I love etymology. English is one of the few languages in which etymology is a fascinating field of study. Our words have roots in Germanic languages, as well as French, Dutch, Greek, and Latin, among others. It makes English hard to learn because our rules are chaotic—but that chaos is what makes it so fascinating. When I was much, much, much younger, I thumbed through old dictionaries to learn the Latin roots of words (yes...I was very fun at parties). It made me fall in love with old Latin phrases.

One of my favorite phrases is hic sunt dracones—“here are dragons.” For years, I thought medieval cartographers used this phrase to mark unknown regions, but it only appeared on two globes in the 1500s. While the illustrations of mythic beasts dotted medieval maps, the term they used was hic sunt leones—“here are lions.”

These phrases represented the unknown. And today, our maps may be digital, but the unknowns remain—especially in cybersecurity. Just as ancient maps hinted at dangers lurking in uncharted territory, today’s digital landscape is filled with hidden adversaries: cybercriminals who operate in the shadows, much like the dragons of legend.

These modern dragons, often motivated by greed, are unpredictable and dangerous. Just as medieval explorers needed tools to navigate the unknown, we need robust cybersecurity measures, like RABET-V™, to protect ourselves. Procurement officials, in particular, play a critical role in ensuring the systems they buy come equipped with swords and shields to minimize preventable risk.

The Modern Dragons

The following recent history offers sobering examples of what happens when those dragons slip past the gates. Each example is analyzed for its root cause and, in many cases, could have been prevented by procurement decisions made long before the breach.

SolarWinds (2020)

A trusted IT vendor’s Orion software update was compromised, allowing attackers to infiltrate thousands of organizations, including U.S. government agencies.

Root cause

Malicious code injected into a legitimate software update—an advanced supply chain attack.

Colonial Pipeline (2021)

A single compromised password on an inactive VPN account—without multi-factor authentication—enabled ransomware attackers to scare the company into shutting down the fuel supply to the East Coast to prevent further compromise.

Root cause

Weak access controls and a lack of MFA.

MOVEit (2023)

A zero-day vulnerability in a widely used file transfer tool exposed sensitive data for nearly 100 million individuals, shifting ransomware tactics toward data extortion.

Root cause

Unpatched zero-day vulnerability in core software.

CrowdStrike Falcon Outage (2024)

Not a cyberattack, but a flawed update from a security vendor crashed millions of Windows systems worldwide, causing widespread disruptions that grounded flights and affected hospitals. Delta alone reported $380 million in lost revenue, $170 million in additional expenses, including reimbursements and crew-related costs.

Root cause

A critical bug in a routine software update.

Change Healthcare (2024)

A ransomware attack crippled the U.S. healthcare payment infrastructure, affecting 94% of hospitals. UnitedHealth Group, Change Healthcare's parent company, estimated the breach's cost to be over $3 billion, including direct response efforts, legal liabilities, and lost business.

Root cause

Exploited weak authentication and poor network segmentation.

Why Procurement Matters

The previous incidents share a common thread: preventable risks. They highlight why procurement decisions—made long before a breach—can determine whether systems withstand the next attack or become the next headline.

States often rely on under-resourced internal teams to vet technology providers. Deep technical reviews require time, expertise, and budget that many agencies simply don’t have. The result? Technology providers self-attest to security, and states take them at their word.

That model is broken.

Procurement decisions made months or years before a breach often determine whether systems withstand the next attack—or become the next headline. Weak internal processes, poor architecture segmentation, and risky third-party dependencies are all leading indicators of security risk. Yet these factors rarely surface in traditional procurement reviews.

Enter RABET‑V™

RABET‑V is an independent verification program designed to bring rigor and adaptability to technology assessments. Its principles apply broadly to state procurement.

Here’s what makes RABET‑V different:

• Organizational Assessment: Evaluates a vendor’s internal development practices and governance—critical for catching weaknesses like those exploited in SolarWinds, where insufficient controls allowed malicious code to slip into a trusted update.
• Architecture Assessment: Scores system design against a rubric that favors modular, well-segmented architectures. This reduces the risk of cascading failures, as seen in incidents at Change Healthcare and MOVEit.
• Product Verification: Tests the product itself, with rules tailored to its architecture and organizational maturity. This approach can identify vulnerabilities before they reach production, thereby mitigating risks such as zero-day exploits.

RABET‑V also incentivizes continuous improvement. Technology providers must meet or exceed established benchmarks, creating market pressure to strengthen security beyond minimum compliance. And because the framework is adaptive, it can respond quickly to emerging threats—something traditional certification programs struggle to do.

Incorporating RABET‑V Into Procurement

Embedding RABET‑V into procurement policies ensures security expectations are clear from the start—and enforced throughout the product lifecycle. If you’re ready to take that step, Grace Gordon’s blog post outlines specific procurement language and models you can use. It’s a practical guide for agencies seeking to incorporate independent verification as a standard part of their RFPs and contracts.

Conclusion

The map is only partially uncovered; another dragon’s den may be around the next misty corner. But with frameworks like RABET‑V, we have solid, resilient armor for the threats we know about—and a strategy for the ones we don’t.

Procurement isn’t just about cost—it’s about resilience. By embedding independent verification into your procurement process, you shift the burden of proof to technology providers, incentivize better security practices, and reduce long-term risk. RABET‑V provides a structured, adaptive way to do this—evaluating organizational maturity, architectural resilience, and product security that scales with modern development cycles.

If you’re ready to make security a procurement priority, explore RABET‑V and check out Grace Gordon’s blog post. It contains the specific procurement language and models you can use to make independent verification a standard part of your RFPs and contracts.

The dragons aren’t going away—but with the right tools, you can keep them off your map.