JPMorgan has raised the alarm on the growing threat posed by modern software integration models. The global finance corporation released an open letter to its technology suppliers as a call for them to modernize their security or risk being cut off. It’s a bold, necessary move in an era where one weak link can unravel an entire organization's cyber defenses.

Security architecture must be modernized to keep pace with growing threats and ensure organizations can continue to operate safely. However, as we well know, visibility is the bedrock of any resilient security strategy. Without full, real-time insight into all assets, especially those brought in by third-party suppliers, organizations are effectively flying blind. Recent high-profile breaches in the retail sector have shown us that even the most sophisticated enterprises are vulnerable when blind spots exist in their supply chains.

So while the open letter places a lot of emphasis on third parties and their role in supply chain security, it shouldn't divert responsibility away from businesses themselves. Organizations must take ownership and enforce compliance and security standards across their supplier ecosystem. When disaster strikes, it doesn't matter where the fault lies; it's only the victim who suffers.

Third-party risk is first-party responsibility

Expecting every supplier to meet high security standards is only part of the equation. Businesses can't enforce what they can't see, and right now, many don't have real-time visibility into their own assets, let alone those of their partners.

The problem is, too many are still burying their heads in the sand. Many senior executives cling to the dangerous assumption that "the IT team has it covered" or that cyber insurance will magically fix everything after an attack. History is plagued by organizations who underinvested, or perhaps more accurately mis-invested, in cyber resilience and failed to properly understand the risk until they were dealing with a full-blown crisis.

Attacks on retail giants like Target and, more recently, M&S and the Co-op have shown us what happens when third-party risk is underestimated. These aren't startups with immature IT; they're household names with serious resources. And still, the breach came through third-party access points.

Some businesses are genuinely overwhelmed by the technical complexity and competing priorities, but others have simply been lulled into complacency by years of dodging cybersecurity incidents through sheer luck rather than good management.

But it's not always deliberate ignorance. It often comes down to decision paralysis, where leaders are confronted with an intimidating wall of threats and solutions and simply don't know where to begin. This is often combined with a reluctance to spend money when they themselves haven't experienced an attack. The easiest approach therefore ends up being to delay making a decision. However, this inaction just allows security gaps to grow larger by the day as attackers refine their methods.

The unfortunate reality is that many businesses only develop robust cybersecurity practices after suffering a significant breach, when the damage is already done.

Boosting cyber resilience is not about adding more tools to an already extensive tech stack; it’s about ensuring that every part of that stack functions cohesively. Collectively, we need less complexity, more clarity and above all, the ability to continuously control. That’s how to build security that lasts.

At a minimum, cybersecurity should be treated like safety or finance at board level: as something that is supported by automation and continuously monitored and managed. And it starts with visibility. Full, continuous visibility across the entire tech stack, including third-party integrations, is the only way to manage modern threat paths. It's not enough to trust a supplier's word. You need evidence, you need monitoring, and you need to know the moment something changes.

Regulatory compliance also places huge importance on third-party risk, which should be a strong indicator that organizations need to take proactive steps to ensure that their third parties are secure. The Digital Operational Resilience Act (DORA), the Financial Conduct Authority (FCA), ISO 27001 and NIS 2 all mandate that third-party risk is now a core compliance requirement.

So, while the knee-jerk response to JPMorgan's letter might be to bolt on yet another tool, more tech isn't always the answer. In reality, it often just adds complexity, which works against businesses looking for greater cyber resilience.

Take ownership of your security

Managing third-party risk isn't something businesses can shift to their suppliers. Instead, the board must listen to their cyber teams, who are crying out for the right systems and support. Only then can they take control and ensure they have the ability to monitor systems continuously, align security frameworks and surface evidence of compliance and risk in real time. That's where the future of cybersecurity lies, and it will help them prepare for whatever new threats emerge.

If you're still relying on supplier questionnaires and periodic audits to manage third-party risk, you're already behind. Working with third parties is a two-way street and requires ongoing collaboration. Businesses are just as responsible for their own security, and must proactively hold partners accountable for their end. JPMorgan's letter is a wake-up call, but the response shouldn't be panic. It should be clarity and control.
