
Strongest link: Operational resilience and your supply chain

Peter Stojanovic
Operational resilience and your supply chain
From geopolitical tension to hidden third-party dependencies, operational resilience is being redefined.
Operational resilience is no longer just about IT uptime. In 2025, organisations face growing threats from cyberattacks, supply chain disruptions, and geopolitical instability, all of which expose new vulnerabilities across global vendor networks. In this environment, supply chains have emerged as both an operational lifeline and a strategic vulnerability.
In a recent Food for Thought breakfast, in partnership with Risk Ledger, senior technology and security leaders from across industries—insurance, media, transport, banking, and beyond—gathered to explore the growing convergence between cyber resilience, regulatory pressure, supply chain exposure, and reputation risk. What emerged was a powerful narrative: that resilience must be reframed, not as a function of IT, but as a shared responsibility across the business, which the IT function can and should prioritise as a first amongst equals.
Operational resilience: Overview
- Third- and fourth-party risk: What you can't see can hurt you
- The rise of geopolitical supply chain threats
- How collaboration improves supply chain security
- Closing thoughts
Third- and fourth-party risk: What you can’t see can hurt you
Digital ecosystems are now defined by interdependence. Almost every organisation today relies on an extended mesh of SaaS platforms, outsourced development, global logistics, and data services. And while these relationships bring speed and scale, they also diffuse control.
As one CIO put it, “We don’t just outsource IT—we outsource resilience.”
The discussion highlighted that few businesses truly understand the depth of their dependencies. “We were onboarding a vendor that looked completely solid,” shared one executive. “But we didn’t know they used a Spanish sub-processor—when there was a power outage in Spain, our onboarding ground to a halt. That was a fourth-party we hadn’t even mapped.” (Spain, Portugal and parts of France suffered one of the worst disruptions to their electricity supply in decades on 28 April 2025.)
This kind of ‘unknown unknown’ is now standard. A Siemens product, for example, might contain components from a third party in China that were not visible in procurement documentation. “Even if they say they have controls in place, what level of controls?” one participant asked. “And what happens when that supplier quietly swaps a subcomponent between contract signing and delivery?”
Across the room, there was consensus: perfect visibility is not possible—if it ever was—but meaningful prioritisation is. Several leaders described using a risk-based framework to assess suppliers not just on criticality or spend, but on data sensitivity and system access.
“We look at three things,” one CISO shared: “what data they handle, what service they provide, and what connectivity they have to our environment.”
This “triangular lens” enables a smarter response: treating a flower vendor very differently from a payments processor. But the panel also warned that this kind of thinking must be continuously refreshed. “By the time you finish auditing your top-tier suppliers, the list has changed,” one executive quipped. “You’ve got to start again.”
And when the Log4j vulnerability (Log4Shell, CVE-2021-44228) surfaced in December 2021, the importance of that cycle was thrown into sharp relief. “We had to escalate all the way to SAP's executive team to get an answer,” said one participant. “It taught us that your usual sales contact can’t help in an incident—you need direct lines to security people, not account managers.”
The rise of geopolitical supply chain threats
Increasingly, supply chain risk is geopolitical. Several speakers discussed how the country of manufacture, ownership structures, and even board-level affiliations of vendors are becoming central to risk assessment.
“We’re now asking questions like: who really owns this company? Are there sovereign wealth fund links? Where are the chips made? Can you assure me the design hasn’t been tampered with?”
Others warned of national security lessons coming to the private sector. “Supply chain compromise has been a strategic tool for nation states for decades,” said one former government cyber lead. “Now it's the private sector’s problem too.”
This means that resilience planning must go beyond incident response checklists. As many leaders noted, it is about ensuring business continuity despite inevitable breaches.
“If we’re going to assume breach—which we now do—then the next step is ensuring our critical services remain operational. That’s resilience.”
That mindset shift has influenced everything from cyber insurance policies to how board conversations are framed. “I never go in asking for tech [sic] budget,” one CISO shared. “I go in talking about risk. I talk about the business impact, the reputational hit, the client trust—and the board listens.”
Reputation was a recurring theme. “Especially in health insurance, trust is everything. If our name ends up in a headline breach, the damage is exponential.”
How collaboration improves supply chain security
While threat intelligence sharing has matured, largely thanks to ISACs and national bodies such as the NCSC, there remains a stark gap in supply chain collaboration.
“We're all doing the same audits on the same vendors,” one speaker observed. “Why aren’t we pooling that effort?”
Attempts have been made. Banks explored a shared supplier assessment utility years ago. One group tried to make SWIFT a neutral host for shared insights. But those efforts faltered—bogged down by trust issues, competitive anxiety, and governance challenges. There’s cautious optimism today. “If 80 percent of a sector tells a vendor to fix their MFA, they’ll do it,” said one attendee. “One customer can be ignored. A community can’t.”
This candour led into a deeper reflection on people. Burnout, trauma, and emotional fatigue are now core risks in themselves.
“You wouldn't laugh at a neighbour who got burgled,” said one CISO. “But in cyber, we still have this ‘blame the breached’ mindset. It's toxic.”
There were stories of leaders working every weekend for months during cloud migrations, or staying up 72 hours straight during ransomware events. "And still the board says, 'Can I speak to you directly?' even if you've handed off to your deputy, which itself was a pre-agreed procedure."
This is not just unfair—it is unsustainable. Participants called for better shift planning, resilience training, and support for leadership itself. “We invest in our technology teams, but not in our tech leaders. Who’s preparing them to lead through chaos?”
Closing thoughts
The roundtable ended not with alarmism, but with realism and resolve. Here are six key takeaways for HotTopics’ C-suite communities in 2025:
- Treat third-party risk as a board-level concern, not just a procurement function.
- Invest in supply chain visibility—not to eliminate risk, but to understand it.
- Push for collaborative security, both internally and industry-wide.
- Frame resilience in business terms—reputation, regulation, continuity—not just technical controls.
- Support your people. Build plans that prioritise leadership continuity, team wellbeing, and human resilience.
- Lead the culture shift. Security is no longer about locking doors—it’s about building trust and accountability into everything your business does.
As one executive concluded, “The attackers are collaborating. If we don’t, we’ve already lost.”