An Interview with Justin Kuruvilla, Cybersecurity Strategist, Risk Ledger : The 1-2-1

By
Neil Perry
Content Director
Neil Perry is Content Director for Outlook Publishing.

We speak to Justin Kuruvilla, Cybersecurity Strategist at Risk Ledger, about the evolution of cyber threats across global supplier ecosystems, the decreasing significance of third-party risk management, and why continuous visibility, collaboration, and automation are now critical to reducing duplication.

Justin Kuruvilla, Chief Cybersecurity Strategist at Risk Ledger, has had an extensive career in cybersecurity.  

Before joining Risk Ledger, he supported the US government in cybersecurity and worked as Technical Director for cybersecurity operations at the US Department of Defense (DoD), which included a secondment to the UK National Cybersecurity Centre.  

Most recently, Kuruvilla advised senior executives of top global corporations and investment firms on enhancing their management of cyber risk.  

Equipped with extensive experience and expertise, Kuruvilla offers his informed perspective on the importance of cybersecurity across global supply chains.  

Firstly, how have cyber threats developed within supply chains over the last decade?

Justin Kuruvilla, Chief Cybersecurity Strategist (JK): 10 years ago, many organisations focused their cybersecurity efforts on protecting their own perimeter.  

Today, businesses are becoming more dependent on a complex ecosystem of cloud infrastructure, software-as-a-service (SaaS) vendors, and artificial intelligence (AI)-driven solutions that make critical business services increasingly dependent on supply chains that extend to multiple tiers.  

Since successful attacks provide actors with an incredible return on investment, attackers have recognised this shift and the value of targeting the supply chain. 

Exploiting one shared dependency can provide access to numerous victims, whilst taking advantage of trusted relationships within the supply chain can be a more effective route into a well-defended organisation than attacking them directly. 

Why is traditional third-party risk management (TPRM) no longer fit for purpose?

JK: Traditional TPRM is no longer fit for purpose – and the term itself explains why: managing third parties is no longer enough. Organisations’ risk exposure does not stop at the third party; it extends across the entire supply chain ecosystem. 

In a practical sense, rigid, point-in-time spreadsheets lack the ability to help organisations understand the dynamic and constantly evolving risks that exist at the fourth party, fifth party, and beyond. 

A supplier may itself depend on numerous subcontractors and other vendors to deliver their service to clients, making supply chain ecosystems more complex, interconnected, and harder to oversee. 

Currently, very few organisations have visibility beyond their third parties – and that’s a concern. 

When working with a new client, what are the most common mistakes you see people making in this area of cyber defence?

JK: One of the most common mistakes is to assume that simply obtaining completed risk assessments from third parties results in robust security and operational resilience.  

Whilst these assessments can play an important role in an initial analysis of a supplier’s security posture, they rarely provide a view of the risks that exist across the wider supply chain ecosystem. 

This can create blind spots when it comes to operational resilience planning. Too often, organisations fail to properly assess the importance of suppliers further down the supply chain or to understand the role they play in enabling critical business services.  

The suppliers that organisations spend the most money on and with which they have direct contracts might not represent the greatest risk factors.  

In many cases, smaller and less well-known suppliers can be just as critical – if not more so – because of the access they have, services they support, or dependencies they rely on. 

In reality, what does a ‘Defend-as-One’ model look like?

JK: Defend-as-One recognises that no single organisation can gain a complete view of its supply chain risk on its own – every organisation sees a different part of the ecosystem.  

One organisation may understand a supplier’s role in delivering a critical service, another may have visibility into that supplier’s subcontractors, and a third may identify emerging risk indicators.  

When that intelligence remains isolated, everyone operates with an incomplete picture. True visibility comes through collaboration.  

By sharing supply chain intelligence across trusted networks, organisations can build a much fuller picture of the risks they are exposed to and respond to them more effectively.  

That is the core principle behind Defend-as-One: a collective defence model that reflects the complexity of the threat landscape we now operate in. 

“Defend-as-One recognises that no single organisation can gain a complete view of their supply chain risk on its own – every organisation sees a different part of the ecosystem”   

Justin Kuruvilla, Cybersecurity Strategist at Risk Ledger

Visibility is always difficult to maintain through multi-tier supply chains. How do you overcome the cyber risks this poses?

