惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
IT之家
IT之家
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
N
News | PayPal Newsroom
Cloudbric
Cloudbric
Webroot Blog
Webroot Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Simon Willison's Weblog
Simon Willison's Weblog
Spread Privacy
Spread Privacy
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
Vulnerabilities – Threatpost
Attack and Defense Labs
Attack and Defense Labs
C
Cyber Attacks, Cyber Crime and Cyber Security
Cisco Talos Blog
Cisco Talos Blog
C
Cybersecurity and Infrastructure Security Agency CISA
H
Hackread – Cybersecurity News, Data Breaches, AI and More
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
T
Tor Project blog
Latest news
Latest news
aimingoo的专栏
aimingoo的专栏
V2EX - 技术
V2EX - 技术
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Securelist
T
Tenable Blog
N
Netflix TechBlog - Medium
Google Online Security Blog
Google Online Security Blog
博客园 - Franky
T
Troy Hunt's Blog
量子位
大猫的无限游戏
大猫的无限游戏
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
MongoDB | Blog
MongoDB | Blog
H
Heimdal Security Blog
D
Docker
W
WeLiveSecurity
Stack Overflow Blog
Stack Overflow Blog
G
Google Developers Blog
博客园 - 叶小钗
腾讯CDC
The Hacker News
The Hacker News
WordPress大学
WordPress大学
人人都是产品经理
人人都是产品经理
Project Zero
Project Zero
Martin Fowler
Martin Fowler

Opinion

Op-Ed: Microsoft’s July Patch Tuesday reveals 622 vulnerabilities Op-Ed: The transaction was legitimate; the crime was hidden in the system Op-Ed: Why CISOs are drowning in alerts but missing the real threat Op-Ed: The reality of data-centric security and attribute-based access control Op-Ed: Australia’s cyber law is stuck in the past – the Slay Review is our chance to fix it Australian federal budget 2026: The industry perspective Op-Ed: Redefining performance in the AI-powered SOC Op-Ed: AI won’t patch the holes in your SOC Op-Ed: Australia inspired the EU’s online age restrictions, now it’s time for us to learn from them Op-Ed: Microsoft April Patch Tuesday reveals 167 vulnerabilities The industry speaks: World Identity Management Day 2026 Op-Ed: Why zero trust for OT should start at the boundary, not the boiler room The industry speaks: World Cloud Security Day 2026 The industry speaks: World Backup Day 2026 Op-Ed: Information sharing of cyber threats vital to national security Op-Ed: Building secure foundations for AI in the cloud Op-Ed: AI isn’t the threat, poor design is Op-Ed: Why Australia’s schools are becoming strategic targets for organised crime Op-Ed: Australia’s National AI Plan looks good on paper, but where are the teeth? Op-Ed: Australian organisations need federated authority to stay secure at scale
Supply chain risk: Understanding the weakest link in cyber security
2025-09-26 · via Opinion

For CISOs, managing supply chain risk is no longer a compliance exercise – it’s a core pillar of resilience.

In cyber security, you’re only as strong as your weakest partner.

That lesson has been made painfully clear in the wake of major third-party breaches, from SolarWinds to MOVEit, Salesforce to Salesloft. Each case demonstrated the same hard truth: even the most sophisticated internal defences can be undone by vulnerabilities outside your direct control.

You’re out of free articles for this month

To continue reading the rest of this article, please log in.

For chief information security officers (CISO), supply chain risk has become, arguably, the most complex and pressing challenge of the day. Modern enterprises rely on a sprawling ecosystem of vendors, cloud services, software providers and contractors.

Every connection is a potential entry point. Yet traditional risk assessments – often performed once a year with a set of questionnaires – are no match for today’s threat landscape.

The first shift in thinking is to treat suppliers not as external entities but as extensions of your own network. If they have access to your data, systems or infrastructure, their security posture directly affects yours.

That means moving beyond a box-ticking approach and demanding real visibility. Continuous monitoring, shared threat intelligence and contractual obligations for reporting incidents should all be part of the relationship.

The MOVEit breach showed how quickly trusted software can become a liability, with attackers exploiting vulnerabilities in a widely used file transfer tool. If your assessments stop once a supplier is approved, you’re already behind. Ongoing oversight matters. This includes watching for patch delays, suspicious activity or changes in a vendor’s own supply chain.

We know there’s a balance to strike. No organisation can fully audit every vendor. The challenge for CISOs is prioritisation: identifying which partners have access to sensitive data, critical operations or privileged credentials, and focusing scrutiny at the point of most concern. A café supplier isn’t a cyber security concern; your managed service provider most definitely is. Risk-based approaches, guided by impact assessments, help concentrate effort where it can have the most impact.

Contracts are another underused lever. Security obligations and service-level agreements should be explicit, covering everything from breach notification timelines to access controls and patching commitments. These are often left vague, creating ambiguity when incidents do occur. Clear contractual language, backed by the authority of procurement and legal teams, gives CISOs a stronger footing when an incident does occur.

Technology and contracts alone won’t solve the problem – culture plays a role, too. Supply chain security requires collaboration between security, procurement and business units. Procurement teams need to understand why they can’t simply choose the cheapest or fastest supplier without assessing cyber risk, while business leaders must grasp that resilience sometimes comes at a cost. Vendors need to see themselves as partners in security, not just outside service providers.

It’s also important to plan for the inevitable. No matter how robust your controls, some breaches will slip through – remember, it’s not a matter of if you’re attacked, it’s a matter of when. That’s why incident response plans need to have third-party failures baked in. Who communicates with the vendor? How quickly can access be revoked? How will regulators and customers be notified? CISOs who assume “it won’t happen here” are setting themselves up for a nasty surprise when the inevitable, sadly, happens.

The message to the board is straightforward: supply chain risk is business risk. A single vulnerability in a partner can cascade into lost data, financial penalties and reputational harm.

Investing in continuous monitoring, stronger contracts and aligning business purpose isn’t just prudent – it’s essential.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

Tags: