Lean IT means concentrated vendor risk. A one-page triage any executive can run — no security team required.
There's a particular kind of letter crossing executive desks more often lately. It starts: "We are writing to inform you that one of our service providers experienced a security incident…"
The latest round went out in recent weeks, after a healthcare software vendor disclosed a March intrusion that exposed patient data across a large number of client organizations1 — clinics and practices that did nothing wrong except rely on a vendor, which is to say, operate like a modern company. Industry tallies now attribute roughly a quarter of incidents to third-party SaaS applications, and the share keeps climbing.2
If you run a mid-market company, this trend line points directly at you. Here's why — and what to do that doesn't require a security department.
Mid-market companies run lean IT by outsourcing to SaaS — payroll, CRM, ERP, file storage, the specialty application your industry runs on. That's not a weakness; it's usually the correct strategy. A 200-person company should not be running its own email servers.
But every one of those decisions moves your data and your uptime onto someone else's infrastructure, protected by someone else's security budget, disclosed on someone else's timeline. The risk didn't disappear. It concentrated — into a vendor list nobody reads.
When a vendor is breached, three obligations come home to you regardless of whose fault it was:
Your customers. They gave their data to you, not to your vendor. The notification letter goes out on your letterhead.
Your regulators. Disclosure duties — state privacy laws, industry rules, contractual commitments — attach to you. "Our vendor was slow to tell us" is an explanation, not a defense.
Your insurer. Cyber policies increasingly ask how you manage third-party risk. A claim involving a vendor you never assessed invites uncomfortable questions at exactly the wrong moment.
You can delegate the operation. You cannot delegate the accountability.
You don't need a vendor-risk management platform to start. You need a list and an hour with your leadership team. Ask three questions:
Which vendors could stop revenue? If this system went down for a week, what happens to orders, production, payroll?
Which vendors hold data that would trigger a disclosure? Customer PII, employee records, health or financial data.
Which vendors have a door into our environment? Integrations, agents, remote access, admin credentials.
Any vendor that appears on two of those lists is a critical vendor. Most companies find they have five to ten. That's the list that deserves real attention — not the other two hundred.
For that short list, the cheapest risk reduction available is language. At the next renewal — or sooner, if the relationship allows — ask for:
Vendors serving the mid-market hear these requests regularly now. The ones that push back hard on all four are telling you something useful.
Vendor risk isn't a project you complete; it's a question you keep asking, because the vendor list keeps changing. It's a standing item in every stack and team assessment we run — right alongside the systems and the people — because in a lean IT model, your vendors are part of your stack.
The letter that starts "we are writing to inform you" may still arrive someday. The goal is that when it does, it's a process you rehearsed — not a scramble you improvise.
A stack & team assessment covers your systems, your people, and the vendors holding it all together — an honest outside read, in weeks, not quarters.
No SDR layer. We sell expertise, not products.