Many organisations still lack visibility into their digital supply chains, leaving serious vulnerabilities despite rising incidents and new regulations like NIS2, SEC rules, and DORA. Most companies will know who they’ve signed contracts with. But ask for a full list of every software dependency, API integration, cloud platform, or open-source library that handles sensitive data, and you’re met with silence. That silence is dangerous and points to a lack of due diligence and cyber hygiene control.
That is because today’s supply chain is no longer a linear string of vendors; it’s a sprawling and complex ecosystem of services, platforms, and hidden interdependencies. When one of those links’ breaks, the damage doesn’t stop at the firewall. Just ask those caught in the fallout from SolarWinds, MOVEit, Log4j or even the CrowdStrike misconfiguration outage. In each case, a single compromise or misconfiguration rippled outward, impacting thousands of downstream businesses that didn’t have proper visibility of their supply chain vulnerabilities. Trusting your suppliers is one thing, knowing your risk exposure, potential impact, and resilience is entirely different.
Despite the high-profile nature of these security or configuration incidents, many boards still underestimate supply chain cyber risk, or worse, assume it’s already under control or can be managed by contractual SLAs alone. It’s not a blame game though. This isn’t about complacency, it’s just a blind spot, and it is there because traditional risk models weren’t designed for modern complexities. Most organisations still treat third-party security as a procurement checkbox or annual audit exercise rather than what it truly is: a live, dynamic attack surface. What is complacent is thinking this is a small technical challenge that CISOs can quietly fix. On the contrary, it is a strategic threat to business continuity, customer trust, and regulatory compliance, but when managed well, it can become a business differentiator.
The supplier ecosystem is much bigger than you think
In cybersecurity, the term “supplier” has outgrown the contract. It now includes the SaaS platforms you rely on, the cloud infrastructure running behind the scenes, the open-source code embedded in your software, and the fourth-party vendors supporting your third-party vendors. It’s a digital chain of custody, and every link in that chain is a potential exposure point. The problem is that few organisations have a true understanding of their supplier ecosystem or have fully mapped the supply chain. They see the tip of the iceberg such as the signed agreements and the due diligence spreadsheets, but not the dependencies lurking just beneath the surface.
This is often where traditional third-party risk programmes fall short. They focus on procurement, not proximity. Risk is usually measured in terms of who you buy from and the value of the transactions instead of who has access to systems, data, or customer information. And yet, it’s these hidden interdependencies that attackers exploit. A compromised API in a marketing tool; a vulnerability in a widely used open-source library; a cloud provider misconfiguration that leaves customer data exposed. These are recurring headlines. If you can’t see the full digital blast radius of your ecosystem, you can’t secure it. And if you can’t explain that risk in business terms, you won’t get the support needed to manage it.
What the boardroom still doesn’t see
For most boards, third-party risk is seen as the CISO’s responsibility, rather than a company-wide concern. That’s not because they don’t care; it’s because no one has translated the technical complexity into “impact” or consequences they can relate to. Boards don’t need a list of vendors or a rundown of which open-source components are being used in which systems. They need to know what happens if one of them fails. What’s the potential fallout and impact? How many customers are likely to be affected? What will the cost be in terms of downtime, trust, or compliance exposure? Until those answers are clear, ecosystem risk remains abstract, and to be fair to boards, “abstract” is hard to prioritise.
So, security teams hit a wall. They’ve done the technical mapping, flagged the concerns, and run the assessments, but the message still doesn’t land. Why? Because it’s wrapped in language that hasn’t changed since it left the IT department. To make supply chain risk resonate at board level, it needs a story. A “what if” scenario grounded in the business’s actual operations. What if that small vendor supporting your invoicing system gets breached? What if the cloud provider running your analytics pipeline has an outage? What if the code library your product depends on gets hit with a zero-day? These are the conversations that move supply chain security out of the “nice to have” column and into the budget column.
Regulation without borders
Third party risk is now a matter of governance. Under frameworks like NIS2 and DORA, organisations are being held directly accountable for the cybersecurity posture of their digital supply chain. That includes suppliers, service providers, and in some cases, fourth parties. It’s not enough to run an annual assessment and file it away. These regulations demand continuous oversight, demonstrable due diligence, and, crucially, the ability to communicate risk exposure in a timely, transparent way. The financial penalties for non-compliance are hefty. For DORA, it’s up to €10 million or 2% of annual turnover depending on which is higher. But the reputational cost is also high.
But here’s where things get a little tricky: the regulatory landscape isn’t uniform. Global organisations must navigate a patchwork of obligations, from the SEC’s cyber disclosure rules in the US to GDPR enforcement in the EU, and region-specific mandates in Asia-Pacific. One spreadsheet for each region, or one audit per year, isn’t going to cut it. The smart move is to build a unified risk posture that aligns to the spirit of these regulations, not just the letter. Start with impact: which suppliers could disrupt your business if compromised? Which dependencies expose customer data or operational continuity? If you can answer those questions with confidence, compliance becomes a natural byproduct rather than a frantic box-ticking exercise.
Visibility was a luxury. Now it’s the foundation of security, control, and continuity in a sprawling digital economy.
Tim Grieveson is the chief security officer at ThingsRecon.
