For CISOs, managing supply chain risk is no longer a compliance exercise – it’s a core pillar of resilience.
In cyber security, you’re only as strong as your weakest partner.
That lesson has been made painfully clear in the wake of major third-party breaches, from SolarWinds to MOVEit, Salesforce to SalesLoft. Each case demonstrated the same hard truth: even the most sophisticated internal defences can be undone by vulnerabilities outside your direct control.
For CISOs, supply chain risk has become, arguably, the most complex and pressing challenge of the day. Modern enterprises rely on a sprawling ecosystem of vendors, cloud services, software providers, and contractors.
Every connection is a potential entry point. Yet traditional risk assessments – often performed once a year with a set of questionnaires – are no match for today’s threat landscape.
The first shift in thinking is to treat suppliers not as external entities but as extensions of your own network. If they have access to your data, systems, or infrastructure, their security posture directly affects yours.
That means moving beyond a box-ticking approach and demanding real visibility. Continuous monitoring, shared threat intelligence, and contractual obligations for reporting incidents should all be part of the relationship.
The MOVEit breach showed how quickly trusted software can become a liability, with attackers exploiting vulnerabilities in a widely used file transfer tool. If your assessments stop once a supplier is approved, you’re already behind. Ongoing oversight matters. This includes watching for patch delays, suspicious activity, or changes in a vendor’s own supply chain.
We know there’s a balance to strike. No organisation can fully audit every vendor. The challenge for CISOs is prioritisation: identifying which partners have access to sensitive data, critical operations or privileged credentials, and focusing scrutiny on those points of greatest concern. A café supplier isn’t a cyber security concern; your managed service provider most definitely is. Risk-based approaches, guided by impact assessments, help concentrate effort where it matters most.
Contracts are another underused lever. Security obligations and service-level agreements should be explicit, covering everything from breach notification timelines to access controls and patching commitments. These are often left vague, creating ambiguity when incidents do occur. Clear contractual language, backed by the authority of procurement and legal teams, gives CISOs a stronger footing while an incident is unfolding.
Technology and contracts alone won’t solve the problem – culture plays a role, too. Supply chain security requires collaboration between security, procurement, and business units. Procurement teams need to understand why they can’t simply choose the cheapest or fastest supplier without assessing cyber risk, while business leaders must grasp that resilience sometimes comes at a cost. Vendors need to see themselves as partners in security, not just outside service providers.
It’s also important to plan for the inevitable. No matter how robust your controls, some breaches will slip through – remember, it’s not a matter of if you’re attacked, it’s a matter of when. That’s why incident response plans need to have third-party failures baked in. Who communicates with the vendor? How quickly can access be revoked? How will regulators and customers be notified? CISOs who assume “it won’t happen here” are setting themselves up for a nasty surprise when the inevitable, sadly, happens.
The message to the board is straightforward: supply chain risk is business risk. A single vulnerability in a partner can cascade into lost data, financial penalties, and reputational harm.
Investing in continuous monitoring, stronger contracts, and alignment between security and business purpose isn’t just prudent – it’s essential.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.