10.24.25
Blog Post
Resilient Procurement: The Key to Trusted AI

Cybersecurity Awareness Month 2025

By Camille Stewart Gloster, Chief AI Strategist, D&TA

Artificial intelligence is transforming how organizations operate—driving performance, accelerating innovation, and strengthening resilience. Yet realizing that potential depends on one non-negotiable factor: security.

As AI becomes central to business operations, the tools we buy—and the supply chains that support them—shape our organizational risk as much as the systems we build. When designed and procured responsibly, technology can fortify enterprise resilience. If not, it becomes one of the fastest-growing sources of exposure.

At the Data & Trusted AI Alliance (D&TA), we believe procurement is one of the most powerful levers for embedding security and trust into the digital ecosystem. It is where intent becomes infrastructure.

Procurement as a Core Resilience Function

Procurement decisions define an organization’s security posture. Every contract, integration, and update determines not only cost and performance, but also how well the enterprise can withstand evolving threats.

As Jen Easterly, former Director of the U.S. Cybersecurity and Infrastructure Security Agency, wrote in Foreign Affairs (“The End of Cybersecurity”), the era of reactive defense must end. The next phase of security depends on structural choices that eliminate vulnerabilities before they reach production. That shift starts with aligning incentives for secure design, and procurement is the natural starting point.

Too often, organizations evaluate technology vendors on functionality, speed, and price alone. Cybersecurity is treated as a downstream audit item rather than a foundational criterion. The result: a marketplace that rewards innovation without accountability and complexity without transparency.

D&TA’s work with member companies across sectors shows that this dynamic can change. Procurement can become a strategic control point for resilience, ensuring security-by-design principles are embedded into every system from the outset.

Why Procurement Must Evolve in the Age of AI

AI has exposed the fragility of traditional procurement processes. Models that rely on shared data, third-party APIs, and continuous learning make supply chains more connected, and more vulnerable, than ever before.

In our latest publication, the Cyber Readiness Companion to the AI Vendor Assessment Framework, D&TA outlines practical steps for evaluating AI vendors not only for compliance, but for security maturity. This includes understanding model provenance, assessing incident response readiness, and ensuring continuous monitoring of AI systems in production. This builds upon our recently released AI Vendor Assessment Framework.

Each AI integration expands an organization’s attack surface. Each vendor relationship introduces potential entry points for exploitation. Resilience now depends on the strength and visibility of procurement infrastructure: how contracts are written, how vendors are vetted, and how information is shared.

From Transactional Procurement to Resilient Procurement

A resilient procurement process integrates cybersecurity, resilience, and business value into a unified decision-making framework.

1. Make Security a Core Evaluation Metric

Security should carry equal weight to functionality and price in vendor scoring. Questions around incident response, data integrity, and model provenance must appear in every RFP.

2. Align Procurement and Security Early

Collaboration between security and procurement teams should begin before vendor selection. Early alignment surfaces risks before they become contractual constraints.

3. Demand Transparency and Provenance

Require vendors to document model lineage, dependencies, and update cycles. Transparency enables traceability and accountability throughout the AI lifecycle.

4. Embed Resilience Clauses in Contracts

Contracts can mandate secure development practices, vulnerability disclosure processes, and patch timelines. As Easterly argued, producers should be accountable for insecure design—and procurement is where that accountability begins.

5. Build Continuous Feedback Loops

Resilient procurement doesn’t end at signing. Post-deployment monitoring, attestations, and periodic vendor reviews make resilience continuous, not episodic.

Secure-by-Design Starts at the Point of Purchase

In Build Secure-by-Design Tech Before the AI Vulnerability Cataclysm Hits, I emphasized that secure-by-design must move from aspiration to action. Building systems that are “secure by default and resilient by design” requires aligning business incentives, engineering practices, and policy frameworks.

Procurement connects all three. It translates governance into operations and values into infrastructure. The leaders of the next decade will treat security not as a feature, but as a design choice embedded in every purchasing decision.

Resilience is a Collective Responsibility

Our members demonstrate that building resilient procurement infrastructure is not a single organization’s task — it’s a shared responsibility across the ecosystem. When buyers demand transparency and resilience, and when vendors design with security and trust in mind, the entire digital marketplace grows stronger.

Cybersecurity is no longer confined to IT departments; it lives in contracts, standards, and governance processes that determine how systems are selected, integrated, and maintained.

As we mark Cybersecurity Awareness Month, D&TA calls on organizations to look upstream to their procurement practices as the next frontier of secure-by-design innovation.

Resilience begins not at deployment, but at decision.
