A strong supplier assessment tells you how a supplier governs itself. An outside-in rating tells you what an attacker can see right now. You need both, and together they make supplier assurance powerful. Here are the nine surfaces the outside-in half brings.

A serious supplier-assurance questionnaire is the backbone of any third-party programme. A good one - structured by domain, evidence-backed and scored consistently - tells you how a supplier governs itself: its policies, its controls, its certifications, the things you genuinely cannot see from outside. That work is essential, and nothing here replaces it.
But governance is only one of two questions. The other is: what does this supplier look like to an attacker, right now? Any assessment is answered from the inside and at a point in time. It cannot see the forgotten edge appliance, the expired certificate, the admin portal exposed last week, or the credentials already for sale on a dark-web market. That is a different question, and it needs a different lens.
An outside-in rating answers that second question. Instead of asking the supplier what they do, it looks at what is observable from the public internet - the same vantage point an attacker starts from. No agent and no permission required, because none of it is intrusive: it is passive analysis of what the supplier has already published to the world.
Done properly, that observation resolves into nine distinct security surfaces.
Each surface answers a different question an attacker would ask:
Nine surfaces is a lot to hold across hundreds of suppliers, so the outside-in view collapses into a single, severity-weighted A-F grade you can read in a second - and drill into when it looks wrong: which surface dragged it down, which finding drove it, what the trend has been. That grade sits alongside the assessment score; it does not replace it. One tells you how the supplier governs itself, the other tells you what an attacker sees.
Where the two disagree is where the value is. A confident assessment and a failing external grade should never quietly coexist - and on one platform, that contradiction is visible. Visible contradictions get fixed.
This is the real point. Supplier assurance is powerful when a platform does both halves well: a state-of-the-art assessment for the inside-out view of how a supplier governs itself, and continuous outside-in scanning for the attacker’s view - fused into one calibrated signal per supplier.
Neither half wins. The assessment brings depth the outside can never show; the rating brings the live, external reality the inside can never see. Run them together and a supplier’s risk stops being a snapshot or a guess and becomes a current, defensible picture.
A good programme rates every supplier continuously, prioritises findings by whether they are actually being exploited - EPSS scores and the CISA Known Exploited list, not raw CVSS - and ties a weak grade back to the business services that supplier underpins, so a failing rating becomes a continuity question, not just a security one.
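To make the prioritisation and grading logic concrete, here is an added illustration (not the platform's own code): findings are ranked by KEV membership and EPSS probability before CVSS, rolled into a severity-weighted A-F grade, and a failing grade is mapped back to the business services the supplier underpins. The finding data, placeholder CVE ids, surface names, weights and grade thresholds are all constructed assumptions.

```python
"""Exploitation-led prioritisation and A-F grading for supplier findings.
Added illustration; sample data, weights and thresholds are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    supplier: str
    surface: str   # outside-in surface the finding came from (constructed names)
    cve: str       # placeholder identifiers, not real CVEs
    cvss: float    # CVSS base score, 0-10
    epss: float    # EPSS probability of exploitation in the next 30 days, 0-1
    in_kev: bool   # listed in the CISA Known Exploited Vulnerabilities catalog

def priority_key(f: Finding) -> tuple:
    """Known exploitation first, exploitation probability second, CVSS last."""
    return (not f.in_kev, -f.epss, -f.cvss)

def rank(findings):
    return sorted(findings, key=priority_key)

def severity_weight(f: Finding) -> float:
    """Assumed weighting: a KEV entry counts fully, others scale with EPSS."""
    return 10.0 if f.in_kev else 10.0 * f.epss

def grade(findings) -> str:
    """Assumed thresholds: summed weight below 1 is A, 15 or more is F."""
    total = sum(severity_weight(f) for f in findings)
    for letter, limit in (("A", 1), ("B", 3), ("C", 6), ("D", 10), ("E", 15)):
        if total < limit:
            return letter
    return "F"

def continuity_risks(findings, services, failing=("E", "F")):
    """Tie a weak grade back to the business services the supplier underpins."""
    by_supplier = {}
    for f in findings:
        by_supplier.setdefault(f.supplier, []).append(f)
    return {s: services.get(s, []) for s, fs in by_supplier.items()
            if grade(fs) in failing}

# Constructed sample: the highest-CVSS finding is NOT the most urgent one.
FINDINGS = [
    Finding("acme-hosting", "certificates", "CVE-0000-0001", 9.8, 0.02, False),
    Finding("acme-hosting", "admin portal", "CVE-0000-0002", 7.5, 0.91, True),
    Finding("acme-hosting", "edge appliance", "CVE-0000-0003", 8.1, 0.45, False),
]
SERVICES = {"acme-hosting": ["citizen portal", "payments"]}  # constructed mapping

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f.cve, f.surface, "KEV" if f.in_kev else f"EPSS {f.epss:.2f}")
    print("grade:", grade(FINDINGS), "continuity:", continuity_risks(FINDINGS, SERVICES))
```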
Done that way, supplier assurance stops being either a stack of questionnaires or a wall of external scores. It becomes one platform that answers both questions at once - how a supplier governs itself, and what an attacker can see - and keeps answering them as the world changes.