The fastest way to get CISSP Certified. Join our bootcamp
Sergio Ermotti runs UBS, one of the world's largest banks. In October 2025, his direct phone number appeared on the dark web.
Not because UBS got breached. Because Chain IQ got breached.
The thing is, UBS doesn't use Chain IQ. Their vendor did. So how did Ermotti's direct line end up on the dark web via Chain IQ?
June 12, 2025. Attackers broke into Chain IQ Group AG, a procurement vendor. They grabbed employee records from 19 of Chain IQ's clients. Over 130,000 records total. Posted everything online.
UBS was in there. So was Pictet. Swiss Life. Axa. FedEx. IBM. Swisscom.
None of them had ever contracted with Chain IQ directly. Their procurement vendors had. And when Chain IQ got compromised, these companies found out the same way everyone else did: when their employee data showed up for sale.
Here's what makes this worse:
You can't vet a vendor you don't know exists.
You know which vendors you hired. You might even know which vendors they hired if your vendor risk program is solid.
But do you know which vendors those vendors use? The platforms they're all hosted on? Where your data actually lives in this chain?
Most organizations don't. They track direct contracts. They don't map what those contracts sit on top of.
The numbers aren't improving:
96% of Europe's largest financial institutions were hit by a third-party breach in the past two years, according to SecurityScorecard. That's up from 78% just two years before.
This problem is accelerating, not slowing down.
Why traditional vendor assessments miss this:
Your vendor questionnaire asks about security controls at one company. Not their subcontractors. Not the infrastructure providers two layers down. Not the shared platforms that create single points of failure.
When Chain IQ got breached, none of the affected organizations could have prevented it through better vendor management. They didn't have a relationship with Chain IQ to manage.
This is fourth-party risk. And it requires a different approach.
What CRISC covers that most risk programs don't:
How to map risk beyond direct vendor relationships. How to identify concentration risk when multiple vendors share infrastructure. How to build continuous monitoring for exposures you can't see through annual assessments.
It's not about better questionnaires. It's about understanding how risk actually flows through your ecosystem.
And professionally? Organizations desperately need people who can manage these complex risk scenarios. CRISC positions you as someone who understands enterprise risk at a level most security professionals don't reach.
Our next CRISC Bootcamp runs June 1-3, 2026. Three days with Kelly Handerhan covering everything ISACA tests. 146 topics, 695 flashcards, 850 knowledge assessments, 500+ practice questions, 24 mind maps, and 4 implementation tools for real-world risk work.
Learn more and enroll
P.S. We don't offer a CRISC MasterClass yet. Want us to notify you when we do? Reply to this email.
Stay secure,
The DestCert Team
Free CISM MindMap: Strategy Development
We put together a free MindMap video covering the key concepts in Domain 1.2, a quick, clear way to get the big picture before you dive into studying. Free to watch, no strings attached. Plus you'll get downloadable audio files and printable PDFs.
Save $300 on the AAISM Bootcamp
AI security is one of the fastest-growing areas of responsibility for security professionals right now — and the AAISM Bootcamp is built specifically for it. Enroll at the current rate and you'll save $300. The offer ends April 19.
Prepare to Pass CCSP: Get the Right CCSP
APP
Studying for the CCSP? Big news! We’ve just added 1,000 brand-new questions to our CCSP Exam Prep App—giving you even more ways to test your knowledge and boost your confidence. Whether you're brushing up on cloud security concepts or getting serious about exam day, the updated app is packed with fresh content that reflects the latest exam trends. Study anytime, anywhere, and get one step closer to becoming CCSP certified.
Free CCSP Cloud Data Security and Encryption Mini MasterClass
If you’re interested in cloud security, check out our new FREE Mini MasterClass. It digs into cloud data security and encryption. It’s based on the CCSP certification requirements, but even if you’re not thinking of getting certified, what you learn is very useful in practice if you ever need to deal with cloud data security.