As enterprise digital ecosystems become more complex and interconnected, one reality is becoming increasingly clear: the greatest cybersecurity threats may no longer come from within, but from partners, vendors, and third-party service providers.
In conversation with iTNews Asia, Kavitha Mariappan, Chief Technology and Experience Officer (CTxO) at Rubrik, shared a stark warning: many organisations are dangerously blind to the true risks embedded in their supply chains, and it is time for security and business leaders to take a more proactive, resilience-driven approach.
“Supply chains are inherently fragmented, and most organisations lack visibility into their third-party ecosystems,” Mariappan said. Inconsistent access controls and poor security hygiene are often observed in vendors, turning them into high-risk entry points.
Despite growing awareness of supply chain threats, many companies still treat third-party risk management as a compliance checkbox. Security attestations are often limited to annual surveys or outdated documentation, a practice that leaves glaring vulnerabilities unaddressed.
“Too many third-party assessments are superficial, and there’s limited appetite or bandwidth for in-depth audits,” she noted.
Another common blind spot is the assumption that migrating to the cloud automatically shifts all security responsibility to the provider. In reality, cloud platforms operate under a shared responsibility model, meaning enterprises must secure their own configurations, access controls, and data, especially when third parties are involved.
“Security practices haven’t kept pace with cloud adoption,” Mariappan explained. “Without evolving access control and visibility frameworks, critical gaps remain and attackers know how to exploit them.”
The evolving threat posed by AI
Adding fuel to the fire is the rise of AI-powered attacks, particularly those using generative AI (GenAI). Threat actors, including nation-state groups, are exploiting GenAI to craft highly sophisticated phishing campaigns, impersonate executives through voice synthesis, and launch targeted social engineering attacks on third-party service desks and suppliers, often the weakest links in the chain.
“These attacks aren’t always aimed directly at the enterprise,” the CTxO explained. “Instead, they’re going after third-party support teams or OT vendors who hold the keys to critical infrastructure. GenAI makes it easier than ever to launch these attacks at scale, across geographies and languages.”
She further explained that even non-malicious AI adoption poses risks. As organisations rush to integrate AI tools to boost productivity, many fail to examine how these tools process, store, or even re-use proprietary data. Confidential business data could be used to train external AI models, effectively resulting in its leakage into the public domain.
Visibility is power, but hard to achieve
With today’s digital landscape, data and access no longer stay confined within an organisation’s walls. Enterprises rely on a web of cloud-native platforms, third-party integrations, and SaaS tools. This complexity makes it difficult to know where sensitive data resides or who can access it.
To tackle this, Mariappan advocated for a comprehensive mapping of the vendor ecosystem, including “fourth-party” dependencies. Tools like Software Bills of Materials (SBoMs) can offer transparency into the software supply chain, highlighting components and their origins.
Additionally, organisations must implement shared visibility with partners, continuous access control validation, real-time telemetry to flag anomalies and eventually shift from “trust by default” to “continuous verification”.
“Identifying weak links is no longer enough. We need to model how attacks might spread through supply chains and respond before damage is done.”
- Kavitha Mariappan, Chief Technology and Experience Officer (CTxO), Rubrik
This is where continuous threat modelling and automated vendor risk scoring come into play. These tools simulate attack paths through third-party environments and dynamically adjust risk profiles based on behavioural signals, not outdated surveys.
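The vendor-ecosystem mapping described above (third- and fourth-party dependencies) and the attack-path modelling with behavioural risk scoring in this paragraph can be sketched together in a small script. The following is an added example, not code from the article or from Rubrik; the vendor names, the access records and the behavioural signals are all constructed, and the scoring weights are an illustrative assumption rather than any product's formula.

```python
"""Map a supply-chain dependency graph, enumerate the chains that reach a
critical asset, and score each party from live behavioural signals rather
than an annual questionnaire. Added example; all data below is constructed."""
from collections import deque

# Constructed: who relies on whom. Direct vendors of "enterprise" are third
# parties; anything they in turn rely on is a fourth party.
DEPENDENCIES = {
    "enterprise": ["payroll-saas", "ot-integrator", "cloud-provider"],
    "payroll-saas": ["analytics-vendor", "cloud-provider"],
    "ot-integrator": ["remote-support-desk"],
    "analytics-vendor": ["cloud-provider"],
    "remote-support-desk": [],
    "cloud-provider": [],
}

# Constructed: which party holds standing access to which sensitive asset.
ACCESS = {
    "remote-support-desk": {"plc-network"},
    "payroll-saas": {"hr-data"},
    "analytics-vendor": {"hr-data"},
}
CRITICAL_ASSETS = {"plc-network", "hr-data"}

# Constructed telemetry: what a continuous-verification feed might report.
SIGNALS = {
    "payroll-saas": {"mfa_enforced": True, "failed_logins_24h": 3, "attestation_age_days": 200},
    "ot-integrator": {"mfa_enforced": True, "failed_logins_24h": 0, "attestation_age_days": 90},
    "cloud-provider": {"mfa_enforced": True, "failed_logins_24h": 0, "attestation_age_days": 30},
    "analytics-vendor": {"mfa_enforced": True, "failed_logins_24h": 0, "attestation_age_days": 500},
    "remote-support-desk": {"mfa_enforced": False, "failed_logins_24h": 12, "attestation_age_days": 400},
}


def tiers(root="enterprise"):
    """Breadth-first walk: depth 1 = third party, depth 2 or more = fourth party."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in DEPENDENCIES.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return depth


def fourth_parties(root="enterprise"):
    """Parties the enterprise has no contract with but still depends on."""
    return sorted(p for p, d in tiers(root).items() if d >= 2)


def access_paths(asset, root="enterprise"):
    """Every dependency chain from the enterprise to a party that can reach asset."""
    paths = []

    def walk(node, path):
        if node != root and asset in ACCESS.get(node, set()):
            paths.append(list(path))
        for dep in DEPENDENCIES.get(node, []):
            if dep not in path:  # guard against cyclic dependencies
                path.append(dep)
                walk(dep, path)
                path.pop()

    walk(root, [root])
    return paths


def risk_score(party, root="enterprise"):
    """0-100 score from graph distance, live signals and asset reach.
    Weights are an illustrative assumption, not a standard."""
    s = SIGNALS.get(party, {})
    score = 10 * tiers(root).get(party, 3)                 # less visibility further out
    score += 0 if s.get("mfa_enforced", False) else 25     # weak access control
    score += min(s.get("failed_logins_24h", 0), 50) // 2   # anomalous auth activity, capped
    score += 20 if s.get("attestation_age_days", 0) > 365 else 0  # stale attestation
    if ACCESS.get(party, set()) & CRITICAL_ASSETS:
        score += 20                                        # blast radius if compromised
    return min(score, 100)


def prioritised(root="enterprise"):
    """Parties ordered by score, highest first: the review queue for the day."""
    parties = [p for p in tiers(root) if p != root]
    return sorted(((p, risk_score(p, root)) for p in parties), key=lambda x: -x[1])


if __name__ == "__main__":
    print("fourth parties:", fourth_parties())
    for asset in sorted(CRITICAL_ASSETS):
        print(asset, "reachable via", access_paths(asset))
    for party, score in prioritised():
        print(f"{party:22s} {score:3d}")
```

Run as a script, the output shows that the highest-scoring party is a fourth party the enterprise never contracted with directly, which is exactly the visibility gap the article describes; a real feed would replace the constructed `SIGNALS` table with telemetry from identity and access logs.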
She also noted that these tools are only as effective as the culture and workflows that support them. The CTxO emphasised that organisations must embed these capabilities into operational processes, turning cyber resilience into a business mandate, not just a security initiative.
Importance of a resilient recovery strategy
A resilient recovery strategy goes beyond simply restoring systems after a cyberattack. It’s about ensuring the business can bounce back quickly, securely, and with minimal disruption.
This involves having immutable, air-gapped backups to safeguard critical data, well-defined incident response playbooks that include third-party coordination, and robust threat containment measures to prevent reinfection or lateral movement. It also requires enforcing Zero Trust principles across the extended supply chain, continuously verifying every access request, even from trusted vendors, she explained.
Critically, recovery readiness must be validated through regular simulations and tracked against key metrics like Recovery Point Objective (RPO) and Recovery Time Objective (RTO), ensuring that organisations can not only limit operational downtime but also maintain data integrity and preserve stakeholder trust in the wake of a supply chain breach.
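Tracking a recovery drill against RPO and RTO can be automated with a few lines. The example below is added here and is not from the article or from Rubrik; the snapshot times, intrusion time and targets are constructed. It makes one point the paragraph leaves implicit: when an attacker has dwelt in the environment before detection, the achieved RPO has to be measured from the last snapshot taken before the intrusion began, not from the most recent one, because later snapshots may already contain the compromise.

```python
"""Evaluate one recovery drill against RPO and RTO targets.
Added example; all timestamps and targets below are constructed."""
from datetime import datetime, timedelta

# Constructed drill record (hypothetical values).
SNAPSHOTS = ["2024-05-01T00:00:00", "2024-05-01T06:00:00", "2024-05-01T12:00:00"]
INTRUSION_START = "2024-05-01T10:00:00"    # first attacker activity, per forensics
INCIDENT_DETECTED = "2024-05-01T15:30:00"  # when response began
SERVICE_RESTORED = "2024-05-01T19:00:00"   # last critical service back online
RPO_TARGET = timedelta(hours=4)
RTO_TARGET = timedelta(hours=2)


def _ts(text):
    return datetime.fromisoformat(text)


def last_clean_snapshot(snapshots, clean_before):
    """Newest immutable snapshot taken no later than clean_before."""
    candidates = [_ts(s) for s in snapshots if _ts(s) <= _ts(clean_before)]
    if not candidates:
        raise ValueError("no snapshot predates the cut-off; recovery from backup is impossible")
    return max(candidates)


def achieved_rpo(snapshots, detected, intrusion_start=None):
    """Data-loss window: from the last known-clean snapshot to detection.
    Without an intrusion time the latest snapshot is trusted, which overstates readiness."""
    cutoff = intrusion_start or detected
    return _ts(detected) - last_clean_snapshot(snapshots, cutoff)


def achieved_rto(detected, restored):
    """Downtime window: from detection to full restoration."""
    return _ts(restored) - _ts(detected)


def drill_report(snapshots, intrusion_start, detected, restored,
                 rpo_target=RPO_TARGET, rto_target=RTO_TARGET):
    """Summarise one drill as the metrics a resilience dashboard would track."""
    rpo = achieved_rpo(snapshots, detected, intrusion_start)
    rto = achieved_rto(detected, restored)
    return {
        "rpo_hours": rpo.total_seconds() / 3600,
        "rpo_met": rpo <= rpo_target,
        "rto_hours": rto.total_seconds() / 3600,
        "rto_met": rto <= rto_target,
        "restore_point": last_clean_snapshot(snapshots, intrusion_start).isoformat(),
    }


if __name__ == "__main__":
    naive = achieved_rpo(SNAPSHOTS, INCIDENT_DETECTED)
    print("RPO if the newest snapshot is trusted:", naive)
    for key, value in drill_report(SNAPSHOTS, INTRUSION_START,
                                   INCIDENT_DETECTED, SERVICE_RESTORED).items():
        print(f"{key:14s} {value}")
```

With the constructed values the drill looks acceptable on RPO if the newest snapshot is trusted (3.5 h against a 4 h target) but fails once the 10:00 intrusion is taken into account (9.5 h), and it misses RTO as well; both findings are what a simulation is meant to surface before a real breach does.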
Looking ahead, Mariappan pointed to Agentic AI, AI systems capable of making autonomous decisions, as a frontier technology with massive implications for supply chain security. These agents can accelerate response to cyber threats, but they also introduce new operational risks if left unchecked.
“Current observability tools can show what happened. But they don’t always show why or how to undo it. That’s the next evolution in AI governance,” she said.