Software supply chain visibility has moved from a technical issue to a boardroom mandate, with CEOs taking notice of the business risks tied to insecure code. In this episode, Theresa Lanowitz of LevelBlue shares why visibility matters, who owns it, and how companies can act now to reduce risk and build resilience.
As digital infrastructure becomes increasingly interwoven with third-party code, APIs, and AI-generated components, organizations are realizing they can’t ignore the origins—or the risks—of their software. Theresa Lanowitz, Chief Evangelist at LevelBlue, joins Sean Martin and Marco Ciappelli to unpack why software supply chain visibility has become a top concern not just for CISOs, but for CEOs as well.
Drawing from LevelBlue’s Data and AI Accelerator Report, part of their annual Futures Report series, Theresa highlights a striking correlation: 80% of organizations with low software supply chain visibility experienced a breach in the past year, while only 6% with high visibility did. That data underscores the critical role visibility plays in reducing business risk and maintaining operational resilience.
More than a technical concern, software supply chain risk is now a boardroom topic. According to the report, CEOs have the highest awareness of this risk—even more than CIOs and CISOs—because of the direct impact on brand reputation, stock value, and partner trust. As Theresa puts it, software has become the “last mile” of digital business, and that makes it everyone’s problem.
The conversation explores why now is the time to act. Government regulations are increasing, adversarial attacks are intensifying, and organizations are finally beginning to connect software vulnerabilities with business outcomes. Theresa outlines four critical actions: leverage CEO awareness, understand and prioritize vulnerabilities, invest in modern security technologies, and demand transparency from third-party providers.
Importantly, cybersecurity culture is emerging as a key differentiator. Companies that embed security KPIs across all business units—and align security with business priorities—are not only more secure, they’re also more agile. As software creation becomes faster and more modular, the organizations that prioritize visibility and responsibility throughout the supply chain will be best positioned to adapt, grow, and protect their operations.
Learn more about LevelBlue: https://itspm.ag/levelblue266f6c
Note: This story contains promotional content.
Guest: Theresa Lanowitz, Chief Evangelist of AT&T Cybersecurity / LevelBlue [@LevelBlueCyber]
On LinkedIn | https://www.linkedin.com/in/theresalanowitz/
Resources
To learn more, download the complete findings of the LevelBlue Threat Trends Report here: https://itspm.ag/levelbyqdp
To download the 2025 LevelBlue Data Accelerator: Software Supply Chain and Cybersecurity report, visit: https://itspm.ag/lbdaf6i
Learn more and catch more stories from LevelBlue: https://www.itspmagazine.com/directory/levelblue
Learn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
[00:00:00] Sean Martin: Marco,
[00:00:00] Marco Ciappelli: Sean
[00:00:02] Sean Martin: I saw you in a shirt the other day
[00:00:04] Marco Ciappelli: in a shirt
[00:00:05] Sean Martin: in a shirt, and on the back it had,
[00:00:07] Marco Ciappelli: one that I
[00:00:07] Sean Martin: it was a black one and it, it had all, all of your ingredients printed on the back. What all the things you were made of. And I won't, I won't disclose all of the, all the things that are inside you, but uh, let's just say there's probably some
[00:00:19] Marco Ciappelli: Wait. Are you talking about the ingredient of what the shirt was made of or what I am made of? 'cause that, that's kind of
[00:00:25] Sean Martin: it was, I think it was what you were made
[00:00:27] Marco Ciappelli: Oh my God. Okay. I don't want to know that.
[00:00:29] Sean Martin: No, we won't go there. There's plenty, plenty of wine anyway. But, um, no, I think if you, if you do look at the shirt though, um, interestingly enough, you, you might care about what you put on your back and how it feels and if it's leaving any residue.
I like, I used to buy shirts that were from Hawaii and they were made in the red mud from Hawaii. And I had a, a, an unnatural tan after wearing, wearing those shirts. Granted, they disclosed what was in them, but I didn't care. But the, but the point is, sometimes you don't know what's in them and you may not see the residue that's being left behind.
And that lack of transparency, uh, can put, put you at risk if, if you're
[00:01:10] Marco Ciappelli: See, see you went with the t-shirts. I would've gone being Italian, I would've gone with food. But,
[00:01:17] Sean Martin: food side, I love
[00:01:18] Marco Ciappelli: but it's still like a, a, a pretty wide approach to cybersecurity, which was where we're talking about here, right? Is that where you're trying to go?
