As enterprises accelerate digital transformation, a growing share of cybersecurity risk stems not from internal systems but from partners, vendors, and third-party providers. Experts warn that fragmented supply chains, cloud adoption gaps, and AI-driven threats are creating dangerous blind spots.
Kavitha Mariappan, Chief Technology and Experience Officer (CTxO) at Rubrik, told iTNews Asia that many organizations lack visibility into their third-party ecosystems, leaving inconsistent access controls and weak vendor security hygiene unchecked. Too often, risk management is reduced to annual compliance surveys rather than continuous monitoring.
Cloud migration has compounded the challenge. Many companies wrongly assume security responsibilities lie solely with providers. In reality, shared responsibility models mean enterprises must secure configurations, access controls, and data — particularly when third parties are involved.
The rise of generative AI (GenAI) further intensifies the risk. Threat actors are using AI to create highly targeted phishing campaigns, impersonate executives, and exploit vendor service desks. Even benign AI adoption can inadvertently expose confidential data if tools store or re-use proprietary information for training purposes.
To strengthen resilience, Mariappan highlighted several priorities:
- Vendor ecosystem mapping: including “fourth-party” dependencies, using Software Bills of Materials (SBOMs).
- Continuous verification: shifting from trust-by-default to ongoing access validation and telemetry-based anomaly detection.
- Threat modeling and risk scoring: simulating attack paths through third-party environments and updating risk profiles dynamically.
- Resilient recovery: maintaining immutable, air-gapped backups, third-party-inclusive incident playbooks, and Zero Trust enforcement across extended supply chains.
Looking forward, Mariappan pointed to agentic AI as a frontier technology that could both accelerate incident response and introduce new risks if not governed effectively.
“Identifying weak links is no longer enough,” she said. “We need to model how attacks might spread through supply chains and respond before damage is done.”