From questionnaires to real risk management: why supply chain risks are underestimated

Misha van Leeuwaarde
November 18, 2025
5 min read

In this RiskTalk episode, Esther Schagen van Luit discusses why organisations continue to underestimate supply chain risks and rely too heavily on questionnaires and certifications. She highlights the need for genuine risk-based thinking under NIS2, warns against narrow views on digital sovereignty, and stresses the importance of internal data governance in the age of GenAI. Esther also reflects on diversity in cybersecurity and shares practical career advice on focus and prioritisation.

In the latest episode of RiskTalk, Esther Schagen van Luit, Chief Security Advisor at Microsoft Netherlands, joins us to discuss some of the most urgent challenges in cybersecurity. From supply chain risks to digital sovereignty, from NIS2 compliance to diversity in the sector, Esther shares sharp insights drawn from her years as CISO at Deloitte and from her current role at Microsoft.

The problem with supply chain risks: more than just questionnaires

One of her most striking statements concerns how organisations handle supply chain risks:
“I have always found supply chain risks and their management to be an aspect that is underestimated, or at least given too few resources.”

According to Esther, the issue lies in excessive reliance on questionnaires and certifications.
“A questionnaire... how do you actually verify whether what someone fills in is true?”
Many organisations believe they have their supply chain risks under control once the checklists are complete, but a questionnaire is self-reported and rarely verified, so the real risks go unseen.

Certifications are only the beginning

The assurance provided by certifications such as ISO 27001 is often overestimated.
“If you have experience as a consultant guiding organisations towards that certification, then you know it is only the beginning. Plenty can still go wrong underneath.”
Esther advocates a pragmatic approach:
“I do not mind if something is not fully in order, as long as you show how you solve it, how quickly that happens, and what evidence you have.”

NIS2: from checklist mentality to risk-based thinking

Esther’s view on regulation has changed since her time as CISO.
“When I was CISO, I thought: another new regulation? But now I see that it is needed, especially for organisations that did very little on security.”

According to her, the strength of NIS2 lies in the room it offers for a risk-based approach.
“Many customers prefer a checklist, but it is precisely that room that forces you to really think about risks.”
However, that does require preparation:
“You need to do your risk assessment properly, and many organisations find that daunting.”

Digital sovereignty: fear versus reality

As Chief Security Advisor at an American tech company, Esther is in a particular position in the debate on digital sovereignty.
“People look at scary, distant risks and forget everyday, more probable risks.”
She argues for a broad geopolitical risk analysis:
“Not only America. What do you do with tools from Israel, China, or in the event of new conflicts? And do you have realistic alternatives?”
Sometimes the answer is simply:
“Yes, it is a high risk, but I do not have an alternative.”

Internal data governance: get your own house in order first

With the rise of GenAI, Esther sees a striking trend:
“Many customers still do not have their data management in order. Then you realise you have no internal grip on who can access your data.”
According to her, this is a larger risk than many geopolitical threats:
“It surprises me how easily people see external danger but overlook internal reality.”

Diversity in cybersecurity: from 4 percent to 50 percent

When Esther started at Deloitte, only 4 percent of the cybersecurity team were women.
“I walked past the hacking team and they looked at me as if I came from another planet.”
By the time she left, the team was 50 percent women and 50 percent international.

Her advice for leaders:

  1. Broaden your recruitment funnel
    “Do not wait for whatever comes in. Actively go into the market to attract diverse talent.”
  2. Focus on retention
    “Hiring often works out. But do those people feel at home? Are they recognised? Take a critical look at your processes and performance management.”
  3. Choose passion, not profile
    “Someone with curiosity and real interest gets further than someone who just ‘quite likes it’.”

Career tip: focus on what really matters

What is her secret to success at a young age?
“I was always able to distinguish well between what is important and what is not. Do not get distracted by what others consider important.”
On setting priorities, she says:
“You can make progress on twenty things, but then you make no real impact anywhere. Focus on five things and you get much further.”


Misha van Leeuwaarde
Marketing Manager
