemy, and he is us.”

In August 2023, I explored this dynamic in procurement and cybersecurity contexts. The statistics are sobering:

2017: “95 Percent of Enterprises Found Employees To Bypass Security Controls.” — DTEX Systems

2023: “74% of employees said they would bypass cybersecurity guidance if it helped them or their team achieve a business objective.” — Help Net Security

Let that sink in: Three-quarters of your employees will circumvent security policies when those policies interfere with getting work done.

This isn’t malicious. It’s pragmatic.

And it’s why rigid, command-driven security controls fail—even when the underlying technology (RSA encryption, authentication systems, access controls) is perfect.


The Story Everyone in Procurement Recognizes

Before you dismiss this as “other people’s problem,” consider this story that’s been circulating in procurement circles:

An old lady handed her bank card to the teller and said “I would like to withdraw $10”. The teller told her “for withdrawals less than $100, please use the ATM.”

The old lady wanted to know why. The teller irritably told her “these are the rules, please leave if there is no further matter.”

The old lady remained silent, then handed her card back and said “please help me withdraw all the money I have.”

The teller was astonished when she checked the account balance: $1,300,000. She respectfully told her “you have $1,300,000 in your account but the bank doesn’t have that much cash currently. Could you make an appointment and come back tomorrow?”

The old lady asked how much she could withdraw immediately. The teller said any amount up to $3000.

“Well please let me have $3000 now.” The teller kindly handed over $3000 with a smile.

The old lady put $10 in her purse and asked the teller to deposit $2,990 back into her account.

The moral: Don’t be difficult with people who’ve spent a lifetime learning how to work around rigid policies.

The procurement reality: Longtime procurement professionals know every workaround, every bypass, every exception process.

The security implication: If your security policies are rigid enough to interfere with procurement workflows, they WILL be bypassed—creating the very vulnerabilities they’re meant to prevent.


Who Is “Us”? The Third-Party Problem

According to UpGuard:

“Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain. Such parties may include vendors, suppliers, partners, contractors, or service providers, who have access to internal company or customer data, systems, processes, or other privileged information.”

Translation: Your suppliers have access to your systems. And you—procurement—control that access.

The track record is damning:

2014: Target breach caused by lax security at an HVAC vendor

2017-2019: Multiple breaches through third-party service providers with virtual access to information systems

2022: Supply chain attacks spike as attackers target software vendors

2023: “84% of leaders believe that software supply chain attacks could become one of the biggest cyber threats” — CrowdStrike

The pattern is clear. The solution isn’t.

Because most organizations still treat this as an IT problem when it’s fundamentally a PROCUREMENT problem.


Why Procurement? Because You Control the Gateway

Your IT team secures YOUR infrastructure:

  • Firewalls ✓
  • RSA encryption ✓
  • Strong authentication ✓
  • Monitored networks ✓

Your procurement team determines WHO accesses that infrastructure:

  • Which suppliers get credentials?
  • What systems can they access?
  • For how long?
  • With what level of privilege?
  • Under what monitoring?

If procurement gives 500 suppliers permanent, unmonitored access with weak authentication, your IT team’s perfect RSA encryption is meaningless.

The breach doesn’t come through your firewall. It comes through Supplier #247’s reused password from a phishing email.

And procurement approved that access.


The Dwell Time Problem: How Long Before You Notice?

As a procurement professional, do you know what “dwell time” is?

You should. You have to.

Dwell time: The period between when an attacker gains access and when the breach is detected.

Industry average dwell time: 200+ days

Translation: For 6+ months, attackers are inside your systems—potentially through supplier credentials you approved—before anyone notices.

Karen Evans called for “continuous monitoring and situational awareness” in 2010.

14 years later, most procurement systems still don’t have:

  • Real-time behavioral monitoring of supplier access
  • Anomaly detection for unusual procurement data queries
  • Automated alerts when supplier credentials are used outside normal patterns
  • Audit trails showing WHO accessed WHAT and WHEN

Why not?

Because procurement technology hasn’t been viewed as a security concern—it’s been viewed as a workflow efficiency tool.

That’s changing. Slowly. But organizations are still playing catch-up from attacks that happened years ago.
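The monitoring gaps listed above (behavioral baselines, anomaly detection on procurement queries, alerts on out-of-pattern credential use, WHO/WHAT/WHEN audit trails) are concrete enough to show in code. The following is an added example, not code from the original article or from any procurement platform: it builds a per-supplier baseline from a constructed audit log and flags later accesses that fall outside it. The one-line log format, the supplier id S-247, the dataset names and the 5× volume threshold are all assumptions for illustration.

```python
"""Baseline-and-anomaly checks over supplier access audit lines.

Added example, not the article's or any vendor's code. The log format
"timestamp supplier_id action dataset rows" is an assumption for
illustration, as are the supplier id, dataset names and thresholds.
"""
from datetime import datetime

# Constructed sample audit lines: supplier S-247 normally reads a few dozen
# invoice rows during business hours, then one night the same credential
# behaves very differently (the "Supplier #247" scenario from the article).
SAMPLE_LOG = """\
2025-10-01T09:12:00 S-247 QUERY invoices 40
2025-10-02T10:05:00 S-247 QUERY invoices 55
2025-10-03T11:30:00 S-247 QUERY invoices 38
2025-10-06T09:45:00 S-247 QUERY invoices 61
2025-10-07T03:14:00 S-247 QUERY invoices 52
2025-10-07T03:20:00 S-247 QUERY supplier_bank_details 9000
2025-10-07T03:25:00 S-247 EXPORT contracts 1200
"""

VOLUME_MULTIPLIER = 5  # assumption: flag reads larger than 5x the baseline maximum


def parse_log(text):
    """Parse the constructed audit format into event dicts (WHO, WHAT, WHEN)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, supplier, action, dataset, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "supplier": supplier,
            "action": action,
            "dataset": dataset,
            "rows": int(rows),
        })
    return events


def build_baseline(events, learning_until):
    """Per-supplier behavioral baseline from events before `learning_until`:
    hours of day seen, actions used, datasets touched and largest row count."""
    baseline = {}
    for ev in events:
        if ev["ts"] >= learning_until:
            continue
        b = baseline.setdefault(ev["supplier"], {
            "hours": set(), "actions": set(), "datasets": set(), "max_rows": 0,
        })
        b["hours"].add(ev["ts"].hour)
        b["actions"].add(ev["action"])
        b["datasets"].add(ev["dataset"])
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return baseline


def detect_anomalies(events, baseline, learning_until):
    """Return one alert per post-baseline event that breaks any baseline rule.
    Each alert carries every reason, so an analyst sees the whole picture."""
    alerts = []
    for ev in events:
        if ev["ts"] < learning_until:
            continue
        b = baseline.get(ev["supplier"])
        reasons = []
        if b is None:
            reasons.append("no baseline for supplier")
        else:
            if ev["ts"].hour not in b["hours"]:
                reasons.append("access outside baseline hours")
            if ev["action"] not in b["actions"]:
                reasons.append(f"new action {ev['action']}")
            if ev["dataset"] not in b["datasets"]:
                reasons.append(f"first access to dataset {ev['dataset']}")
            if ev["rows"] > VOLUME_MULTIPLIER * b["max_rows"]:
                reasons.append(
                    f"row volume {ev['rows']} exceeds {VOLUME_MULTIPLIER}x "
                    f"baseline max {b['max_rows']}")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(),
                           "supplier": ev["supplier"],
                           "reasons": reasons})
    return alerts


def run_sample(extra_lines=""):
    """Learn from the first week of the constructed log, then score the rest."""
    events = parse_log(SAMPLE_LOG + extra_lines + "\n")
    cutoff = datetime(2025, 10, 7)  # assumption: baseline closes at this date
    return detect_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["ts"], alert["supplier"], "; ".join(alert["reasons"]))
```

The first night-time query is only out of hours; the bank-details read and the contract export each stack several reasons (off hours, new dataset, new action, volume), which is the shape a real alert should have: the baseline turns a 200-day dwell time into a same-night signal, and the reasons are the audit trail the article says most procurement systems lack.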


What Changed Between 2010 and 2024?

Let me compare what I documented in 2010 vs. what I’m seeing in 2024:

What HASN’T changed: The disconnect between procurement’s role and cybersecurity responsibility.

What HAS changed: The stakes. Every day without addressing this gap increases risk exponentially.


The Policy Bypass Reality: Why Rigid Security Fails

Back to those statistics:

  • 95% of enterprises found employees bypassing security controls
  • 74% of employees admit they’d bypass cybersecurity guidance for business objectives

Why does this happen?

Not because employees are reckless. Because security policies are often:

  • ❌ Rigid (command-driven interfaces requiring exact steps)
  • ❌ Friction-heavy (multiple authentication steps for routine tasks)
  • ❌ Context-blind (same security for low-risk and high-risk actions)
  • ❌ Time-consuming (deadline pressure overrides security compliance)

The result: Employees find workarounds. Just like the old lady at the bank.

In procurement:

  • Shadow procurement (bypassing official channels)
  • Credentials shared between users (to avoid authentication hassles)
  • Policies ignored when suppliers complain about access restrictions
  • “Just this once” exceptions that become permanent practice

Each workaround opens the gateway wider.


What “Raising Attacker Costs” Actually Means

Remember Stiennon’s 2010 recommendation?

“Using economic levers as the primary deterrent mechanism by increasing the costs for the attackers through the improvement of defenses.”

Here’s what that means in 2024 procurement context:

LOW attacker cost (easy target):

  • Supplier credentials never expire
  • No multi-factor authentication
  • No behavioral monitoring
  • No anomaly detection
  • Permanent access to all procurement data
  • No audit trails

HIGH attacker cost (hard target):

  • Time-limited supplier credentials (48-hour access windows)
  • Multi-factor authentication required
  • Behavioral baseline monitoring (flags unusual access patterns)
  • Least-privilege access (suppliers see only relevant data)
  • Automated audit trails (every action logged and analyzable)
  • Real-time alerts on anomalies

The difference: Low-cost targets get breached. High-cost targets don’t—attackers move to easier victims.

Your procurement platform determines which category you’re in.
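To make the LOW-cost versus HIGH-cost contrast above concrete, here is an added example (not code from the article or from any procurement product) that evaluates a supplier access request against a grant. A "weak" grant has no expiry, no MFA requirement and an all-data scope; a "hardened" grant uses the 48-hour window, requires MFA and limits the supplier to named datasets. Every decision is appended to an audit trail. The grant fields, the supplier id and the dataset names are assumptions for illustration.

```python
"""Supplier access grant evaluation: weak versus hardened grant settings.

Added example, not the article's or any vendor's code. Grant and request
fields, the 48-hour window, supplier id and dataset names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    supplier: str
    issued_at: datetime
    ttl_hours: Optional[int]   # None means a permanent credential
    require_mfa: bool
    datasets: frozenset        # least-privilege scope; {"*"} means everything


@dataclass
class Request:
    supplier: str
    dataset: str
    at: datetime
    mfa_verified: bool


# Every decision lands here; a real deployment would use an append-only store.
AUDIT_TRAIL = []


def evaluate(grant, req):
    """Return (allowed, reason). Checks run in the order that closes the
    cheapest attacks first: expiry, then MFA, then data scope."""
    if grant.supplier != req.supplier:
        decision = (False, "grant belongs to another supplier")
    elif (grant.ttl_hours is not None
          and req.at > grant.issued_at + timedelta(hours=grant.ttl_hours)):
        decision = (False, "credential expired")
    elif grant.require_mfa and not req.mfa_verified:
        decision = (False, "mfa required")
    elif "*" not in grant.datasets and req.dataset not in grant.datasets:
        decision = (False, f"dataset {req.dataset} outside granted scope")
    else:
        decision = (True, "allowed")
    AUDIT_TRAIL.append({"ts": req.at.isoformat(), "supplier": req.supplier,
                        "dataset": req.dataset, "allowed": decision[0],
                        "reason": decision[1]})
    return decision


# Constructed scenario: a credential issued in January is phished and replayed
# months later, at night, without MFA, against data the supplier never needed.
ISSUED = datetime(2025, 1, 15, 9, 0)
WEAK = Grant("S-247", ISSUED, ttl_hours=None, require_mfa=False,
             datasets=frozenset({"*"}))
HARDENED = Grant("S-247", ISSUED, ttl_hours=48, require_mfa=True,
                 datasets=frozenset({"invoices", "purchase_orders"}))

REPLAYED = Request("S-247", "supplier_bank_details",
                   datetime(2025, 10, 7, 3, 20), mfa_verified=False)
LEGIT = Request("S-247", "invoices", datetime(2025, 1, 16, 10, 0),
                mfa_verified=True)
IN_WINDOW_NO_MFA = Request("S-247", "invoices", datetime(2025, 1, 16, 10, 0),
                           mfa_verified=False)
IN_WINDOW_OUT_OF_SCOPE = Request("S-247", "supplier_bank_details",
                                 datetime(2025, 1, 16, 10, 0), mfa_verified=True)


def compare():
    """Run the same requests against both grants; returns decisions by label."""
    return {
        "weak_replayed": evaluate(WEAK, REPLAYED),
        "hardened_replayed": evaluate(HARDENED, REPLAYED),
        "hardened_legit": evaluate(HARDENED, LEGIT),
        "hardened_no_mfa": evaluate(HARDENED, IN_WINDOW_NO_MFA),
        "hardened_out_of_scope": evaluate(HARDENED, IN_WINDOW_OUT_OF_SCOPE),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in compare().items():
        print(f"{label:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The weak grant allows the replayed credential in full; the hardened grant refuses it at the first check because the 48-hour window closed in January, and even a replay inside the window would still fail MFA or scope. The legitimate in-window, MFA-verified request to an in-scope dataset still goes through, which is the point: raising attacker cost does not have to raise supplier friction.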


The Framework: Why This Is Multiplicative, Not Additive

Perfect encryption (RSA) × Poor access governance = Breach waiting to happen

Here’s the math:

Technical Capability (RSA encryption): 8.0/10

  • Strong encryption standards
  • Secure data transmission
  • Perfect technical implementation

Behavioral Alignment (user compliance): 6.5/10

  • 74% bypass security policies when convenient
  • Rigid interfaces create friction
  • Users share credentials to avoid hassle

Readiness Compensator (governance): 6.0/10

  • No supplier access monitoring
  • Permanent credentials (not time-limited)
  • No behavioral anomaly detection
  • Weak audit trails

Result: 8.0 × 6.5 × 6.0 = 312 out of a possible 10 × 10 × 10 = 1,000 (31.2% of potential security realized)

You have perfect encryption protecting 31% of your actual attack surface.

The other 69%? The procurement gateway.


What This Means for Procurement Professionals

In 2010, I interviewed cybersecurity experts about emerging threats.

In 2024, I’m writing to procurement professionals about existing responsibilities.

Because somewhere between 2010 and 2024, procurement became the cybersecurity front line—and most organizations haven’t told you yet.

You control:

  • Which suppliers get system access
  • What data they can see
  • How long they retain access
  • What authentication they need
  • Whether anyone monitors their activity

Every one of those decisions is a security decision.

Not an IT decision. A procurement governance decision.

And if your procurement platform has:

  • ❌ Rigid, command-driven interfaces (users bypass)
  • ❌ No behavioral monitoring (can’t detect breaches)
  • ❌ Permanent supplier access (attack window never closes)
  • ❌ Weak authentication (credentials easily compromised)

Then you’re not just failing at procurement efficiency. You’re failing at cybersecurity.


Tomorrow: The Solution

This article establishes the problem: Procurement is the biggest gateway to cyber breaches, and the industry has documented this for 14 years without fundamentally addressing it.

Tomorrow, I’ll explore the solution: Why conversational interfaces combined with embedded governance can achieve what rigid command-driven security can’t—actual compliance instead of security theater.

The key insight: When security is embedded in natural workflow (conversational interfaces), users comply. When it’s an obstacle (command-driven policies), users bypass.

That’s not a technology problem. That’s a behavioral alignment problem.

And behavioral alignment is exactly what procurement transformation requires.


The 14-Year Pattern

I’ve been writing about this since 2010.

Target got breached in 2014.

CrowdStrike reports 84% of leaders see supply chain as top cyber threat in 2023.

And most organizations still separate procurement from cybersecurity discussions.

How many more years? How many more breaches?

The answer isn’t better firewalls or stronger encryption.

The answer is procurement governance that raises attacker costs by making supplier access:

  • Time-limited (not permanent)
  • Monitored (behavioral baselines)
  • Least-privilege (need-to-know basis)
  • Audit-trailed (every action logged)
  • Conversationally embedded (so users don’t bypass)

That’s the “improvement of defenses” Stiennon recommended in 2010.

14 years later, it’s still the right answer.

Are we finally ready to implement it?


#Cybersecurity #Procurement #SupplyChain #ThirdPartyRisk #DataBreach #RiskManagement #DigitalTransformation #ProcurementLeadership


Posted in: Commentary