The Signal
In the last 30 days, five member companies across government, legal, financial services, and professional services posted the same problem to the network, and not one framed it as wanting a better tool. They framed it as the model itself failing. A deputy CISO at a city government wants out of mailing annual security questionnaires to vendors and "HOPING they respond with factual information." A VP and CISO in business services runs a formal third-party-risk bake-off every 36 months. A law-firm security manager is being told by its own clients to stand up a vendor-assessment program. The common thread is timing: every one of these programs assesses a vendor at a point in time, then trusts that snapshot for a year or three. Meanwhile the thing being assessed, vendor access to your data, has gone continuous. Vendors hold live API tokens, run automation in your environment, and push code into your pipeline between assessments. The annual questionnaire was built for a world where a vendor relationship was a contract and a data feed. That world is gone, and the network is the first place you can watch CIOs and CISOs pricing the replacement.
From the Network
"We conduct an evaluation of TPRM solutions every 36 months to ensure that we are using the best solution we can in this space."
"We are looking for a vendor information security assessment and tracking tool to comply with our vendor management requirements from our clients."
"Traditional privileged access management approaches were not designed for today's dynamic ecosystem of vendors, cloud services, automation platforms, APIs, and remote administration models."
Three seats, one gap: the cadence of assessment (every 36 months), the artifact of assessment (a tracking tool clients now demand), and the reason both are breaking (vendor access stopped being static).
Top Open Priorities This Week
Two raw asks pulled directly from member submissions in the last 14 days, unedited:
"We need something that helps us not have to send questionnaires every year and HOPE they respond (with factual information)."
"I would like to understand more about how TrustOnCloud could help with the onboarding of new cloud services."
Both asks are the same move: stop trusting a once-a-year form and start verifying vendors continuously, whether that is a government team drowning in questionnaires or a services firm wiring risk checks into cloud onboarding.
Member Spotlight: Michael Vigneau, Allegro MicroSystems
Michael Vigneau runs cybersecurity at Allegro MicroSystems, a global semiconductor maker, and his read is the through-line of this week's signal: the hard part of vendor risk, and of security generally, was never the tool. As he puts it in his DoGood member spotlight, "Technology is the easy part. Changing human behavior at scale is the real work."
The Context
In May, Trellix, a cybersecurity vendor whose entire job is reducing other companies' risk, disclosed that attackers gained unauthorized access to part of its source-code repository. The ransomware group RansomHouse claimed the intrusion on May 7. It landed inside a wider run on the software supply chain: earlier in 2026 the same class of attack hit the open-source scanners Trivy and Checkmarx KICS, tools that thousands of enterprises embed directly in their build pipelines. Trellix says it found no evidence its release pipeline was tampered with. That is the good outcome, and it still would not have surfaced on anyone's annual vendor questionnaire, because the questionnaire was filled out months before the breach existed. This is the normal shape of vendor risk now, not the exception. Across 2025, a single vendor breach compromised an average of 5.28 downstream companies, and the gap between a vendor discovering a breach and disclosing it stretched to 117 days. Your annual attestation can sit freshly signed on the desk while the vendor it certifies is already four months into an undisclosed compromise.
Bottom Line: Rank your vendors by blast radius, not by contract size, and put the few that could take you down with them on continuous monitoring; the questionnaire can stay for the long tail.
What to Do About It
This week, pull your third-party inventory and tag every vendor that holds a live credential, an API token, or standing access into a production system. That subset, not your full vendor list, is where the annual questionnaire is failing you. Move those vendors onto continuous monitoring before your next renewal cycle, and leave the once-a-year form for the vendors who only ever touch a flat file.
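One way to run that triage over an inventory export, as an added example that is not code from the brief or the DoGood network: the Python below takes a constructed sample inventory (the vendor names, field names, access taxonomy, scoring and reference date are all assumptions) and splits it into the subset that needs continuous monitoring, ranked by blast radius rather than by spend, and the long tail that can stay on the annual form. It also flags vendors whose access is still live while their last attestation is more than a year old, the situation the Trellix paragraph above describes.

```python
"""Triage a third-party inventory by standing access, not contract size.

Added example, not code from the CXO Brief or the DoGood network. The
inventory, field names, access taxonomy and scoring are assumptions
made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Access kinds that let a vendor act in your environment between assessments
# (a live credential, an API token, or standing access into production).
# Assumed taxonomy; map your own inventory's categories onto it.
STANDING_ACCESS = frozenset({"api_token", "service_account", "ci_integration", "remote_admin"})


@dataclass(frozen=True)
class Vendor:
    name: str
    annual_spend_usd: int
    access: frozenset[str]          # kinds of access the vendor holds
    prod_systems: tuple[str, ...]   # production systems that access reaches
    last_assessed: date             # date of the most recent questionnaire


def holds_standing_access(v: Vendor) -> bool:
    """The brief's test: does the vendor hold any live, standing access?"""
    return bool(v.access & STANDING_ACCESS)


def blast_radius(v: Vendor) -> int:
    """Crude blast-radius score: one point per production system reached plus
    one per kind of standing access held. Spend is deliberately not an input."""
    return len(v.prod_systems) + len(v.access & STANDING_ACCESS)


def attestation_age_days(v: Vendor, today: date) -> int:
    """Days since the vendor's last point-in-time assessment."""
    return (today - v.last_assessed).days


def triage(inventory: list[Vendor]) -> tuple[list[Vendor], list[Vendor]]:
    """Split the inventory into (continuous, questionnaire).

    'continuous' is the subset that needs continuous monitoring, highest blast
    radius first; 'questionnaire' is the long tail that only touches flat files."""
    continuous = sorted((v for v in inventory if holds_standing_access(v)),
                        key=lambda v: (-blast_radius(v), v.name))
    questionnaire = sorted((v for v in inventory if not holds_standing_access(v)),
                           key=lambda v: v.name)
    return continuous, questionnaire


def stale_while_live(inventory: list[Vendor], today: date, max_age_days: int = 365) -> list[str]:
    """Names of vendors whose access is live but whose last attestation is older
    than max_age_days: the snapshot has expired while the access has not."""
    return [v.name for v in inventory
            if holds_standing_access(v) and attestation_age_days(v, today) > max_age_days]


# Constructed sample inventory; vendor names, spend and dates are invented.
SAMPLE_INVENTORY = [
    Vendor("BigOutsourcer", 2_400_000, frozenset({"sftp_drop"}), (), date(2025, 9, 1)),
    Vendor("PipelineScanner", 18_000, frozenset({"ci_integration", "api_token"}),
           ("build-pipeline", "artifact-registry"), date(2025, 2, 14)),
    Vendor("PayrollSaaS", 90_000, frozenset({"api_token"}), ("hr-db",), date(2026, 1, 10)),
    Vendor("MSP-Admin", 300_000, frozenset({"remote_admin", "service_account"}),
           ("ad-domain", "vpn-gw", "erp"), date(2025, 11, 3)),
]
TODAY = date(2026, 5, 20)  # assumed reference date for the attestation ages


if __name__ == "__main__":
    continuous, questionnaire = triage(SAMPLE_INVENTORY)
    print("Continuous monitoring (highest blast radius first):")
    for v in continuous:
        print(f"  {v.name:16} radius={blast_radius(v)} spend=${v.annual_spend_usd:,} "
              f"last assessed {attestation_age_days(v, TODAY)} days ago")
    print("Annual questionnaire:", ", ".join(v.name for v in questionnaire))
    print("Live access, stale attestation:", stale_while_live(SAMPLE_INVENTORY, TODAY))
```

On the sample data the largest contract (BigOutsourcer) lands in the questionnaire bucket because it only ever touches an SFTP drop, while an $18k scanner wired into the build pipeline ranks near the top and is also the one whose attestation has gone stale; that inversion of spend versus blast radius is the point of the exercise. The score is deliberately crude: replace it with whatever your inventory can actually support (data classification, privilege level), but keep contract size out of it.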
The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.
Know a CIO who needs this? Forward it and they can subscribe here.
Enterprise IT leader at a $100M+ company? Apply to join DoGood.