JK: You cannot manage risks you cannot see, so visibility has to come first. But that does not mean trying to map every supplier in the ecosystem. Instead, the priority should be to understand the suppliers and dependencies that support your most important business functions. 

With better visibility, organisations can understand their exposure much faster when incidents do occur; they can quickly understand which critical business services may be affected, assess the potential impact, and respond accordingly.  

This allows organisations to make faster, more confident decisions when time is of the essence. 

How can technology such as that provided by Risk Ledger stay ahead of the bad actors looking for gaps in supply chain cybersecurity?

JK: Bad actors already have a head start when it comes to finding security gaps in organisations’ supply chains. They are constantly looking for weak points across supplier ecosystems and increasingly using tools such as AI to process information faster, identify potential vulnerabilities more easily, and decide where to focus their attacks. 

Technology like Risk Ledger’s helps organisations respond by giving them a much clearer view of the risks across their extended supply chain.  

Its network is built on trusted relationships between organisations and suppliers, helping businesses understand not just who they work with, but how those relationships and dependencies could affect their security and resilience. 

That insight allows organisations to prioritise their efforts where they will have the greatest impact. Rather than treating every supplier risk in the same way, they can focus on the areas that matter most, reduce risk more effectively, and strengthen operational resilience. 

The continuous monitoring element is also critical. Supply chains are constantly evolving, so organisations need to make sure their view of their risk landscape is equally dynamic rather than a point-in-time assessment. 

How is it possible to identify the highest-risk suppliers?

JK: The highest-risk suppliers are not always the ones with the weakest security controls. A mature supplier may still represent a significant risk if it supports a critical business service, is difficult to replace, or sits at the centre of a wider ecosystem. 

This means organisations need to look beyond traditional security assessments. Compliance with a regulation is important, but it only tells part of the story and doesn’t equate with better security.  

To understand real risk, organisations also need to consider how critical a supplier is, how dependent the business is on them, how widely they are used across the ecosystem, and whether there is a realistic alternative if something goes wrong. 

This also means challenging some common assumptions – spend does not always equate to criticality. A high-value contract may be important commercially, but a smaller supplier could be far more critical from an operational resilience perspective if they support a core system, hold sensitive access to data, or provide a service that cannot be quickly replaced.  

The question is not simply “How secure is this supplier?” but, recognising that an incident at a supplier is a matter of when rather than if, what the downstream ramifications would be.

What role does automation play in improving operational resilience?

JK: Automation plays an important role because it allows organisations to identify, analyse, and respond to risk at a scale that manual processes simply cannot match. 

Supply chains are large, complex, and constantly changing, so relying on manual reviews alone makes it difficult to keep pace. 

In that sense, automation acts as a force multiplier. Organisations with limited resources need to focus their time on where it matters most. 

In short, automation makes those limited resources go further, helping security teams identify which risks need to be escalated and discussed with senior leadership and where mitigation should be focused. 

This means senior leaders can make more confident decisions, resources can be directed more effectively, and teams can respond faster as risks change. 

“Automation plays an important role because it allows organisations to identify, analyse, and respond to risk at a scale that manual processes simply cannot match”

Justin Kuruvilla, Cybersecurity Strategist at Risk Ledger

What are the biggest emerging threats facing the security of supply chains?

JK: One of the biggest emerging threats is concentration risk, particularly around cloud and AI technologies. These tools are being adopted quickly and becoming critical to how many organisations deliver key business services. 

The challenge is that these dependencies often sit beyond the immediate third party. An organisation may understand the supplier it works with directly, but not the cloud platform, AI tool, or technology provider the same supplier also depends on.  

If one of those underlying services is disrupted, the impact can spread quickly across multiple organisations in the supply chain. 

What is the future of this kind of technology?

JK: The future is active supply chain security, which means moving away from one-off supplier security assessments and static assurance processes towards a live view of how risk is changing across the ecosystem in real time.  

Supplier relationships shift, new dependencies emerge, and risks can develop quickly, so organisations need technology that can keep pace. 

The aim is to make supply chain security more proactive, collaborative, and continuous.  

Organisations should be able to understand where risk is building, act before issues become incidents, and share intelligence in the same way they already do with cyber threats. 

In the end, this is about giving organisations the visibility and confidence to Defend-as-One.

This article was produced by the editorial team at Supply Chain Outlook and published as part of the Outlook Publishing global network of B2B industry magazines.