[00:01:26] Sean Martin: people are trying to figure out what the heck I'm talking about. Yes. I think ultimately we're talking about, uh, what is our business made of? And, and sometimes consumers of the business care what the, what the business is made of, especially if they're partners with the business. And, uh, and the only way to know that is through some transparency and visibility into supply chain and all the things that we're using from physical to digital elements and perhaps even partners in the things that make up their, their businesses. So I'm thrilled to have Theresa Lanowitz on from LevelBlue again, we're gonna talk about, uh, this topic in, in the context of the futures report LevelBlue puts together every year.
And, uh, Theresa, it's so good to see you.
[00:02:14] Theresa Lanowitz: Hi, Sean. It's great to be here with you and with Marco as well.
[00:02:18] Marco Ciappelli: Yeah. So what do you think about this metaphor? Let's start with that. 'cause I'm
[00:02:21] Theresa Lanowitz: I think it's a really, really interesting metaphor, especially Sean, you were talking about, uh, how you had a shirt dyed with the red dye with the red mud from Hawaii, and you had, um, you know, I'm assuming you probably, you know, sweat a little bit and you know, the, the, the dye transferred to your, to your skin. Um, I would love to see what the ingredients were on the back of Marco's shirt.
[00:02:45] Sean Martin: I think. I think some people want to see that. Yeah,
[00:02:48] Marco Ciappelli: Probably wine and coffee mostly.
[00:02:52] Sean Martin: exactly. I've had other shirts, by the way, that are made from natural ingredients, quote unquote, that were blue and greenish and left hues of those colors on the skin too. So I think, think I need to change my selection of shirt. Uh, but, uh, nonetheless, um, decisions need to be made. Sometimes you care, sometimes you don't.
As a business, uh, oftentimes we don't have the luxury of not caring. We're told we have to care either by a government entity or our customers or our partners. And, uh, yes, we're gonna get into what that looks like. 'cause it, it can be pretty challenging and I know the US government's trying to help with some of that, with the CMMC and, and I think Europe has a probably a better handle on transparency and visibility in this space.
But, um, doesn't mean it's easy just 'cause people are thinking about it. Um, but Theresa, we're, quickly, for those who haven't met you, let's have a quick moment to share a few words about who you are, what you're up to at LevelBlue these days, and then, uh, we'll get into the futures report and a nice overview of that as well.
[00:03:55] Theresa Lanowitz: Absolutely. So my name is Theresa Lanowitz and I'm chief evangelist with LevelBlue. And one of the things that I do at LevelBlue is I lead our thought leadership and research program and every year we publish, as you mentioned, the futures report. The futures report is our flagship product, our flagship piece of thought leadership research that comes out every year. And what we do then over the course of the year is we take all of that data that we collect for the futures report and create these smaller, more focused types of research reports that you see come out. And also for those of your listeners who may not be familiar with LevelBlue, LevelBlue, our real, our real goal is to simplify cybersecurity. And we're on a mission to be a strategic extension of your team. And we do that in three ways. First, we help you to protect your security investment through managed security services. Number two, we help you to be able to predict your business intelligence through our cybersecurity consulting services.
And number three, we really help you to be able to foster innovation and mitigate risk through our threat intelligence team.
[00:05:03] Sean Martin: Yeah, and it's an interesting balance between those last two, right? Managing risk and driving innovation. 'cause one potentially could drive the other up. See, the
[00:05:15] Theresa Lanowitz: Right, and that's where everybody wants to go, right? I mean, innovation, innovation is key, and speed is key too. That's one of the things that we've seen. Over the past decade since software development tools have become much more accessible, far easier to use, we have great tools throughout the whole software development life cycle, all the way from ideation to requirements to coding, to, uh, managing the pipeline, um, testing along the way, performance testing, functional testing. Uh, security tools are incredible. So everything has gotten so much better in terms of the tooling that we use. So that's enabled the process to speed up a little bit as well, or actually a lot in most cases.
[00:05:56] Marco Ciappelli: Yeah. So let, let's talk about, and we've talked about this in the past, a different segment of the research, but in this particular case, we're talking about the supply chain and we're not looking at t-shirts, although, yeah, maybe they're part of that. Uh, why is it becoming such a, so important for, of course, everybody to have access to the transparency related to knowing where software comes from and how the company operates, what the security level is, and if there is something in particular that stuck with you in terms of numbers that came out from this report?
