May’s #InfosecLunchHour brought together a wonderfully diverse group of cyber security professionals, risk specialists, GRC experts, digital forensics practitioners, and security advocates for a conversation that was both technically sharp and refreshingly honest. The topic was proposed by regular lunch hour group attendee James Bore, who had also come prepared with real experience to share: supply chain security, and the uncomfortable gap between what organisations think they know about their suppliers and what they actually do.

Under Chatham House Rules, the discussion that followed ranged from practical assessment methodology to regulatory developments, from single points of failure in the marine industry to a copper tablet complaint from 4,000 BC. As ever, it was the kind of conversation that reminds you why this community exists.

Setting the Scene: Why Supply Chain Security Is Still Unsolved

The session opened with James framing the challenge. Despite years of effort, supply chain attacks remain a significant and growing problem. Organisations have introduced questionnaires, risk management platforms, surveys, and third-party assessments, but the fundamental question persists: do we actually know what risk our suppliers introduce?

James drew an important distinction early on between supply chain security and third-party risk management. These are not the same thing. Third-party risk management is broadly about managing the relationship with vendors. Supply chain security is about proportionately reducing the risk that a supplier introduces into your environment, acknowledging that elimination is rarely achievable. That framing shift matters, because it changes what questions you ask and how you prioritise your effort.

James also mentioned that a public consultation on guidance he has developed for Ofgem will be released at the end of the month, with further interventions potentially following depending on the outcome of relevant legislation.

The Scaling Problem Nobody Talks About Enough

One of the most striking contributions came from a participant who shared direct experience of the sheer operational challenge of supplier assessment at scale. At one organisation, it took two years and a team of thirty information security consultants to assess just 88 shadow IT suppliers. At another large public sector body, the same timeframe was spent assessing 100 suppliers. The problem? That organisation has 800 tier one suppliers.

The numbers land hard. Manual assessment does not scale. This is not a failure of effort; it is a structural problem. The group explored how the sector has been moving, slowly and unevenly, from point-in-time assessments toward continuous monitoring throughout the supplier lifecycle. Several participants agreed this is the right direction, but that most organisations are still struggling to manage their direct suppliers before they can even begin to think about the layers beneath.

One participant described a platform approach that attempts to address this: automated discovery of supplier assets, attack surface analysis, OSINT-based vulnerability scanning, correlation through a threat intelligence platform, and a supplier-facing portal where vendors can log in, see what has been found, and act on remediation guidance. The compliance completion rates achieved through this model were notably higher than manual approaches, driven, as one participant put it, largely by FOMO.

Who Counts as a Critical Supplier?

A thread that ran through much of the discussion was the problem of criticality classification. Many organisations default to financial spend as a proxy for risk. Spend a lot with a supplier, they must be critical. Spend a little, they are probably fine. The group was unanimous that this logic is flawed.

One participant described a case where a small port services worker had unsecured network access that, if exploited, could have caused significant disruption. Another described the classic example of a fencing contractor whose systems, when compromised, inadvertently revealed the locations of sensitive Ministry of Defence sites because of where fences had been shipped. The common thread: the risk is not in the invoice value. The risk is in the access, the data, and the potential for disruption.

A participant highlighted that integrating security posture into supplier criticality scoring, rather than treating it as a separate exercise, is the right approach. This connects directly to business impact assessments, which several contributors felt should be the foundation that supplier risk classifications are built upon, not an afterthought.

One participant noted that the embedding of AI into supply chains compounds this further. Tracking how data is processed across suppliers is already complex. When those suppliers are themselves using AI models trained on or interacting with your data, the question of where your fourth- or fifth-party risk actually sits becomes very difficult to answer with confidence.

The Tick-Box Problem and the Question of Verification

Several participants raised a concern that will be familiar to anyone who has spent time in compliance: the risk that regulatory requirements produce the appearance of assurance without the substance. When questionnaires are sent to suppliers, organisations often lack the resources to verify whether the answers are accurate. Suppliers know this. The result can be responses that satisfy the form without reflecting reality.

One participant described a particularly striking example: a supplier that had achieved Cyber Essentials certification but was found, through external scanning, to have a server with over 17,000 open ports. They technically held the certification. They clearly did not meet the firewall requirements underpinning it. When the data was brought to the relevant certification body, it prompted what was described as an interesting conversation.

The group did not conclude that certification is worthless. Rather, certification tells you something, but it does not tell you everything, and treating it as sufficient is where organisations get into trouble.

ISO 27036, DORA, and the Standards That Could Help

One participant asked how many people in the group were actively using ISO 27036, which covers information security for supplier relationships, including guidance on vendor selection, contractual requirements, and exit strategies. Awareness varied. Several participants felt it was underused, particularly as DORA requirements come into force for financial sector organisations and bring with them obligations around comprehensive supplier lifecycle management, technical assessments, and documented exit strategies.

The group discussed how ISO 27036 can operate as a useful complement to ISO 27001, helping organisations think more systematically about third- and fourth-party considerations, criticality reviews, and single points of failure. One participant highlighted that for organisations with constrained budgets, the NIST supply chain risk management standards mapping document offers a comparable framework without requiring investment in full ISO certification.

A further contribution drew on the concept of technical debt: the legacy systems, outdated infrastructure, and vulnerable platforms that persist throughout supply chains because no single organisation has the resources or mandate to address them. One participant proposed the idea of a socio-technical cyber levy, which would create a mechanism for funding security improvements across the ecosystem rather than leaving the burden entirely with individual organisations.

The Historical Long View

In a moment that brought a welcome lightness to the discussion, it was pointed out that supply chain compromise is not a modern problem. The earliest recorded complaint about a supplier failing to deliver goods to specification dates to approximately 4,000 BC, involving a copper merchant in ancient Mesopotamia. As one participant observed, it has taken over 6,000 years to get back to the same problem and find that very little has fundamentally changed.

The reference served a useful purpose beyond the laugh it generated. Supply chain risk is not a technology problem with a technology solution. It is a human, organisational, and trust problem that technology can help manage but cannot resolve on its own.

A Practical Framework Worth Considering

Towards the end of the session, James offered a simplified risk framing that several participants found useful. Rather than beginning with certifications and questionnaires, start with two questions: what level of access does this supplier have to our systems or data, and if this supplier were compromised or disappeared tomorrow, how quickly and easily could we recover?

Suppliers that score low on access and high on replaceability are commodity relationships. They warrant a baseline level of diligence, but not intensive ongoing assessment. Suppliers that score high on access or low on replaceability are where concentrated effort should go. This does not replace more detailed assessment, but it offers a triage lens that can help organisations decide where limited resource should be directed first.
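To make the two-question lens concrete, here is a small added example (not James's framework as he presented it, nor code from anyone at the session) that scores a constructed supplier list on access and recoverability and compares the result with a spend-based ranking. The access scale, the day thresholds and the supplier names are assumptions chosen to illustrate the point; the fencing and port services cases echo the examples raised earlier in the discussion.

```python
from dataclasses import dataclass

@dataclass
class Supplier:
    name: str
    annual_spend: int    # constructed figure, GBP per year
    access: int          # assumed scale: 0 none, 1 non-sensitive data,
                         # 2 sensitive data, 3 network or system access
    recovery_days: int   # estimated time to recover if the supplier
                         # were compromised or disappeared tomorrow

def triage_tier(s: Supplier) -> str:
    """Two-question triage: where should concentrated effort go?"""
    if s.access >= 2 or s.recovery_days > 30:   # high access OR hard to replace
        return "focus"
    if s.access <= 1 and s.recovery_days <= 7:  # low access AND easily replaced
        return "commodity"
    return "standard"                           # baseline diligence, periodic review

def rank_by_spend(suppliers):
    """The common default: treat invoice value as a proxy for criticality."""
    return [s.name for s in sorted(suppliers, key=lambda s: -s.annual_spend)]

def rank_by_triage(suppliers):
    """Order by tier, then by access and recovery time within the tier."""
    order = {"focus": 0, "standard": 1, "commodity": 2}
    key = lambda s: (order[triage_tier(s)], -s.access, -s.recovery_days)
    return [s.name for s in sorted(suppliers, key=key)]

def missed_by_spend(suppliers, top_n=3):
    """Focus-tier suppliers that a top-N-by-spend review would never reach."""
    top_spend = set(rank_by_spend(suppliers)[:top_n])
    by_name = {s.name: s for s in suppliers}
    return [n for n in rank_by_triage(suppliers)
            if triage_tier(by_name[n]) == "focus" and n not in top_spend]

# Constructed sample portfolio (all values invented for illustration)
SAMPLE = [
    Supplier("CloudHost",    900_000, access=3, recovery_days=60),
    Supplier("PayrollSaaS",  250_000, access=2, recovery_days=21),
    Supplier("Catering",      60_000, access=1, recovery_days=14),
    Supplier("Stationery",    40_000, access=0, recovery_days=1),
    Supplier("FencingCo",     12_000, access=2, recovery_days=3),   # holds site locations
    Supplier("PortServices",   8_000, access=3, recovery_days=5),   # has network access
]

if __name__ == "__main__":
    print("by spend: ", rank_by_spend(SAMPLE))
    print("by triage:", rank_by_triage(SAMPLE))
    print("missed:   ", missed_by_spend(SAMPLE))
```

The two lowest-spend suppliers land in the focus tier and are exactly the ones a spend-driven review of the top three would skip.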

The point about incident response planning also resonated with several participants. Knowing that a supplier is critical means having a tested plan for what happens when something goes wrong with them, not just an annual questionnaire confirming that they say their systems are secure.

Closing Reflections

The conversation closed with acknowledgement that supply chain security is not a problem that gets solved. It is a problem that gets managed, incrementally, imperfectly, and with constant reassessment as the landscape shifts. The organisations that do it well are not necessarily the ones with the most sophisticated platforms or the longest supplier questionnaires. They are the ones that have thought carefully about what they are actually trying to know, what they can realistically verify, and where the genuine risk lies.

Thank you, James, for proposing and leading the topic, and to everyone who joined and contributed. The depth and generosity of this community never ceases to amaze me, and I am very proud to be a part of it.

The next #InfosecLunchHour takes place on Wednesday 3 June 2026 at 12:30pm. If you would like to join a group of cyber and Infosec professionals for some relaxed chat over lunch, please contact me via lisa@unitysolutions.org.uk to be added to the calendar invite.

#InfosecLunchHour is a free, open, community networking event hosted by Lisa Ventura MBE FCIIS. All discussions take place under Chatham House Rules: participants may use information shared in the meeting but may not attribute it to named individuals or organisations.