AITech Interview with Theresa Lanowitz, Chief Evangelist at LevelBlue

A strategic perspective on cyber resilience, AI-driven risk, and software supply chain accountability shaping enterprise security decisions.

Theresa, with your extensive background in cybersecurity and your current role at LevelBlue, how has your perspective evolved on what true resilience looks like in the modern enterprise tech environment?

Over the past few years, my perspective on resilience has evolved from focusing primarily on digital transformation to recognizing the need for continuous operational readiness in an increasingly complex threat landscape. The attack surface has expanded dramatically—with more connected devices, distributed environments, and reliance on third parties—making resilience less about a one-time initiative and more about a business imperative. True resilience today means anticipating disruption, rapidly adapting, and maintaining business continuity.

The Data Accelerator highlights a sharp contrast in breach rates between organizations with high and low software supply chain visibility. What’s preventing more organizations from achieving that high level of transparency?

Our research found that only 23% of organizations are confident that they have very high visibility of their software supply chain. The challenge stems from the complexity of today’s development ecosystems. The average software supply chain now contains artifacts from open-source repositories, internally developed code, software developed by third parties, and commercial-off-the-shelf (COTS) software. All of this combines to run a business, and monitoring it all is no small task. Many organizations lack a clear understanding of their software ecosystem, which makes it difficult to assess risks due to a lack of visibility across suppliers and complex third-party development pipelines.

The report shows that C-suite attention on cybersecurity is rising. How is this executive awareness translating into action—or in some cases, failing to?

Executive awareness is definitely increasing, driven by high-profile incidents that show how quickly business operations can grind to a halt when a software supply chain is compromised. In our research, 68% of organizations said media coverage has moved cybersecurity higher on the C-suite agenda. 40% of CEOs now view software supply chain threats as their most significant cybersecurity risk—more than any other C-suite role. This is a positive shift: software risk is no longer siloed in IT but is a business-critical priority tied to revenue, reputation, and compliance.

With CEOs already tuned in, cybersecurity teams secure budgets, align on priorities, and integrate supply chain risk into enterprise risk strategies.

AI adoption is clearly expanding the attack surface. How do you see this intersecting with software supply chain risk in ways that leaders may not be fully accounting for?

AI can amplify existing risks and introduce entirely new ones. We’re already seeing AI used to accelerate malicious activity from generating sophisticated, harder-to-detect code to creating convincing deepfakes for fraud schemes. The recent release of open-source large language models (LLMs) that are cheaper, more efficient, and easier to deploy is a double-edged sword. While they open exciting opportunities for innovation, they also make advanced capabilities accessible to threat actors. This means vulnerabilities can be exploited faster and at a greater scale in the software supply chain. Leaders may not yet fully account for how AI-driven attacks can infiltrate suppliers, manipulate code, or bypass traditional detection methods. As AI tools develop, supply chain defenses need to adapt just as quickly, integrating advanced threat detection and continuous monitoring.

Why is there still such a gap between perceived risk from third-party software and the actual steps companies are taking to engage suppliers on their security posture?

Software supply chains are interconnected ecosystems that create challenges when it comes to cybersecurity. While organizations recognize the dangers that come with open-source and third-party software, only a quarter of organizations say engaging with software suppliers is a priority for the next year. This disconnect often comes down to a lack of visibility across suppliers and complex third-party development pipelines, making it difficult to assess the risks. Organizations struggle to identify key drivers for improving their software supply chain visibility, often due to a lack of awareness of today’s specific threats or a failure to implement solid software lifecycle engineering practices.

The geographical differences in readiness and investment are striking. What lessons can global organizations take from Europe’s higher investment versus its low supplier engagement rate?

European organizations are investing far more in software supply chain security than organizations in the US and APAC. According to our data, 67% are making moderate or significant investments, even though 51% describe themselves as “prepared” for an attack. Lessons other organizations can take are that investment is necessary, and security must be built into the business, not bolted on. Without active collaboration with suppliers, even well-funded organizations leave gaps. The most resilient organizations combine robust internal defenses with clear supplier requirements, regular assessments, and shared accountability for security outcomes. Assigning cybersecurity KPIs across business functions and extending those expectations into supplier contracts can bridge the gap.

Unsupported and legacy software is a recurring concern. What’s your take on why this remains a persistent blind spot, even for mature organizations?

For many businesses, updating legacy software is costly, time-consuming, and operationally disruptive. In many cases, these systems are deeply embedded in business processes, making leaders hesitant to retire them. Even when companies recognize the risk, they often struggle with accountability. Convenience and continuity often win out over security. Traditional patching strategies can’t address the deeper vulnerabilities in unsupported systems. To close this gap, organizations require continuous exposure management and patching as needed. This involves developing a phased migration plan that includes a hierarchy of systems to update and a timeline for each.

Custom code, APIs, and commercial software are flagged as risky by many. What’s the most pragmatic way for organizations to gain insight into these layers without slowing innovation?

Engaging with software suppliers about their security credentials needs to be a priority. Security must extend beyond internal systems. This means requiring transparency from vendors and partners about security practices, use of open-source, and development standards. It also means adopting tools for code scanning, dependency tracking, and API monitoring that run continuously in the background. Cross-functional risk assessments can help identify the most vulnerable areas in your supplier and development pipelines. By embedding security checks into the workflow, organizations can strengthen oversight without slowing down innovation.

From your experience, what separates companies that operationalize insights like those in the Data Accelerator from those that simply read the report and move on?

The difference comes down to action, accountability, and integration. Organizations that operationalize insights don’t just acknowledge the data; they use it to set measurable goals, assign ownership, and align cyber resilience considerations with business decisions at the highest level.

Looking ahead, what role will evangelism and education play in helping business and technical leaders close the visibility gap in their software ecosystems?

Evangelism and education will be critical to narrowing the visibility gap, making risks tangible, connecting them to business outcomes, and fostering a culture where security is a shared responsibility. Over time, sustained education will help leaders move from reactive compliance to proactive cyber resilience, making visibility a competitive advantage rather than a compliance checkbox.

A quote or advice from the author

“In an era of increasing AI disruption and evolving threats from nation-states and cybercriminal groups, the ability to withstand and recover from cyberattacks is directly tied to a clear understanding of an organization’s software ecosystem. Software supply chain risk is not just an IT issue but a business imperative. Organizations that embed cybersecurity KPIs across all business functions experience fewer breaches and stronger recovery.”

Theresa Lanowitz

Chief Evangelist at LevelBlue

Theresa Lanowitz is the Chief Evangelist at LevelBlue, formerly AT&T Cybersecurity. Prior to LevelBlue and AT&T, Theresa was an industry analyst with firms voke and Gartner. At Gartner, Theresa led the app quality ecosystem, championed app security, and created the AppDev conference. As product manager at Borland, she launched the iconic Java IDE, JBuilder. At Sun Microsystems, she led strategic marketing for Jini – a precursor to IoT. Theresa’s career began with McDonnell Douglas, where she was a software developer on the C-17 transport plane and held a US DoD Top Secret security clearance. Theresa holds a Bachelor of Science in Computer Science from the University of Pittsburgh, Pittsburgh, PA.
