supply chains

CISOs face a barrage of vendor pitches and rely on targeted questions to identify products that solve real business security problems with clear ROI. They favor vendors who understand specific organizational needs, promote tools that reduce workload, integrate seamlessly, and are transparent about costs and updates. Credibility is built through validated outcomes, real-world examples, and responsiveness to customer input, while vague claims, fear tactics, unnecessary buzzwords, and inflexible pitching are immediate red flags.

https://www.csoonline.com/article/4059801/5-questions-cisos-should-ask-vendors.html

Summary: The article discusses the enduring issues of software supply-chain security, highlighting a recent major attack on open source software through the XZ project. It reviews the history of software vulnerabilities, the consequences of supply-chain attacks, and the need for improved security measures such as authentication, vulnerability scanning, and the adoption of safer programming languages. The importance of funding open source projects to prevent security weaknesses is emphasized, drawing parallels to past incidents like Heartbleed. The author advocates for ongoing efforts to bolster defenses against potential attacks, as many fundamental security challenges persist in the industry.

https://cacm.acm.org/practice/fifty-years-of-open-source-software-supply-chain-security/

Cyberattacks on IT vendors are escalating, resulting in significant financial losses, according to a Resilience report. In 2024, 23% of cyber insurance claims involved third-party breaches, causing operational disruptions and high costs, exemplified by UnitedHealth's $3.1 billion ransomware attack. Ransomware is still the leading cause of cyber claims, but attackers are shifting focus to larger targets for bigger payouts.

https://www.ciodive.com/news/vendor-driven-cyberattacks-losses/741686/