R06 — Supply Chain Compromise
Detection-heavy because supply-chain attacks bypass prevention.
What is Supply Chain Compromise?
In CISO Game, Supply Chain Compromise is modeled as a detection-heavy risk, because supply-chain attacks bypass prevention. It is tracked as R06 in the live risk register, severity 9 (Catastrophic), category External.
How does CISO Game model Supply Chain Compromise?
Exposure for R06 runs from 0 to 100, recomputed live as you buy, cancel, or reassign products. How the exposure model works →
Real-world parallel
Supply chain compromise (SolarWinds, Kaseya, MOVEit, 3CX, XZ Utils) is the risk category that most directly tests a program's maturity. There's no single product that fixes it — it requires SBOM discipline, vendor security attestation review, build-system integrity controls, and the willingness to remove software whose vendor isn't transparent about its own SDLC. Mitigated only modestly by tooling; mostly mitigated by procurement + governance discipline.
How do security teams mitigate Supply Chain Compromise?
The dominant subscore levers for this risk are:
- Detection subscore — weight 35%
- Prevention subscore — weight 30%
- Response subscore — weight 20%
- Recovery subscore — weight 15%
Residual offset: +15 exposure points are structural — no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.
Which investments mitigate Supply Chain Compromise?
Products in CISO Game that reduce exposure to R06:
- Open-Source SIEM (self-hosted) · SIEM
- Commercial SIEM (mid-market) · SIEM
- Enterprise SIEM (heavy/full-featured) · SIEM
- Network Detection & Response (NDR) · Network
- SCA (dependency scanning) · AppSec
- Hire Senior Analyst · Headcount
- Hire Detection Engineer · Headcount
- MSSP — managed 24/7 · Services
Which related risks should you also watch?
Risks with similar dominant subscores or shared category — addressing one often helps the others:
- R07 Zero-Day Exploitation · External · severity 9
- R44 OSS Maintainer Takeover / Hostile Fork · External · severity 9
- R09 Insider Threat · Insider · severity 8
- R11 Lateral Movement · Insider · severity 8
Why does Supply Chain Compromise matter to a CISO?
External adversarial risks like supply chain compromise are the risks boards expect their CISO to talk about. They drive the strongest demand for detection + response capability and the strongest emotional response in the boardroom.
How can you test your mitigation strategy?
Click Play CISO Game free to see R06 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.
Stress-test Supply Chain Compromise in the Standard run scenario →