
Article Summary: In this episode of TechTakeByBill, we examine how attackers can compromise your organization without targeting it directly—by turning trusted software, vendors, developers, and automated updates into the attack path. The article continues with the tradition of the “TechTake’Sale’ByBill” perspective, showing technology leaders how to build internal consensus for stronger security without overplaying the risk, exhausting their political capital, or falling into the feature trap. It explains how to use business-impact questions, stakeholder mapping, and executive-level framing to move an organization from awareness to action.
TechTakeByBill: Every professional is in sales.
A Note From Bill: I help executives understand cybersecurity, cloud, and AI in business terms—and, just as importantly, how to build internal support for action. Each article ends with a practical selling perspective shaped by 30-plus years in enterprise technology sales.
If a topic resonates with you, or if your organization is wrestling with how to turn cybersecurity, cloud, or AI strategy into executive alignment and business action, I’d welcome the conversation. You can reach me directly at Bill.Thomas@BespinGlobal.com
- Feel free to read below or,
- Listen to the PodCast version
- Find all my previous articles at www.Bill-Thomas.info
# # #
A FAST-MOVING EXECUTIVE READ
Read straight through for the full argument, scan the FACTOID callouts for essential definitions, or jump to ASK YOUR TEAM for five questions worth bringing into your next leadership meeting.
Article Start: Your company can be breached by software it approved, purchased and trusted—even if no attacker ever targeted your organization directly.
That is what makes software supply-chain attacks so dangerous.
Attackers do not always need to break through your defenses. Sometimes it is easier to compromise a developer, steal a publishing credential or manipulate an automated software-release process.
The malicious code then moves through the same trusted systems your company already uses.
No suspicious attachment. | No obviously malicious website. | No front door attack.
The threat may arrive looking exactly like a normal software update.
FACTOID | WHAT IS THE SOFTWARE SUPPLY CHAIN?
Modern applications are rarely built entirely by one company. They are assembled from open-source libraries, cloud services, plug-ins, APIs, development tools and automated delivery platforms. The software supply chain includes the code, people, systems and processes used to build, test, update and distribute that software.
When Trust Becomes the Attack Path
Recent attacks have shown how effectively criminals can turn trusted software into a delivery mechanism.
Attackers have compromised developer accounts, modified legitimate software packages and published malicious versions through channels that users and automated systems were already conditioned to trust.
In some cases, the objective was to steal cloud credentials, publishing tokens and other valuable access from development environments.
That creates the possibility of a chain reaction.
Compromise one developer. Poison one package. Steal one set of credentials.
Then use that access to compromise another project, customer or cloud environment.
The attacker does not need to breach every victim individually. The software supply chain can distribute the attack for them.
We celebrate automation because it removes friction. Attackers value it for exactly the same reason.
These are not simply stories about bad code. They are stories about trust being used as the attack path.
The Trust You Approve—and the Trust You Never See
When your company purchases software, it evaluates the vendor named on the agreement. But that vendor has its own network of trust.
It trusts its developers and contractors. Its developers trust open-source libraries, coding tools and package repositories. Its engineering teams trust build systems, cloud platforms and automated release processes.
Your organization inherits those relationships the moment it installs the finished product.
You are not trusting only the vendor. You are also trusting the people allowed to change the software, the outside components embedded inside it, the systems used to build it and the credentials used to authorize its release.
Most of those relationships remain invisible until one of them fails.
This is not an argument against open-source software, cloud services or third-party applications. Modern business could not operate without them.
It is an argument against pretending that trust stops with the company whose logo appears on the contract. It does not.
Why the Annual Vendor Review Falls Short
Most mature companies already conduct vendor-risk reviews. They distribute questionnaires, request audit reports and review certifications. Those activities still matter.
But they can also create a dangerous sense of completion.
A questionnaire completed six months ago cannot tell you whether a developer’s credentials were stolen yesterday. An audit may confirm that a vendor has good security policies. It cannot prove that the software delivered this morning has not been manipulated.
A recognized vendor can still be compromised. A legitimate package can still receive a malicious update. A digitally signed release can still be published using stolen credentials.
- The TRADITIONAL VENDOR REVIEW Question - Is this supplier generally capable of operating securely?