[00:06:35] Theresa Lanowitz: Great points, and let me take that in two parts. So first, let's think about why the software supply chain is so important right now. Why is it a topic of conversation? And then I'll give you some startling facts that we identified in this piece of research. So if we take a look at the zeitgeist of 2025, we have major US financial corporations calling on their third party software suppliers to say, let's value security over features, over speed to market. So let's make sure that we're leading with this security first mindset. So that's the first thing. The second thing in terms of why the software supply chain is such a topical event is that we're living in the API economy. Nobody is doing all of their own software development on their own.
Everybody is interfacing with an API, whether it be through your banking institutions, through your day-to-day lives, in terms of retail, in terms of ordering food, ordering groceries, that sort of thing, and even in terms of signing into other sites, signing in through a common email application that everybody uses or signing in through social media sites that everybody uses.
So we're living in this idea of the API economy to make the transference, the collaboration of information and data so much easier. And then the third big thing is I mentioned that nobody is building software all on their own because you think about where you're getting your software that is running your business, some of it you may be getting snippets of code from open source repositories, you may be working with a trusted third party advisor that you've worked with for years inside of your organization and they're developing software for you. You may be getting some, some bit of software, commercial off the shelf software that you use and you integrate with that commercial off the shelf software. You're probably also developing some of your own software. There may be legacy code that you're bringing in or new source code that you're bringing in. So, and you're bringing in this software from all of these different places. Then, you know, Marco, you alluded to it. We have these government regulations that are coming about saying, Hey, we need to know what your software supply chain looks like. We want a software bill of materials, meaning we want an inventory of all of those software artifacts that you're using that we then are using in our software supply chain. And then you, you take a look at that and there's just this global awareness. We've seen some high profile attacks over the past couple, three months, most notably in the retail industry moving into transportation industry and hospitality industry.
So we've seen all of these different types of attacks and everything has just come to the point now where software is the last mile, that fast-paced development, that fast-paced business world, you wanna make sure that your software is ready to be able to go and be used by any of your partners, and also to run your business, but you also wanna make sure that it is secure. So then you take a look at that and you say, wow, you know, I have all of this stuff coming from all of these different places. There are so many people, so many entities, including AI generated type of software that we might be pulling into our, into our applications that we're building as well. So we have all of this software coming from disparate places, touched by so many in-person developers, as well as AI type of developers as well. You say, well, how do I really get a handle on this? I have to have some visibility into what's going on. And this is the second part of the question that you asked, Marco. What were some of the startling numbers that we found? We found that 80% of organizations with low visibility into their software supply chain, meaning they don't have that codified inventory or list of software components that's running all of their software. They don't know where that software came from. They don't know if it's come from open source. They don't know if it's come from something that's been internally developed. But 80% of organizations with low visibility into their software supply chain experienced a breach in the past 12 months. And then we take a look at the flip side of that, and if you have low visibility, 80% had low visibility and they had breaches in the past 12 months. What we also found out is that 6% of organizations said they had high visibility, and only 6% had a breach in the past 12 months. So you're far more likely to experience a breach if you have low visibility in your software supply chain than if you have high visibility.
So 80% of organizations with low visibility had a breach in the past 12 months, 6% of organizations with high visibility had a breach. So the higher your visibility, the less likely you are to have a breach. And that translates into the business use case of we wanna keep our systems operational because software runs the business.
[00:11:46] Marco Ciappelli: So it is a direct, uh, business, um, let's say business risk reducer in a way.
[00:11:54] Theresa Lanowitz: Absolutely. It
[00:11:55] Marco Ciappelli: correlation is that simple. Yeah.
[00:11:58] Theresa Lanowitz: Yeah. Yeah. It is that simple, and that's the very first thing we talk about in this bit of research is if you have low visibility, you're far more likely to experience a breach. We also go into a lot more detail talking about, you know, the lower your visibility is, the riskier things such as open source software become, uh, unsupported software, legacy systems, the riskier that becomes. So, the higher your visibility, the more you know what's going on inside of your software supply chain, the better off you are. That also translates to you then, as the owner of that software supply chain, you have to go out and work with your third party providers and say, what are your security protocols?
