Privileged access, third-party risk, the dark web - these aren’t exactly topics that make it into boardroom small talk, but they are definitely shaping the way breaches unfold. To dig into how access has become its own commodity, why third-party connections are still the soft spot in mature programs, and what leaders should be doing differently, MSSP Alert spoke to Joel Burleson-Davis, CTO at Imprivata, a digital identity company for life- and mission-critical industries.
Joel talks about where attackers are getting smarter, how AI is speeding up the game, and why compliance doesn’t always equal security.
MSSP Alert: Let’s start with something that doesn’t get enough boardroom airtime - just how big is the market for privileged access on the dark web right now? Are we talking small-time stuff, or has this become industrialized? And from a leadership lens, what are the signs that access is being misused before it becomes a breach? Should boards be looking at dark web intelligence as a core part of their risk dashboards, or is that still just treating symptoms?
Joel Burleson-Davis: We are long past the days of hobbyists trading logins in obscure chat rooms - privileged access has become an industrial commodity. Dark-web marketplaces now attract millions of daily visitors, and they list everything from domain-admin credentials to turnkey zero-day exploits exactly the way a legitimate retailer lists SKUs. That liquidity lets attackers chain breaches together: one hospital’s stolen vendor VPN account can finance the ransomware campaign that compromises the next manufacturer. In other words, access itself is the product, and its market behaves like any other high-margin supply chain - buy in bulk, repackage, resell.
Boards can’t afford to wait for the headline breach to learn something’s off. Early warning signs live in your telemetry: service accounts that suddenly log in from new geos, dormant vendor IDs that spring to life at 2 a.m., or privileged sessions that escalate without a valid change ticket. Pair that behavioral analytics layer with dark-web intelligence so you know when one of your identities shows up for auction, but treat that intel as a smoke alarm, not the fire-suppression system. The real fix is enforcing least privilege, time-bound access, and continuous validation for every user, especially third parties, so that even if credentials leak, they’re little more than blank keys.
MSSP Alert: Third-party access is one of those areas everyone knows is risky, but it’s also baked into how business gets done. Where are organizations still falling short, and how do leaders strike the balance between vendor productivity and minimizing exposure?
Joel Burleson-Davis: Third-party access is still where otherwise mature programs turn a blind eye. In our latest State of Third-Party Access report, 58% of organizations admit they don’t have a consistent plan for vendors, 47% were hit by a supplier-driven breach in the last year, and roughly two-thirds expect the pressure to rise over the next 24 months. The patterns are familiar: VPN tunnels that stay up long after the project ends, service accounts riding around with domain-admin rights ‘just in case,’ and logs that tell you who connected but not what they touched. The fix isn’t to lock partners out; it’s to never hand out the keys, and if you do, hand out single-use keys and rotate the locks automatically. Practically, that means MFA at every stop, credential management, time-boxed and workflow-scoped privilege, and continuous analytics so a contractor logging in from a new geo—or poking at systems outside their lane—raises an instant flag. When we treat third-party identities the same way we treat our own staff—just-in-time, least-privilege, fully audited—we keep vendors productive and shrink the blast radius at the same time. That’s the balance that actually moves risk in the right direction.
MSSP Alert: For critical infrastructure, what does a mature, resilient third-party access model actually look like? What should the C-suite be pushing for right now to protect uptime and data?
Joel Burleson-Davis: A resilient third-party access program for hospitals, utilities, or transportation starts with one control plane that sees every external identity the moment it asks for access. In practice, that means onboarding vendors through a hardened portal, forcing MFA up front, automating access so third parties never need the credentials to your internal system and, when they do, issuing least-privilege, time-boxed credentials that lose all usefulness when the ticket closes. Layer continuous session recording and behavior analytics on top of that hardened portal so if a field-service account suddenly pivots from a CT scanner to the payroll server, you can sever their access before uptime or safety takes a hit. The goal is simple: every vendor gets just-in-time access to the one system they need, nothing more, nothing longer.
For the C-suite, the push right now is threefold: (1) commission a living inventory of all third-party connections (you can’t defend what you don’t know); (2) roll out vendor privileged-access management that auto-grants and auto-revokes rights in minutes, not months; and (3) stream that access data feed into the same risk dashboard you use for internal identities so anomalies pop on one pane of glass. And yes, heavily regulated sectors are especially prone to the compliance mirage—hitting the checkbox can feel like victory when auditors leave, but attackers don’t care about SOC 2 language. If your controls can’t answer “who, what, when, and for how long” in real time, you’re still one phished contractor away from front-page news, certification or not.
MSSP Alert: Let’s talk software supply chains. A lot of the risk seems to fly under the radar until something major happens - then it’s a scramble. Why are software supply-chain risks so hard to spot, and what proactive steps should leaders take?
Joel Burleson-Davis: Software supply-chain threats are tough to spot because the attack surface is recursive: your app depends on a library that depends on a maintainer’s CI pipeline that depends on an out-of-date container image. That tangle lives outside the firewalls most SOC dashboards were built to watch, which is why we keep seeing ‘surprise’ compromises ripple from a forgotten GitHub action to the production floor. The problem is now big-game, not boutique—the pace of disruptions ‘exploded’ over the past two years as attackers realized they can hijack one upstream build and inherit thousands of downstream targets. Our own State of Third-Party Access study found 47% of organizations were nailed by a supplier-driven incident in the last 12 months, underlining how invisible dependencies translate directly to business impact.
So how do we drag that risk into the light? I’d push leaders throughout the software supply chain to:
- Require a living SBOM for every critical application and set an alert when a new component shows up or a CVE lands;
- Treat the build pipeline like production by enforcing hardware-backed code signing, just-in-time privileges, and continuous attestations of every artifact before it ships; and
- Track risk signals - repo health scores, breach chatter, etc. - in the same dashboard you use for internal analytics.
Taken together, those moves shift supply-chain security from a post-mortem scramble to a real-time control loop that can flag bad code before it graduates to front-page news.
MSSP Alert: From your seat, when a breach happens through a third party, what does the ripple effect usually look like?
Joel Burleson-Davis: When a vendor gets breached, the fallout isn’t confined to the SOC console. Yes, the forensic clean-up and account resets average about $88,000 just to get the lights back on, but that’s table stakes. The deeper hit is strategic: in Imprivata’s latest Ponemon study, a third-party incident most often triggers loss of sensitive data (53%), regulatory fines (50%), and, crucially, nearly half the time forces the business to sever the very relationship it relied on (49%). That fallout spectrum erodes trust on three fronts at once: customers wonder whether you can safeguard their data, regulators see a repeat offender, and future partners hesitate to plug into your ecosystem. Viewed through that lens, the hardest blow isn’t the invoice from incident response—it’s the erosion of confidence that drags revenue, deal flow, and brand equity long after the servers are patched.
MSSP Alert: With AI-driven attackers moving faster, how should CTOs and boards rethink their security strategy?
Joel Burleson-Davis: Attackers now run AI-assisted campaigns at machine speed and sell the tooling on dark-web exchanges that look more like SaaS portals than back-alley bazaars. Fortinet’s 2025 Threat Landscape Report notes that cyber-criminals have “industrialized” their operations, offering exploit kits, automated scanning, and generative-AI phishing services that erode defenders’ reaction time. The result is a 47 percent global surge in AI-enabled attacks this year, with deepfakes, autonomous bots, and adaptive ransomware driving costs to historic highs. Fueling it all is a market with roughly 2.5 million daily dark-web visitors and a projected 22 percent CAGR, underscoring just how liquid stolen access and zero-days have become.
To stay ahead, boards need to move from periodic audits to a continuous-risk operating model. That means putting identity at the core by enforcing just-in-time, least-privilege access for every user and workload, with rights revoked automatically when tasks are complete. It also means countering AI-driven attacks with defensive machine-learning models that inspect behavior in real time and quarantine anomalies in seconds. Risk posture should update daily by feeding SBOM changes, dark-web credential chatter, and live exploit data into a single executive dashboard. And finally, leaders should run exposure rehearsals - purple-team exercises that measure how quickly issues are detected and remediated - making response time a board-level KPI.
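The early-warning signals named in the first answer (a service account logging in from a new geo, a dormant vendor ID active in the small hours, a privileged session with no valid change ticket), run as detection logic over session records. This is an added example, not code from the interview or from Imprivata; the record fields, thresholds, identities and ticket IDs are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Session = namedtuple("Session", "ident kind ts geo privileged ticket")
DORMANT_AFTER = timedelta(days=90)  # assumption: idle time that counts as dormant
OFF_HOURS = range(0, 5)             # assumption: 00:00-04:59 in the log's timezone
OPEN_TICKETS = {"CHG-1001"}         # constructed change-ticket IDs

# Constructed identity inventory: geos seen so far and last activity.
BASELINE = {
    "svc-backup":  {"geos": {"US"}, "last_seen": datetime(2025, 6, 1, 3, 0)},
    "vendor-acme": {"geos": {"US"}, "last_seen": datetime(2025, 1, 10, 14, 0)},
    "vendor-hvac": {"geos": {"DE"}, "last_seen": datetime(2025, 5, 30, 9, 0)},
}

# Constructed session records, not real log data.
SESSIONS = [
    Session("svc-backup", "service", datetime(2025, 6, 3, 3, 0), "BR", False, None),
    Session("vendor-acme", "vendor", datetime(2025, 6, 3, 2, 4), "US", True, None),
    Session("vendor-hvac", "vendor", datetime(2025, 6, 3, 10, 0), "DE", True, "CHG-1001"),
    Session("vendor-ghost", "vendor", datetime(2025, 6, 3, 11, 0), "US", False, None),
]

def evaluate(s, geos, last_seen, tickets):
    """Return the early-warning flags one session raises against its baseline."""
    dormant = s.ts - last_seen > DORMANT_AFTER
    checks = [
        ("service-account-new-geo", s.kind == "service" and s.geo not in geos),
        ("dormant-vendor-off-hours", s.kind == "vendor" and dormant and s.ts.hour in OFF_HOURS),
        ("privileged-without-change-ticket", s.privileged and s.ticket not in tickets),
    ]
    return [name for name, hit in checks if hit]

def scan(sessions, baseline=BASELINE, tickets=OPEN_TICKETS):
    """Evaluate sessions in time order; return [(ident, flags)] for flagged ones."""
    last_seen = {k: v["last_seen"] for k, v in baseline.items()}
    findings = []
    for s in sorted(sessions, key=lambda x: x.ts):
        if s.ident not in baseline:  # identity missing from the inventory
            findings.append((s.ident, ["unknown-identity"]))
            continue
        flags = evaluate(s, baseline[s.ident]["geos"], last_seen[s.ident], tickets)
        if flags:
            findings.append((s.ident, flags))
        last_seen[s.ident] = s.ts    # any activity ends dormancy for later sessions
    return findings

if __name__ == "__main__":
    print(*scan(SESSIONS), sep="\n")
```
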
Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.