- The SOFTWARE SUPPLY-CHAIN SECURITY Question - Can we verify that the software being delivered remains trustworthy today?
That is the gap business leaders need to understand.
FACTOID | WHAT AN SBOM CAN—AND CANNOT—TELL YOU
A Software Bill of Materials, or SBOM, is an inventory of the components used inside an application. It can help determine whether an organization uses a newly vulnerable or compromised component. But it is not proof that software is safe. It tells you what is inside—not whether a legitimate component has been altered or a trusted update has become malicious.
ASK YOUR TEAM
Five questions for your next leadership meeting
1. Which applications could materially disrupt the business?
Start with identity, financial systems, customer data, production operations and security platforms. If one compromised update could interrupt revenue, expose regulated information or disable a critical process, that software belongs at the top of the list.
2. Do we know what those applications depend on?
Knowing the vendor is not enough. When a widely used component is compromised, the company should not need days to determine whether it is exposed. If the answer cannot be found quickly, the organization does not have visibility. It has hope.
3. Who—or what—can change and publish the software?
The answer may include developers, contractors, automated accounts, build systems and release platforms. Those identities and processes can be as powerful as production administrators and should receive the same protection and monitoring.
4. Can we pause, test or reverse a trusted update?
Trusting the source should not mean deploying blindly. A mature organization should be able to move quickly while still testing, staging, monitoring and, when necessary, reversing critical updates.
5. How quickly can we identify and contain exposure?
When a supplier announces a compromise, leadership should expect fast answers: Are we using it? Where is it installed? What can it access? Can we isolate it? Who has authority to act?
The Real Test of Trust
The old standard was straightforward: choose a reputable vendor, review its controls and trust the software it delivers. That standard is no longer enough.
The better question is not, “Do we trust this vendor?” It is, “Can we recognize the moment that trust stops being deserved?”
That is the standard business leaders should demand from their security, technology and procurement teams.
The next major breach may not begin with someone selecting your company as the target. It may begin upstream, inside a package, platform or update your organization has already approved.
And by the time it reaches you, it may not look like an attack. It may look like trust.
The “TechTake’Sale’ByBill” Section of This Article
The Trust Equation: Building Internal Consensus Without Burning Your Political Capital
The most dangerous vulnerability in a software supply chain isn’t just bad code—it is the invisible, unverified trust we place in a web of vendors and sub-vendors. However, for the IT leader, there is an equally dangerous internal risk: the depletion of political capital. In my years experience, I have found that in major organizational decisions, management weighs the Cost of the Solution against the Seriousness of the Problem. If you misguide your organization by over-promising a "magic bullet" or failing to build a rational business case, you create a "credibility gap" that can take years to repair.
Building Consensus: The Power of the "Sad" Questions
To build consensus among your peers, you must shift from being a "teller" of technical features to a "seeker" of business implications. Peers in Finance or Operations often see new security protocols as a "hassle" that creates friction. To move them, you must use Implication Questions—the "sad" questions—to help them see the consequences of the status quo.
Instead of telling them we are at risk, ask: "If a compromised update from our most trusted financial software disables our billing system for 48 hours, what is the impact on our quarterly revenue?". When your peers articulate the pain themselves, you aren't "selling" them; you are problem-solving with them.
Management Strategy: Trading "Innovation" for "Safety"
When you move the conversation to the C-suite, the decision criteria shift. My familiarity in recessive or uncertain environments show that decision-makers prioritize safety over price or innovation. To win management approval for supply chain security, you must frame the concept not as a "new tool," but as a mechanism to protect the organization's reputation and stability.
- Avoid the "Feature Trap": Management does not want to hear about the technicalities of a Software Bill of Materials (SBOM). They want to know if they can recognize the moment trust stops being deserved.
- Establish the Focus of Power: Identification of the real decision-maker is often a "search for a needle in a haystack". Use your peers at the Focus of Dissatisfaction—those most affected by potential downtime—to help you reach those at the Focus of Power.
The "Zipper" Approach to Long-Term Influence
Successful internal selling requires Intimacy, which I define as being an "insider" rather than an "outsider". To achieve this, use a "zipper" or "player mapping" strategy: map your team members against their functional counterparts in other departments. This ensures that the "value" of your security concept is recognized at every level of the organization, rather than resting on a single, fragile relationship.