What? What are your security credentials? You can't just say, oh, this is a trusted third party provider that we've been working with, and of course their software is secure. You never know where a vulnerability may exist, so you have to know your vulnerabilities. You have to be able to understand where those vulnerabilities live inside of that software that you're bringing in to run your business.
[00:13:04] Sean Martin: Yeah. Visibility patches have been a thing forever, right? Vis-, visibility and awareness of what the weaknesses are. It doesn't mean you're going to close all those holes and plug all those gaps and, and patch all those vulnerabilities. It, it could also mean that you mitigate around or find other mitigating controls in, in ways to reduce that risk.
Um, either change a partner or change how they connect or change the types of data, amounts of data. And I'm, as I'm talking about this, I'm thinking I, uh, within the business. So a lot of what we talk about in ITSPmagazine is security, obviously with technology underneath it all, um, which says CSO and CTO or CIO, um, but who owns supply chain visibility and security?
'cause I, I think the report, the report found something that I, a role that I didn't even mention yet as the, the highest awareness of this problem.
[00:14:10] Theresa Lanowitz: Yeah, so let's start there. That's actually a very intriguing point that you bring up because I was really surprised when the data came back as well. The CEO has the best visibility and understanding of the software supply chain and the risk that it brings, and you kind of have to scratch your head and say, why in the world would the CEO be far more attuned to what's going on with the software supply chain? Far more so than the CIO who manages the business of software inside of an organization. Far more so than other C-level executives inside of an organization. The CEO has the greatest awareness of the risk of the software supply chain, and if you look at the role of the CEO, the CEO has a broader view into the overall risk that is going on inside of the organization. Because many of the things that you just mentioned, Sean, such as being able to mitigate around some of the vulnerabilities that may exist in source code or being able to change the way data structures are used or how data's stored, that sort of thing. Those come down to technical aspects and there are other risk factors involved, uh, in, in a business aside from its software.
So the CEO has really great broad understanding of what's going on with risk. What is the risk appetite? What can they afford to say, you know, if something happens, here's what it's going to do to our brand reputation, to our stock price, to the way our shareholders perceive us. That sort of thing. So the CEO is, is a player, I don't think anybody would've expected to say who has the best visibility of the software supply chain? It's, it's the CEO. Not saying that the CEO is sitting there saying, okay, I know this piece of software came from open source. I know this was AI generated, but the CEO understands the implication of the risk of the software supply chain.
[00:16:10] Marco Ciappelli: I'm gonna make a point here because I, I always think about cybersecurity as a culture and not, not a code, right? It's, it kinda makes me think because of this large overview, the repercussion on the brand, the repercussion with the partners and, and the customers. I think we, we just go there like the understanding of the complexity of what you have in front.
It gives you that kind of different approach to how you look at things, and you don't need to know what is in the code, but you do know that that's a risky behavior.
[00:16:46] Theresa Lanowitz: Absolutely correct. You don't know. You don't need to know what is in the code from the technical side of things. But from the cultural side of things, you understand where the risky behaviors might be. And you bring up such a great point about cybersecurity being a culture, and this is one of the things that we uncovered in our futures report, our flagship research that we published earlier this year. One of the things we uncovered is that the more organizations, the, the, the organizations that we see that have better alignment between the cybersecurity team and the line of business, they are far less likely to suffer breaches. They're able to budget earlier in a cycle of a new project for cybersecurity because they're building cybersecurity in at the beginning. And this is one of the things that we're seeing. Organizations, especially in financial services, call for saying you need to build security in from the beginning, it's not an afterthought. You can't wait until you suffer a breach to start to think about cybersecurity. So the more you're aligned, the more the cybersecurity team is aligned with a line of business, the better communication the cybersecurity team has and understands the critical few objectives of the business every year.
They know what the business is prioritizing. Whereas if the cybersecurity team is not aligned with the line of business, the cybersecurity team may say, well, you know, let's think about implementing these controls this year. Or let's think about, you know, cleaning up some practices maybe over in this other area and there's no alignment with the line of business and also where the innovation is occurring. So aligning with the line of business is one of the things that we see is extremely critical and to have that cybersecurity culture built throughout the organization. One of the things we learned in our futures report research is that organizations who say all leadership roles have a cybersecurity responsibility with attached KPIs and metrics. That doesn't matter if you are in the finance team, the HR team, on the product side, on the marketing side, you have a responsibility for cybersecurity within your domain and the types of organizations who say, yes, we can actually assign some metrics to that and make sure that everybody understands they're responsible for cybersecurity.
