2 Forces: Supply Chain Mgmt. & AI

 

Two forces are reshaping enterprise risk and performance at the same time. AI is accelerating decision-making and automation while supply chains are becoming more digital and therefore more exposed through third parties. These aren't separate conversations. As organizations embed GenAI into workflows, they also expand their dependency on vendors, platforms, models and data pipelines they don't fully control. The result is a single leadership mandate: scale AI and supplier ecosystems with governance that is continuous, risk-based and operational so that innovation doesn't outpace trust.

 

AI is Dominating Every Conversation — But Governance Must Catch Up

AI has moved from experimentation to expectation and most organizations are adopting faster than they are governing. Early wins with GenAI are real but so are the exposures. These include uneven data quality, unclear accountability and a growing reliance on third parties whose controls we don't fully see. Generative AI are only one slice of enterprise AI, often deployed selectively; the bigger story is the gap between enthusiastic adoption, advancing agentic technology and disciplined risk management at scale.

• Keep humans in the loop by design. "Human-in-the-middle" isn't a temporary workaround, it's the control plane for context, judgment, and accountability.
• Trust is the constraint. Successful AI programs clear the hard hurdles first: data quality, scalability, bias, model reliability, and reproducibility.
• Control and visibility will consolidate around an "LLM mesh." Centralizing access to model services enables consistent safeguards (like PII redaction), usage logging, performance monitoring, and cost tracking across teams.
• Invest where AI becomes operational not just experimental. Prioritize enablement in:
• MLOps + AIOps: integrate models into governance and continuously improve the health and security of the infrastructure they run on.
• RAG governance: ensure retrieval is relevant, authorized, and auditable – the difference between a helpful copilot and a confident hallucination.
• Synthetic data plus federation: expand training and testing safely while preserving context and reducing unnecessary exposure of sensitive data.
• Threats are already here – Model exfiltration, prompt injection, data poisoning, model tampering and AI supply-chain compromise are practical, not theoretical, risks.
• Security basics still win, apply them to AI. Secure credentials, treat agents like human users, monitor behavior and use time- and task-bound tokens to reduce blast radius.
• Scaling is the problem and it shows up in familiar ways:
• Many demos, few durable outcomes.
• Clear market appetite, but uneven maturity and safety in deployment.
• Early friction with data controls, access, and auditability.
• AI technical debt accumulates quietly. Weak data lineage, shifting behavior patterns (including fraud), and silent model degradation can erode outcomes long before anyone notices.
• Where AI earns its keep: automation, contract comparison (penalties/credits), SLA variance reporting, stronger vendor vetting loops, and help closing persistent skills gaps.
• Next, agentic AI will supplement prediction, correlation, and message delivery but only if we constrain autonomy with clear permissions and measurable guardrails.

 

Supplier Risk Is Now a Top Breach Driver—And We're Treating It Like Paperwork

Supply-chain and third-party attacks scale. That is precisely why they now rival and often surpass ransomware as a primary enterprise threat vector. When a vendor is compromised, risk doesn't stay with the vendor, it transfers to the enterprise that depends on them. Yet many programs still rely on periodic questionnaires and point-in-time attestations, even as the digital ecosystem shifts weekly. The result is predictable: incomplete assessment coverage, slow remediation, and cascading impact when something goes wrong.

The fix is not a single tool, its leadership intent, enforceable governance, and operational integration.

• Assume third-party risk is first-party risk. It affects brand trust, regulatory exposure, and resilience just as directly as internal failures.
• Risk transfers regardless of ownership. If a vendor runs a critical workflow, their incident becomes your incident operationally and reputationally.
• Questionnaires are necessary but insufficient. Move from annual paperwork to continuous, intelligence-led oversight that reflects how vendors actually operate.
• Build a program that runs continuously. Align tiering, monitoring, and response to enterprise risk strategy not procurement cycles.
• Leadership intent determines maturity. Sustainable outcomes require commitment to governance, funding, and the unglamorous foundational work.
• Treat vendor incidents as enterprise incidents. Pre-integrate escalation paths, containment playbooks, and communications so response time doesn't start at contract review.
• Identity, access, and monitoring reduce blast radius. Enforce least privilege, segment access, and log activity across third-party integrations.
• Make governance risk-based and enforceable. Tier vendors by criticality; require contractual security outcomes (SLAs, audit rights, verification); and define escalation tied to operational impact.
• Prefer independent validation over self-attestation. It improves confidence in control effectiveness and produces defensible evidence for customers, regulators, and leadership.
• Embed supplier risk into existing operating rhythms change management, awareness, and SDLC so it becomes durable, not episodic.
• Policies and process are foundational; tools should amplify discipline, not replace it.
• Threat intelligence and IT operations belong together shared asset inventories and access controls make monitoring actionable.

