Continuous defense is essential to mitigate growing supply chain risks

Expanding digital partnerships in the supply chain are exposing gaps in TPRM models.

As digital ecosystems grow more complex across Asia Pacific, supply chains have become deeply interconnected and increasingly exposed. Organisations are onboarding more suppliers, cloud providers and service partners than ever before, but risk visibility has not kept pace.

In conversation with iTNews Asia, William Oh, Head of Asia Pacific at BlueVoyant, shared insights on why traditional third-party risk management (TPRM) models are falling short and why the future of supply chain defence must be continuous, measurable and business aligned.

As outsourcing, cloud adoption, and digital partnerships accelerate, supplier ecosystems are expanding rapidly. But many TPRM assessments still operate on quarterly or annual cycles.

According to Oh, even organisations with mature TPRM programmes underestimate how fast supplier risk changes. “Maturity isn’t just having a process. It’s about continuously seeing what’s happening across your supplier ecosystem and focusing on the vulnerabilities that would really hurt your business,” he said.

One of the industry’s most persistent blind spots, he pointed out, is its inability to measure whether remediation efforts actually reduce risk. As vendor ecosystems grow, teams often struggle to prioritise which suppliers pose the greatest business risk. Zero-day vulnerabilities within third-party environments further complicate the picture.

“The key to understanding risk presented by a zero day in a third-party ecosystem lies in the ability to quantify the risk, determine mitigations and implement those mitigations in a timely manner,” Oh said.

The problem with “TPRM Theatre”

Oh describes much of the current market as “TPRM theatre”: an over-reliance on policies, questionnaires and dashboards that creates the optics of control without delivering true resilience.

He added that internal resistance, tool integration challenges, and inconsistent governance continue to hinder effective risk reduction. “Many organisations identify supplier risks but fail to act consistently.”

Meanwhile, threat actors are also exploiting trust relationships at scale, compromising managed service providers, software update mechanisms, and trusted credentials to gain indirect access to enterprise environments.

“Most companies feel that self-attestation of policies and point-in-time reviews are enough to mitigate risk. In reality, what is required is a continuous objective understanding of the third-party risk environment and mitigation strategies,” Oh explained.

Convergence of attacks

Supply chains are increasingly being used as indirect entry points into enterprises. Instead of attacking well-defended organisations directly, threat actors compromise smaller vendors, managed service providers, software update mechanisms or trusted credentials.

The rise in supply chain breaches isn’t driven by a single factor; it's a convergence of scale, exposure and visibility.

- William Oh, Head of Asia Pacific, BlueVoyant

He added that organisations are expanding their vendor ecosystems faster than risk teams can manage, while TPRM maturity and integration remain uneven. “That expansion alone creates a dramatically larger attack surface, and most organisations struggle to prioritise and govern that risk effectively.”

Improved monitoring has also revealed incidents that previously went undetected.

Continuous, quantified defense

For Oh, the next generation of supply-chain defense must move beyond self-attested reviews to continuous, objective monitoring. This includes monitoring third and even fourth-party dependencies, identifying vulnerabilities across supplier attack surfaces, and quantifying risk in a way that enables clear prioritisation.

He explained that organisations are now recognising supply-chain security is not purely a technical issue, but a business risk that must be managed strategically. Long-term resilience depends on stronger third-party risk programmes, closer collaboration with suppliers to remediate issues, and early risk detection through continuous oversight.

“Resilience comes from visibility and action across the supplier ecosystem, not just more tools or reports,” he added.

As more organisations outsource detection and analysis, Oh cautioned against relinquishing ownership of core risk decisions. The most resilient organisations treat outsourced services as an extension of their teams, while keeping governance, prioritisation, and decision making firmly in-house.

He described true integration of TPRM as embedding risk considerations at every stage of the supplier lifecycle, from vendor selection and contract negotiation through to expansion and executive decision-making.

“Executives should see supplier risk alongside financial and operational metrics. When risk insights influence real business decisions, TPRM becomes a strategic differentiator rather than a checkbox exercise,” he added.

The next frontier: Cyber risk ratings for vendors?

Looking ahead, Oh said more advanced TPRM solutions are now combining vulnerability enumeration with business risk factors to generate comparative risk scoring across suppliers.

These comparative scores could function similarly to a cyber “credit score,” helping organisations benchmark vendors before procurement, he explained.

While fully autonomous supply-chain defence systems remain a future ambition, Oh believes the direction is clear: continuous monitoring, quantified risk, and business-aligned governance will define the next chapter of third-party cyber resilience.

As APAC’s digital supply chains deepen, moving beyond checklists toward continuous, measurable defence may determine which organisations merely comply and which truly withstand the next breach.

© iTnews Asia