Goes back to your point, Marco, of the culture of cybersecurity coming into an organization. So that plays out exceptionally well.
[00:19:15] Sean Martin: I, I'm gonna throw you a doozy here, Theresa, because that's what I like to do. Um, so I'm, I'm gonna connect the, the, the point on, uh, everything is, it's an API economy. Um, there's a lot of open source, and even if you think you're using a trusted third party, chances are they're using API services and open source as well.
So it, it continues down the chain. Um, and, I think when I look back over time, the build, buy, partner, um, decision has gone from big monolithic projects down to we need this feature or we need this small agent, or we need this, this, uh, webpage that has this functionality on it now. And each of those is now a build, buy, partner.
Can we, can we find a piece of software? Can we leverage an API, can we use, reuse some other code that we have? Do we just grab something from GitHub? And, and I think when organizations are building these things, the, the ones with more resources perhaps take more time to find more secure options, more resilient options, if I wanna say that.
And maybe some other, other organizations, perhaps even another region, because I think the report speaks to, um, uh, where was it? The APAC and Latin America regions perhaps, um, build software differently and therefore use more open source and other services to build the solutions that they're, that they're pulling together.
So I guess the, the, with all that said, the question to you is how does a maturity or size of an organization, if you have any insights into that, change the way they look at this problem, change the way that they tackle mitigating some of this risk.
[00:20:57] Theresa Lanowitz: Really, really interesting point because what you started to really kind of go down the path of there is, we're not just talking about third party, we're talking about fourth party or the nth party. So as you said, I'm working with a trusted provider that I've been working with for years, but they're also going out and getting some of their source code through open source repositories, or maybe they're contracting with somebody else to write some snippets of code, that sort of thing. So it's not just third party, it goes to the fourth party, fifth party, and so on, all the way down the supply chain. So looking at that nth party. What we also found out looking at regional differences, and this is highlighted exceptionally well inside of our research, we broke the regions out by North America, Europe, Latin America, and APAC. And what we found is that across the world, and this is one of the things that's quite shocking, is that across the world, software supply chain has very low visibility. So it's something that every region of the world can actually take advantage of and say, we need to be better on the software supply chain.
We need to really start working with our third party suppliers, understanding what's in our source code, that sort of thing. And then what we also found out is that across the world, all, a, a, across the world, globally, people were saying, yes, we're, it's highly likely that we're going to have an attack on our software supply chain. And then they say, yes, we're investing in it. But the thing that really struck me as odd is they say, you know, we have low visibility. We know we're likely to be attacked through our software supply chain. We're investing in software supply chain security. However, we're not working with our third party suppliers. And that just strikes me as odd in terms of they're saying, yes, we're going to invest in it, but we haven't really begun to examine the security credentials of our third party suppliers and their suppliers throughout that whole software supply chain. And that's a global phenomenon and there are some regions that are doing a little bit better, but across the board that's kind of the story that plays out with the data that we collected around this whole idea of the software supply chain and, and the readiness across different regions of the world.
[00:23:15] Marco Ciappelli: Is there a, a financial reason why they are not moving in that direction? Even if they do know that that's one of the reasons why they get breached and cybersecurity risk.
[00:23:29] Theresa Lanowitz: I think one of the things that we see is, so they know that their visibility is low. And you know, you all, you both come from a development background. You know, the idea of building software is tremendously difficult. And so the software developers are saying, yes, we know we have to do better on this. The people that own the software are saying, we know we have to do better on this. It just hasn't really been a priority. So what we see happening now is we have this perfect moment because the C, the CEO, the top person in the organization has awareness of the criticality of the software supply chain. And what we're also seeing is that we've seen recent cyber adversarial gangs really executing against the software supply chain, getting into organizations through social engineering tactics, and then attacking the software supply chain. We've seen a lot of attacks like that in 2025. So there's this perfect moment now for organizations to really rally around this need to secure the software supply chain because the CEO is saying, yes, I understand this as a risk, and we see these attacks coming. So to be proactive and to be able to defend your organization against software supply chain attacks, the investment is happening. You know, around the world people are saying, yes, the investment is happening, but they haven't necessarily figured out the right way to go out. And this is at a large scale, they haven't necessarily figured out the right way to go out and figure out through their third party suppliers and their fourth party suppliers and so on, what the software credentials are, how organizations are really making sure that inside their own organization, those third party suppliers are building with a security first mindset.