 

Journey Through Asia: Reflections, Lessons & the Power of Family

Arriving in Tokyo always brings a sense of order and discipline, but this time it felt even more pronounced. Like many long international flights I've taken, we landed under the cover of darkness nearly 24 hours after leaving home—with only carry-on bags to stay nimble for a three-country journey in under three weeks.

Returning to Tokyo after almost a decade was both nostalgic and refreshing. Instead of staying in the heart of the city, we opted for an Airbnb an hour outside the capital. A quaint two-story flat with all the essentials and a few quirks we've learned to embrace when traveling. This time, it was the cruise-ship-sized shower on the second floor and the red-painted walls on the first that made work Zoom calls interesting. Still, the location gave us an authentic slice of suburban Japan and made our visits to the Samurai Museum, Sensō-ji Temple, and a traditional & memorable tea ceremony even more special.

One unexpected highlight: stamp collecting. Various places we went — from temples to train stations with each stamp felt like a small treasure. And of course, the ever reliable 7-Eleven became our go-to for late-night snacks, essentials, and TikTok-famous treats the kiddos were eager to try. Their willingness to sample local packaged meals was a small joy in itself.

From there, we journeyed to Kyoto and Osaka on the bullet train cruising at 150mph. We witnessed and experienced everything from the world's busiest crosswalk to majestic castles, exceptional sushi, and surprisingly delicious Japanese curry. Yet even with Japan's legendary order and efficiency, navigating train transfers proved challenging. Thankfully, my daughters took the lead from backtracking storage lockers to multi-line transfers while I hit my limit without knowing the language.

With clean clothes running low, we welcomed our next stop, Manila, for dry cleaning services. We expected but came to reality the drastic variance of wether changing fro 20 degrees Warner with just a 4 hour flight southward. After navigating traffic reminiscent of LA rush hour despite landing after 10 p.m. we arrived in a beautifully crafted Airbnb south of the city. From custom woodwork to a modern kitchen and a sunlit upper deck, it was a warm welcome. Our host's generosity, from freshly made morning coffee to lending his vehicle, allowed us to explore local neighborhoods with ease.

This visit felt different from my business trip 13 years earlier. This time, it was all about family, our "Asia Extravaganza," as we coined it when we decided to take this trip 7 months prior to initial plans. This was due in part of more than 300 cousins across four generations reuniting on my mom's side. Imagining the few who couldn't attend only amplified the magnitude of the moment. The celebrations stretched into the week and continued with my dad's side of the family, smaller in number but overflowing with gratitude, stories, and a shared sense of pride.

Understanding the local language made every conversation richer, especially when contrasted with Japan and later Bangkok, where cultural similarities were familiar but language barriers more pronounced. Across these countries, the influences of history, economics, and regional culture whether Chinese or Indian were evident.

Bangkok brought its own energy being vibrant, spiritual, and dynamic. From temples and Buddhas proudly on display to the Sky Tower (the Hangover filming location we recognized), a duck boat ride through Lumphini Park, and Muay Thai at Rajadamnern Stadium, the city delivered one experience after another. We even met a local student eager to practice English, offering insider tips on lesser-known temples which was an exchange that inspired us to pay it forward even more so when we get back home.

Of course, no trip to Bangkok is complete without a canal boat ride and a Tuk-Tuk adventure. And the Grand Palace and sacred Buddha temples offered a breathtaking reminder of Thailand's cultural soul.

Now, writing during an unexpected delay in Hong Kong (my first visit here). I'm taking advantage of the downtime to journal. My sister brought my folks across the globe and now it's our turn to bring them home. They're ready for their own beds, familiar routines, and the comforts of home after two months.

Leadership has taught me many things, and communication remains at the center of them all. In travel as in business clarity matters. As I wait for updates from our gate crew, I'm reminded how essential communication becomes, especially in unfamiliar surroundings. Through every step of this journey, my compass and soulmate and two daughters have been right there with me, exploring countries they're seeing for the first time.

Quick debrief…

• Family is the strongest anchor. Whether across a table or across continents, it's the connections that matter most.

• Cash is king abroad. Local currency remains essential, no matter how digital we've become.

• Pay it forward. Advice, kindness, local insights, small gestures shape meaningful experiences.

• We prefer structured agenda. While we enjoy the spontaneity of travel, this trip reaffirmed that a well-planned itinerary is our natural rhythm.

• Stay adaptable. From train stations to flight delays, flexibility is a powerful skill.

As we watch the United Airlines app, strategize backups for our now-uncertain LAX connection, and accept that a PTO day may be sacrificed to maintenance delays, one thing remains clear: this adventure has been priceless. 

And I can't wait for our next family journey.

Making Cyber Risk a Company-Wide Priority

SINC Fireside Chat: Security Is Everyone's Job: Aligning Cybersecurity and Business Through Leadership and Trust. Aligning Cybersecurity and Business Through Leadership and Trust. Cybersecurity isn't just about protection but instead about performance. When security is embedded into the organization's fabric, aligned with business objectives, and championed by leadership, it becomes a catalyst for growth, resilience, and mission success.

Cybersecurity is a Business Imperative

Boards and executive leadership increasingly recognize cybersecurity as a core business risk. Awareness is high, but execution gaps remain. Regulators and investors expect demonstrable governance, transparency, and effective cyber programs that protect revenue, enable strategic initiatives, and preserve brand trust.

The most mature organizations treat cyber risk as enterprise risk. Risks are measured, prioritized, funded, and owners are held accountable to the  business. Frameworks such as NIST CSF and CIS Controls offer practical structures to operationalize these principles.

Governance turns to Execution

Cybersecurity governance must extend from the board to the CEO, CISO, CIO, and business leaders. Integration starts with:

1. Incoporating security into workflows — embedding controls into product development, procurement, onboarding, and vendor intake.
2. Ensuring security habitual — through frictionless solutions such as single sign-on, passwordless access, automated patching, and secure defaults.
3. Defining role-based responsibilities — integrated into job descriptions and performance reviews.
4. Delivering contextual learning — just-in-time nudges within email and collaboration tools.
5. Embedding security champions — within business functions like engineering, HR, and sales to act as internal service partners.

Risk Translated into Business Terms

Start with a value map connecting critical business assets revenue streams, intellectual property, and customer data to that of cyber controls. Define risk appetite and thresholds to clarify acceptable downtime or data loss. Translate these into measurable KPIs such as:

• Percentage of revenue-impacting systems patched within SLA
• Mean time to detect and remediate incidents
• Frequency of resilience and recovery tests passed
• Risk exposure and ROI of cyber investments
• Third-party assurance levels for critical vendors

Measurements that show business impact and risk trend lines help leadership make informed, strategic decisions.

Quantifying and Communicating Risk

Adopting Cyber Risk Quantification (CRQ) enables leaders to evaluate potential financial impacts: lost revenue, remediation costs, fines, and compare them with other enterprise risks in a shared business language.

Run tabletop exercises that use these quantified scenarios to prepare the board for tradeoffs, investment decisions, and communication strategies. Brief leadership concisely — focus on scenario impacts, not technical detail.

Embed cyber oversight into board committee charters (audit, risk, or dedicated cyber committees) and establish standing agenda items for top risks, readiness, and compliance updates. Use leadership pipelines to influence vendors, reinforce supply chain security, and restore customer trust after incidents.

Build a Culture of Security

Technology without culture is brittle. Sustainable resilience depends on the synergy of People, Process, and Technology. An emphasis my co-presenter established which each reinforcing the other.

• People are the first line of defense and most vital element to maturity and success. Leadership must model secure behavior and psychological saftegy, reward good security habits, and foster psychological safety where employees report issues without fear of blame. 
• Process provides structure and balance between the other pillars. Embed security governance into workflows, performance measures, and decision-making routines across business functions.
• Technology amplifies capability and supports the structure built. Invest in frictionless, adaptive solutions that enable security by design and reduce complexity for users.

Together, these pillars create a resilient ecosystem where security becomes second nature not a separate discipline.

Measuring Readiness

Run annual board-led tabletop exercises to test decision-making and communication readiness. Track key indicators such as time-to-decision, time-to-public communication, and exercise frequency. Maintain pre-approved playbooks for communications, legal response, and escalation paths.

Leadership should:

• Approve the top 5-10 enterprise cyber risks and risk appetite definitions.
• Endorse funding for a CRQ pilot and prioritized CIS Controls implementation.
• Commit to an annual tabletop exercise and a monthly top-risk dashboard.

Conclusion

It's an honor to help empower cybersecurity and business leaders with strategies that transform technical risk into business urgency and position cybersecurity as a true business driver.

A modern take on the Security "CIA Triad" extends beyond confidentiality, integrity, and availability to include:

• Communication — telling the "why" story that resonates across the enterprise.
• Integration — fostering genuine, enterprise-wide partnership.
• Adaptation — driving innovation to advance the organization's mission.

This discussion extends and deepens the conversation around cybersecurity as a business imperative. A leadership discipline that drives trust, resilience, and competitive advantage.

Software Supply Chain in Crisis

CISO panel discussion at Cyber Defense Conferences on evolving third-party and AI supply chain risks

Third-party and software supply chain threats are escalating in complexity and frequency, driven by trusted access, automation, and the rapid adoption of AI. Traditional governance models reliant on static assessments and siloed controls are no longer sufficient. A shift toward continuous, integrated, and behavior-based security is imperative.

Key Insights

• Fundamentals still matter
  Core security principles including strong credentials, least privilege, layered defenses, and Zero Trust Architecture (ZTA) remain foundational. These principles must extend across third-party ecosystems.
• Third-Party risk is a growing threat vector
  Attackers exploit trusted relationships, leveraging vendor access, CI/CD credentials, and automated update pipelines to bypass controls. The software supply chain remains fragile due to fragmented ownership across AppSec, CloudSec, and Vendor Risk.
• AI-Native Dependencies Expand the Attack Surface
  AI vendors introduce opaque models, broad API integrations, and sensitive data flows. This creates new risks: model tampering, data leakage, and abuse of delegated access.
• Velocity Outpaces Governance
  The scale and speed of modern development particularly with GenAI have outstripped traditional security and compliance models. Manual vetting can no longer keep pace.
• Nation-state and ransomware threats converge
  Adversaries increasingly target SaaS and developer ecosystems for espionage, disruption, and extortion. Supply-chain compromise offers persistent access and high-leverage impact.

Strategic Actions

1. Modernize vendor governance
   Transition from static questionnaires to continuous trust models. Require SBOMs, runtime attestations, CI/CD hygiene evidence, and enforce phishing-resistant MFA and rapid credential revocation.
2. Institutionalize continuous validation
   Adopt CTEM-like models for third-party and supply chain risk. Automate dependency scanning, runtime enforcement, and least-privilege enforcement for connectors and APIs.
3. Govern AI-generated code
   Implement CI policies requiring AI-generated code to be flagged, scanned, and reviewed especially for critical modules. Make this process auditable and enforceable.
4. Prepare for supply chain campaigns
   Develop cross-functional incident playbooks. Simulate package compromise scenarios, enforce CI runner isolation, and ensure rapid token rotation and rollback capabilities.
5. Unify ownership across domains
   Assign a supply-chain risk owner e.g., CISO, Legal, and IT lead) with authority to enforce cross-team controls. Align SLAs and runbooks across AppSec, DevOps, CloudOps, and Vendor Risk.

Securing today's dynamic and delicate supply chain eco-system demands more than tools but a strong third-party risk management program rooted in risk-based tolerance approach through execution of  enterprise-wide partnership, trusted vendor relationships, and continuous validation. Next up, 4th-parties...