The scale of the problem was the first thing that hit. When you're dealing with 15,000 or more vendors and suppliers, the idea of securing your supply chain stops feeling like a process and starts feeling like a maze. And yet, here we are.

Some of the major attacks this year (F5, NPM, JLR) are a reminder that this isn't a theoretical risk. What makes it harder to stomach is that many of the entry points being exploited are ones we've been talking about for 10 to 15 years. The basics still aren't being done.

A big part of the reason is that most companies approach supply chain security purely as a compliance exercise. And as the speaker made clear, being fully compliant doesn't make you safer. Ticking boxes and genuinely reducing risk are two very different things.

So where does it actually break down? Three challenges kept coming up.

The first is ownership. Supply chain risk often lives with procurement or a risk pillar within finance, not with IT or cyber. That means CISOs don't get much control over something that directly affects their security posture. The second is getting suppliers to actually improve. The answer isn't dumping 100 things to fix on them or sending them a score with no context. It's being specific: telling them the three things that matter most, and understanding their pain points. The third is continuous monitoring, which sounds like a massive task, because it is.

The NCSC's principles for supply chain security offer a useful frame here: get visibility first, then establish control, then reduce the risk. The practical version of that is breaking down your vendors, identifying where the biggest risks to your organisation actually sit, and putting your effort there. Attackers are always looking for the weakest link in the chain, so it's worth spending time tearing the chain down yourself to see what falls where.

On the monitoring side, the goal is collecting data better and faster than attackers can, building an external picture to footprint your supply chain. One honest observation from the talk was that in third party risk management, too much effort goes into managing risk on paper and not enough into actual remediation.

The mindset shift that stuck with me most was this: treat your vendors' security posture like your own. Third parties generally want to do the right thing because they want to keep your business. The problem is they often don't know how, don't have the resources, or have outsourced in ways that create gaps. The answer isn't writing them off. It's telling them specifically what they need to fix.

And when you're dealing with a large number of third parties, the only realistic way to get visibility is through automation. Tier your suppliers by priority and risk, then set up monitoring the same way a SOC would. Structure brings control, and control is where supply chain security actually starts.

These are my notes from the session, not a transcript. If you were there and see it differently, or have thoughts, drop a comment below! :)