And this is the opportunity that's out there for, for companies of every type right now.
[00:25:23] Marco Ciappelli: And I may be wrong, but I'm thinking also technology is probably helping more, AI, uh, data in general and, and information sharing. 'cause if you, if one company looks into one supplier, then, and there is information sharing, that supplier is kind of vetted for other companies as well. So it's almost like it needs to reach that tipping point that maybe that's why now you say it's the right time to, to do it.
[00:25:52] Theresa Lanowitz: Yes, it's, it's the ability to be able to assign confidence to that particular supplier, but also some of the technology that organizations are investing in. When they say they wanna do better in the software supply chain, they're looking at more, um, threat detection and response. They're looking at exposure management, making sure that they're understanding where their vulnerabilities are in their source code. So that comes back to this idea of good software engineering practices, and I think one of the things we've seen over the past decade, decade and a half, is that we have defined speed to market being the quintessential event that we have to create every time we have new software coming out. Speed to market.
Speed to market, because we can always go back and fix it. It's software. But now because the adversaries are so determined, we're saying, you know, we need to lead with a security first mindset. So I think we're, you know, as I said, we're kind of at this, this perfect point right now where the CEOs are exceptionally aware of this. The software tooling is so good. Um, third party suppliers are willing to work with, with the, the customers that they have. And there's, there, there's a lot more in terms of, you know, popular APIs that organizations are running. Um, so those companies that are selling the APIs, that are providing the APIs that are common, they have a higher standard I think that they're going to be held to as well.
[00:27:24] Sean Martin: So the, the CEO's aware. There's some investment, I guess, suggesting that CIOs and CISOs are trying to figure out how to answer the CEO's questions around this and, and, and in there there's some gap, right? We know there's risk. We, we need to figure out how to define, describe it and quantify it for the CEO.
And I think that there may be a few gaps you might wanna highlight and also perhaps now's a good time to point out that you, you, in the report, you offer some guidance, uh, for, for how to take some steps to, to tackle this problem. I
[00:28:03] Theresa Lanowitz: Right. We
[00:28:03] Sean Martin: that you wanna highlight there, but, or I'll just leave it open for you to maybe kind of share some thoughts on how to, how to achieve what the C is asking.
[00:28:13] Theresa Lanowitz: That is a perfect segue into how we really recommend, at the end of our research, that your software supply chain becomes more secure and that you have more visibility into it. So take advantage, and this is for the cybersecurity teams out there, the software development teams out there: take advantage of the fact that the CEO understands the state of the software supply chain, understands that the software supply chain is a risk.
So that's number one: take advantage of the fact that the CEO understands this. Number two is know where your vulnerabilities are. Software is never going to be perfect. We know the vulnerabilities are going to continue to exist, defects in software are going to continue to exist, but know where those vulnerabilities [00:29:00] are and attach those to risks so you can understand which vulnerabilities you need to remediate right away versus which you can say, we can work around those.

And then the third thing is really invest in these new, modern types of technology: threat detection and response, exposure management. Make sure that you have those technologies within your toolkit to be able to use effectively. And if you can't do those things yourself, work with a managed security service provider to do managed threat detection and response, manage your exposures, and understand where your vulnerabilities exist through this technology.

And then the fourth thing is to really work with those third-party suppliers that you're using. Make sure you're requesting verification and validation of the security credentials that they're using inside of their own software development. Understand where they're getting their source code from. Are they [00:30:00] developing everything on their own, or are they going out and using yet again a third party, which becomes a fourth party to you? So those four things will really help you manage that software supply chain a little bit more effectively, give you some better insight, some better exposure to what's going on inside of your software supply chain, and deliver better business outcomes.
[00:30:23] Sean Martin: On that last point, Theresa, on the business outcomes, because I'm sure the team at LevelBlue is having conversations with many CEOs across many different sectors and many parts of the world. Is there a story perhaps you can share where an organization really took charge and got a handle on this scenario of supply chain risk management and security, and...
