
Cyber Risk is Now a Supply Chain Problem
April 27, 2026
I recently contributed an article to In Supply Magazine (Issue 2, March/April 2026), where I explored a shift that many organizations are now confronting in real time: cyber risk is no longer confined to the security function; it is a core supply chain issue.
This is not a theoretical evolution. It is operational.
The Convergence of Cyber and Supply Chain
Modern supply chains are highly interconnected digital ecosystems. Vendors, platforms, service providers, and partners are all integrated, often in ways that extend well beyond what traditional oversight can see. That interconnectedness has generated efficiency and scale, but it has also introduced systemic risk.
Adversaries understand this.
Instead of targeting hardened enterprise perimeters, they increasingly leverage third-party relationships, software dependencies, and service providers as entry points. These are not opportunistic attacks; they are calculated, patient, and designed to cascade across multiple organizations simultaneously.
From Point-in-Time Risk to Continuous Exposure
Historically, third-party risk management has been treated as a compliance exercise—periodic assessments, questionnaires, and static controls. That model is no longer sufficient.
Risk is no longer static. It is continuous.
Organizations need to shift toward real-time visibility into their extended ecosystem:
- Understanding not just who their vendors are, but how those vendors operate
- Monitoring changes in risk posture over time
- Identifying concentration risk and critical dependencies
- Integrating threat intelligence into business decision-making
This is where many programs are still catching up.
The Leadership Imperative
One of the most important shifts I highlighted in the article is the need for executive ownership of cyber risk as a business risk.
This is not just a CISO problem.
Boards and executive teams are increasingly being forced to make decisions around:
- Acceptable levels of operational disruption
- Trade-offs between efficiency and resilience
- Investment in visibility, intelligence, and redundancy
The organizations that are adapting well are those that treat cyber risk as part of enterprise risk management, not as a technical domain operating in isolation.
Intelligence as the Differentiator
If there is one consistent lesson from both past operations and current threat landscapes, it is this: visibility and intelligence change outcomes.
The difference between disruption and resilience often comes down to whether an organization can:
- Anticipate threats before they materialize
- Understand adversary behavior and intent
- Act on intelligence in a timely and coordinated manner
Without that, organizations are left reacting, often too late.
Closing Thought
Supply chains were designed for efficiency. They now need to be designed for resilience.
Cyber risk is the driving force behind that change.
If there is a takeaway from this discussion, it is that organizations must move beyond viewing cybersecurity as a protective layer and begin treating it as a strategic enabler of operational continuity.
My full article appears in In Supply Magazine (Issue 2, March/April 2026), pages 19–21.
#CyberSecurity #SupplyChainRisk #CyberRisk #ThreatIntelligence #Resilience #ThirdPartyRisk #RiskManagement #CISO #ExecutiveLeadership