Modern enterprise systems often depend on a variety of complex architectures and technologies to achieve an organization's core mission and objectives. These systems rely on direct and indirect supply chains as well as vendor relationships, which can expose the business to mission-critical risks.
Your organization can incorporate diversification strategies into its supply chain risk management (SCRM) processes. This will help mitigate risks to mission-critical objectives and reduce vulnerabilities associated with over-dependence on a single vendor or dominant technology stack. All security controls referenced in this guidance are documented in our publication Cyber security and privacy risk management - A lifecycle approach Security and privacy controls (ITSP.10.033).
Vendor diversification
Vendor diversification refers to the strategy of engaging a wide range of vendors and complementary solutions. The goal of this strategy is to mitigate risks associated with over-dependence on a single supplier or technology stack. This approach, also known as supplier diversity, requires organizations to:
- evaluate solution strengths and weaknesses
- assess vendor confidence risks
- determine the criticality to business functions (for example, single point of failure (SPOF) or criticality path analysis)
- identify critical functions exposed to high-risk vendors
- implement measures to mitigate associated risks
In this context, a high-risk vendor includes any vendor or service provider assessed as posing a significant risk to your organization. A high-risk vendor compromise will impact the security of your organization's information systems and your critical business functions.
The goal of vendor diversification is to develop resilient architectures and leverage procurement decisions to build a robust cyber security posture. This will help protect your organization against risks, including:
- unexpected business failures
- geopolitical disruptions
- vendor lock-in
- blind spots in threat detection tools
Another benefit of diversifying your vendors is that your organization will have access to broad offerings aligned with a vendor's strength, while also providing an additional layer of protection against single-ecosystem vulnerabilities.
Balancing diversity and complexity
Although diversification is vital for developing resilient architectures, managing multiple vendors, contracts, network infrastructure and operation teams can become more challenging. Handling numerous products and relationships can also introduce interoperability challenges. If diversification is not carefully implemented and managed, it can lead to operational inefficiencies and higher costs.
Therefore, we recommend an approach that continuously assesses design outcomes against mission objectives. The goal is to build and operate a secure, resilient and robust architecture while avoiding risks associated with an unmanageable collection of disparate enterprise security solutions.
Why vendor diversification is critical
Vendor diversification is important because it:
- avoids SPOF
  - particularly when reliance on a single vendor or single technology stack would introduce a SPOF
  - if a single-sourced solution supports several mission-critical assets, a vulnerability or compromise within that system can have significant repercussions and cascade across your organization's environment
  - diversification, together with defence-in-depth and heterogeneity, can help mitigate associated risks
- prevents many automated attacks
  - ransomware-as-a-service and other scripted or automated attack types exploit a limited, specified set of vulnerabilities
  - finding vulnerabilities across multiple technology stacks and embedding them as contingencies in automated malware can present too high an investment for numerous lower-level threat actors
- reduces vendor lock-in
  - you may have less leverage in negotiations with vendors if you rely excessively on a single provider
  - diversification allows you to select best-of-breed solutions for specific security layers and provides the flexibility to switch providers if needed
- provides specialized, enhanced capabilities
  - different vendors have unique areas of specialization and technical capabilities
  - by using a diverse set of vendors, your organization can benefit from a wider range of specialized capabilities, which can mitigate a broader spectrum of threats
  - by using different vendor solutions, your organization can take advantage of differences in threat update cycles to respond and defend against zero-day or emerging threats (for example, your boundary protection defence solution (firewall or intrusion prevention system) may deliver a faster turnaround on threat updates to address a zero-day vulnerability than your endpoint antivirus or endpoint threat prevention solution vendor)
- increases ecosystem resilience against attacks
  - a diverse vendor ecosystem introduces an additional layer of unpredictability that makes it more difficult for threat actors to target your environment
  - diversified enterprise management activities may introduce additional overhead, but they can serve as a layer of defence for improving network redundancy and strengthening cyber threat detection capabilities
- enhances opportunities for threat detection
  - diversification not only increases the work factor for threat actors to discover an organization's assets, but it also increases the likelihood that the attacker will require additional techniques to achieve their objectives. This can be very effective against lower-level actors who may have limited flexibility, while meaningfully slowing down sophisticated attackers and providing more time for detection
Key strategies for implementation
The following section offers the best strategies to implement vendor diversification for your organization.
Determine criticality and security categorization of assets
Before considering diversification strategies, your organization will need to conduct a security categorization to identify critical functions or assets based on their impact or degree of injury to business-critical objectives. This will help you focus your protection and mitigation measures on components that could lead to mission failure if compromised. Some critical components or services may not be easily discoverable using typical network discovery mechanisms; additional considerations may be required to identify and support them.
Identify disaggregation requirements
Some organizations may be subject to a greater degree of injury when their assets are consolidated or aggregated. Implementing disaggregation strategies can reduce this risk exposure. Disaggregation may follow natural boundaries, including a geographically dispersed operation, a decentralized chain of command or sub-divisional independence (such as a combat unit), or the separation of data and intellectual property generated by different teams. These boundaries can form a core component of your vendor or technology diversification program.
Implement a vendor risk assessment program
Your organization should implement a continuous vendor risk management program. This will help you identify, assess and monitor critical operational dependencies on your vendors and their third-party relationships. You should also identify higher-risk vendors and related services for additional mitigations. Organizations can also consider requesting a detailed software bill of materials to track and monitor risk dependencies across software applications running in their environment.
Map current vendors to critical functions
Identify all vendors and contractors that support critical functions. Categorize them based on the criticality of their service and the level of access to your operations. This will reveal areas of vendor over-dependence that may need to be diversified.
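As an added illustration (not part of this guidance), the mapping step above can be scripted over a vendor inventory to surface the three exposures the guidance asks for: single points of failure, critical functions exposed to high-risk vendors, and vendor concentration. The functions, components and vendor names below are constructed for the example.

```python
"""Constructed example: map critical business functions to the components
and vendors that support them, then flag single points of failure (SPOF),
exposure to high-risk vendors, and vendor concentration across functions."""
from collections import Counter

# Constructed inventory: function -> [(component, vendor, access level)].
# Hypothetical names; they do not refer to real suppliers or systems.
INVENTORY = {
    "payments": [("core-banking-app", "VendorA", "privileged"),
                 ("edge-firewall", "VendorA", "network"),
                 ("endpoint-av", "VendorB", "endpoint")],
    "payroll": [("hr-saas", "VendorC", "privileged"),
                ("sso-gateway", "VendorA", "identity")],
    "customer-portal": [("waf", "VendorA", "network"),
                        ("portal-app", "VendorA", "privileged")],
    "email": [("mail-gateway", "VendorD", "network")],
}
# Outcome of the security categorization and vendor risk assessment (constructed).
CRITICAL_FUNCTIONS = ("payments", "payroll", "customer-portal")
HIGH_RISK_VENDORS = {"VendorC"}


def vendors_for(function):
    """Distinct vendors supporting one business function."""
    return {vendor for _, vendor, _ in INVENTORY[function]}


def single_points_of_failure():
    """Critical functions whose entire supporting stack comes from one vendor:
    a compromise or business failure at that vendor takes the function down."""
    return sorted(f for f in CRITICAL_FUNCTIONS if len(vendors_for(f)) == 1)


def high_risk_exposure():
    """Critical functions depending on a vendor assessed as high-risk, with the
    components (and their access level) that create the exposure."""
    exposure = {}
    for f in CRITICAL_FUNCTIONS:
        hits = [(c, v, a) for c, v, a in INVENTORY[f] if v in HIGH_RISK_VENDORS]
        if hits:
            exposure[f] = hits
    return exposure


def vendor_concentration():
    """Number of critical functions each vendor supports; a vendor supporting
    several functions is an over-dependence even when no function is a SPOF."""
    counts = Counter(v for f in CRITICAL_FUNCTIONS for v in vendors_for(f))
    return dict(counts)


if __name__ == "__main__":
    print("SPOF functions:", single_points_of_failure())
    print("High-risk exposure:", high_risk_exposure())
    print("Vendor concentration:", vendor_concentration())
```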
Design and implement a multi-vendor strategy
Strategically design or redesign system architectures, keeping diversity in mind and avoiding over-dependence on a single solution architecture. Incorporate versatile design architectures that can easily adapt to different threats and are supported by a diversified supplier base. Scenarios or examples where diversification may be required include:
- boundary protection: incorporating diversity across devices that mediate or authorize network flows across internal and external networks
  - examples include routers, network firewalls, web application firewalls, intrusion detection and prevention systems and web service protections
  - consider solutions from a variety of vendors that offer detection capabilities across different domains (software, hardware and firmware) and content types (for example, data, files, messages, packet inspection and protocol flow analysis)
- endpoint device security: ensuring security protections on endpoint devices provide diverse protection capabilities against malicious code and system-based attacks
  - solution components include antivirus software, endpoint detection and response solutions, data loss prevention and others
  - implement diverse capabilities (for example, heuristic and static detection of malware or malicious code) across multiple layers of the system, including:
    - the hardware platform
    - operating system (OS) boot loaders
    - the core OS
    - hypervisors
    - the applications layer
- data centre infrastructure diversity: ensuring data centre services and dependencies are diverse and contractually independent to mitigate underlying service convergence risks
  - ensure risks associated with the primary power source, back-up power, cooling, water supply, communication infrastructures and contractual oversight are sufficiently isolated
  - additionally, use at least 2 independent Internet service providers that offer independent circuit loops with isolated backbone infrastructure
Consider open standards and interoperability
To manage a multi-vendor environment efficiently, design systems, where possible, that are vendor agnostic and based on open standards to facilitate interoperability. Supplement commercial tools with solutions based on independent or open-source standards for greater visibility and resilience. Evaluate alternative solutions on their ability to provide multiple delivery paths, access to source code and data portability, among other considerations.
Incorporate diversity into operational resiliency and contingency plans
Adopt a strategy that incorporates diversity into your cyber redundancy and recovery architectures. Identify alternate or contingency plans for the most critical security controls. Failover and recovery protocols should identify critical vendors and alternates. Diversification efforts must integrate with resilience planning activities to ensure unplanned new risks do not emerge.
Learn more
- Cyber supply chain: An approach to assessing risk (ITSAP.10.070)
- Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)
- Protecting your organization from software supply chain threats (ITSM.10.071)
- The cyber threat from supply chains
- Cross-Sector Cyber Security Readiness Goals Toolkit
- IT security risk management: A lifecycle approach (ITSG-33) Annex 3A - Security control catalogue
- Guidance on the security categorization of cloud-based services (ITSP.50.103)