[00:30:50] Theresa Lanowitz: Yeah. The supply chain feeds into everything you do. And as I mentioned at the beginning, LevelBlue, we provide managed security services, [00:31:00] consulting services, as well as threat intelligence. And I can't name names, but we did have one of our clients who, they were super smart cybersecurity people, and they kept saying to their leadership, to their C-suite, we need to do a little bit better.
We're only two people. We're running everything. What happens if one of us is gone? What happens on the weekends? We need to make sure that our business is really much better protected. We're running all these different pieces of software. An adversary can come in any way they may. And sure enough, the C-suite said, you guys are doing a tremendous job, it's not in the budget right now, just keep on doing what you're doing, we've been safe so far. And sure enough, it was a long holiday weekend, and the two people who ran the cybersecurity team were out for the long weekend. They [00:32:00] went home on a Friday night. Everything was secure. Their network was only being guarded Monday through Friday, nine to five or eight to five, when they were there. Weekends, after hours, it wasn't being guarded. And the adversaries know this. The adversaries are also looking for any type of hole that they can come in through: known vulnerabilities that exist in open source software, commercial off-the-shelf software. The cyber adversary is looking for a way in to be able to live inside of your network, move laterally, take whatever they want.

So they come in after being gone for a long weekend. They were off Saturday, Sunday, Monday. They come in on Tuesday morning, and sure enough, they find out that they have been a victim of ransomware. So at that point, cybersecurity moved from being a technical issue to being a business requirement, and they were able to then say, hey, we can bring in a managed security service company to help us manage and monitor [00:33:00] 24/7/365. We're never going to have any downtime when there's not somebody managing and monitoring what's going on.
When there is some activity, when it looks as though some sort of adversary may be coming in to attack us, we're going to know, because we're using LevelBlue to manage this 24/7/365. And it's unfortunate that in many cases an incident such as that has to happen. But that goes back to the point that Marco made earlier, that cybersecurity is a culture.
Cybersecurity is a business requirement. It's not a technical problem. It's a business requirement that everybody has to be a part of.
[00:33:42] Marco Ciappelli: And I want to add to that, as my closing point, that maybe it's also a societal wake-up call, because as it goes from technical to the business, it also goes to society. I mean, we're looking at infrastructure, we're looking at medical, [00:34:00] the pandemic, if we want to go there. We look at the food, the T-shirt that Sean was wearing that, you know, normal shouldn't be wearing. But again, if you know where it comes from, then it can help prevent problems, not just in cybersecurity. So maybe on this we can lead to a different culture at a societal level, as we are interacting with every part of the world. And there are no borders anymore when it comes to this kind of thing.
[00:34:31] Theresa Lanowitz: Right. And you talk about ingredients. You talk about the ingredients of Sean's T-shirt, you talk about the ingredients of food. This is why the SBOM, the software bill of materials, is so critically important: for organizations to understand that codified list or inventory of every piece of software, all the artifacts that you are using to make up that application or that system that you're building.
[00:34:55] Sean Martin: Yeah, and I'm inspired that the CEO [00:35:00] has an understanding here of a very, very technical element that clearly they recognize has a direct impact on the operational and business element. So I'm...
[00:35:09] Theresa Lanowitz: And you're right, it's a technical element, but it is a business element. It's business critical.
[00:35:14] Sean Martin: Yep. Absolutely. Well, Theresa, it's always a fantastic chat with you, always insightful, and a lot of good advice here for organizations. I encourage everybody to read the Data Accelerator software supply chain and cybersecurity report, part of the larger Futures Report series that LevelBlue puts together every year. We've had conversations about other sectors and other bits and pieces of the report, as well as the full report. And I appreciate you sharing these stories with us. And Theresa, it's always good. Thank you so much.
[00:35:49] Theresa Lanowitz: Thanks so much, Sean. Thanks, Marco.
[00:35:51] Marco Ciappelli: Thank you.
[00:35:52] Sean Martin: And everybody, do stay tuned for more brand stories here, and be sure to connect with Theresa and the LevelBlue [00:36:00] team. We'll include links to the Data and AI Accelerator report we spoke about today and the LevelBlue Futures Report as well. And of course, you can check out the directory for LevelBlue on ITSPmagazine for more conversations and more assets and resources, and we'll see everybody on the next one.