How to Stop Inheriting Risk from Your Supply Chain

In its recent open letter to suppliers, JPMorgan Chase CISO Patrick Opet didn’t mince words: the era of shared cyber risk has arrived, and responsibility isn’t just centralized; it’s collective. If you’re part of a supply chain, you are part of the attack surface.

This shift is overdue.

As global enterprises increasingly lean on vendors, cloud platforms, and third-party code to drive transformation, the unintended consequence has been a blurring of digital perimeters. The “extended enterprise” model, efficient, scalable, and agile as it is, has made organizations more porous and vulnerable than ever before.

And attackers know it. Software supply chains have become a prime target not just for data theft, but for systemic disruption.

The Risk Has Changed. Have Our Controls?

Many organizations still approach third-party risk with outdated tools and assumptions:

  • Firewalls and endpoint protections can meaningfully defend against vendor-originated breaches.
  • Questionnaires and periodic audits are enough to evaluate supplier risk posture.
  • Segmentation within shared environments is functionally equivalent to true isolation.

These are comforting illusions, but illusions nonetheless.

What the letter underscores is not just a need for better hygiene, but for fundamentally different architecture: architecture that doesn’t just restrict access but assumes compromise, contains it, and preserves operational integrity even when components fail.

This isn’t just a compliance issue. It’s an existential one.

Isolation as a Strategic Imperative

The best way to mitigate supplier risk may not be to harden every link; it’s to de-risk the chain entirely. Increasingly, forward-leaning organizations are rethinking the principle of proximity when it comes to third-party interaction. Do vendors need to be connected to core systems to be effective? Do code evaluations require shared infrastructure? Does productivity demand exposure?

What if, instead, all high-stakes work activities, like supplier onboarding, software testing, and shared development, happened in isolated environments, completely detached from your networks and data?

Not simulated, not segmented, but isolated in the cloud. Ephemeral, auditable, and surgically permissioned.

That’s the emerging model many cybersecurity leaders are beginning to explore. It’s not just “Zero Trust” in access, but zero assumption in infrastructure: an operating model where isolation isn’t the exception for high-risk activity, but the norm.

Security That Moves at the Speed of Business

This isn’t a call for lockdowns or friction. In fact, isolation, done right, can accelerate innovation:

  • M&A integrations no longer wait months for IT readiness.
  • Fraud analysts don’t need burner devices or shadow IT workarounds.
  • Developers can test third-party libraries in production-like conditions without production risk.

Isolation doesn’t slow teams down. It just draws the right boundary lines around where risk is allowed to exist, and where it’s not.

What Comes Next

The letter should be read not just as a set of expectations for suppliers, but as a preview of what enterprise resilience will require moving forward.

The organizations that thrive in this landscape will be those that design for failure, assume compromise, and still deliver with speed and confidence. They’ll embrace architectures that don’t just mitigate risk but eliminate whole categories of it through structural change.

It’s time to stop managing around risk, and start architecting it out.

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers’ work online.