When nearly half of senior executives admit they can’t see what’s in their software supply chain, we have a problem. A new global survey of 1,500 C-suite and senior executives reveals that 49% lack the visibility needed to understand their software supply chain risks. More troubling: 80% of those with poor visibility experienced a breach in the past year, compared to just 6% of organizations with high visibility.
The survey, conducted by FT Longitude for managed security services provider LevelBlue, exposes a fundamental disconnect between executive awareness and operational reality. While leaders recognize the threat—40% of CEOs identify software supply chains as their biggest security risk—only 25% plan to prioritize supplier security engagement in the next year.
The Visibility Gap
Software supply chains have become incredibly complex. Modern applications often incorporate hundreds of third-party components, open-source libraries, and dependencies that developers rarely inventory comprehensively. Each component represents a potential attack vector, but organizations struggle to maintain accurate records of what they’re actually using.
The survey shows that only 23% of executives are confident they have high visibility into their software supply chain. This creates a dangerous blind spot where vulnerabilities can hide in plain sight. When the SolarWinds attack compromised thousands of organizations through a single software update, it demonstrated how supply chain blindness translates directly into business risk.
The visibility problem isn’t just about knowing which components exist. Organizations need to understand component versions, licensing terms, known vulnerabilities, update status, and dependency relationships. Without this information, security teams can’t assess risk or respond effectively when new threats emerge.
The CEO-CTO Divide
Interestingly, the survey reveals different risk perceptions across the C-suite. While 40% of CEOs view software supply chains as their top security concern, only 29% of CIOs and 27% of CTOs share this perspective. This disconnect suggests that technical leaders might be underestimating supply chain risks or focusing on other security priorities.
This gap matters because security initiatives need both executive sponsorship and technical implementation. When CEOs see the business risk but CTOs don’t prioritize the technical solution, organizations get stuck in planning cycles without meaningful progress.
The divide might also reflect different time horizons. CEOs thinking about enterprise risk management and compliance requirements naturally focus on supply chain visibility as a fundamental business capability. CTOs dealing with immediate development and deployment pressures might view supply chain tracking as overhead that slows down delivery.
Beyond the Compliance Checkbox
Software Bills of Materials (SBOMs) have emerged as the primary tool for supply chain visibility, but many organizations treat them as compliance artifacts rather than operational tools. Generating an SBOM for regulatory purposes is different from using SBOM data to make security decisions.
The Futurum Group’s separate survey of 110 security leaders found that 30% expect to pilot SBOM initiatives within 24 months. However, the real value comes from operationalizing SBOM data—using it for vulnerability management, license compliance, and risk assessment rather than just regulatory reporting.
Organizations with high supply chain visibility don’t just collect SBOM data; they integrate it into their security workflows. They use automated tools to track component updates, monitor vulnerability feeds, and trigger security reviews when high-risk components are introduced. This operational approach explains why they experience dramatically fewer breaches.
The Analytics Challenge
Collecting supply chain data is only the first step. Organizations need analytics capabilities to turn raw SBOM information into actionable insights. As LevelBlue’s Theresa Lanowitz points out, the challenge becomes acquiring the data analytics capability to perform that transformation.
This analytics gap explains why many SBOM initiatives stall after initial implementation. Organizations generate comprehensive component inventories but lack the tools or processes to act on that information. They know what components they’re using but can’t efficiently answer questions like: “Which applications are affected by this new vulnerability?” or “What’s our exposure to this specific vendor?”
Effective supply chain analytics requires correlation across multiple data sources: SBOMs, vulnerability databases, threat intelligence feeds, and deployment inventories. Organizations need to connect component-level information with application architecture and business impact assessments.
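The two questions above are the kind of correlation that operationalized SBOM data has to answer. The following is an added example, not code from the article, LevelBlue or Futurum; it assumes a minimal CycloneDX-like SBOM subset (components with a Package URL), and every application, component name and advisory id in it is a constructed placeholder.

```python
"""Correlate SBOM inventories with a vulnerability advisory (added example).
All SBOMs, component names and the advisory id below are constructed placeholders."""
from collections import defaultdict
# Constructed SBOMs: a minimal CycloneDX-like subset, one dict per application.
SBOMS = {
    "billing-api": {"components": [
        {"name": "acme-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
        {"name": "widget-parser", "version": "1.3.0",
         "purl": "pkg:maven/com.example/widget-parser@1.3.0"}]},
    "customer-portal": {"components": [
        {"name": "acme-logger", "version": "2.17.1",
         "purl": "pkg:maven/com.example/acme-logger@2.17.1"}]},
    "reporting-job": {"components": [
        {"name": "fastjson-lite", "version": "0.9.2",
         "purl": "pkg:pypi/fastjson-lite@0.9.2"}]},
}
# Constructed advisory: versions in [introduced, fixed) are affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001",
            "package": "pkg:maven/com.example/acme-logger",
            "introduced": "2.0.0", "fixed": "2.17.1"}

def version_key(version):
    """Numeric tuple so '2.10.0' sorts after '2.9.0' (dotted-numeric versions only)."""
    return tuple(int(part) for part in version.split("."))

def component_index(sboms):
    """Invert the SBOMs: version-less purl -> [(application, version), ...]."""
    index = defaultdict(list)
    for app, sbom in sboms.items():
        for comp in sbom["components"]:
            index[comp["purl"].split("@", 1)[0]].append((app, comp["version"]))
    return index

def affected_applications(sboms, advisory):
    """Answer 'which applications are affected by this new vulnerability?'."""
    low, high = version_key(advisory["introduced"]), version_key(advisory["fixed"])
    uses = component_index(sboms).get(advisory["package"], [])
    return sorted((app, ver) for app, ver in uses if low <= version_key(ver) < high)

def vendor_exposure(sboms, namespace):
    """Answer 'what is our exposure to this vendor?' via the purl type/namespace prefix."""
    exposure = defaultdict(set)
    for purl, uses in component_index(sboms).items():
        if purl.startswith(namespace + "/"):
            for app, _ in uses:
                exposure[app].add(purl)
    return {app: sorted(pkgs) for app, pkgs in sorted(exposure.items())}

if __name__ == "__main__":
    print(affected_applications(SBOMS, ADVISORY))  # [('billing-api', '2.14.1')]
    print(vendor_exposure(SBOMS, "pkg:maven/com.example"))
```

The fixed-version boundary is deliberately exclusive, so the application already on the patched release is not flagged; real feeds carry multiple ranges per advisory and non-numeric version schemes, which this index does not handle.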
Shifting Security Ownership
The survey reveals an important trend in security responsibility distribution. Half of respondents report that application development teams now own responsibility for application security, while only 21% rely solely on security budget funding for supply chain initiatives.
This shift toward developer-owned security makes sense given that developers select most third-party components and understand application architecture best. However, it also creates coordination challenges. Security teams lose direct control over supply chain decisions but remain accountable for overall risk management.
The most successful organizations establish clear governance frameworks that give developers autonomy within defined security boundaries. They provide tools and processes that make secure choices easier rather than relying on policy enforcement alone. Automated component scanning, approved component libraries, and security-focused development workflows help bridge the gap between developer autonomy and security oversight.
Investment Priorities
Security leaders are responding to supply chain risks with targeted technology investments. Application Security Posture Management (ASPM) and DevSecOps automation lead the priority list, followed by Security Composition Analysis (SCA) tools, API security, and Dynamic Application Security Testing (DAST).
These investment patterns reflect a broader shift toward automated security integration rather than manual security reviews. Organizations are building security capabilities directly into development workflows, making supply chain visibility and vulnerability management automatic rather than episodic.
The emphasis on automation makes practical sense given the scale of modern software supply chains. Manual tracking and assessment simply can’t keep pace with the rate of component updates and new vulnerability discoveries. Automated tools that continuously monitor supply chain health and flag exceptions for human review provide the only scalable approach.
The Time Factor
Perhaps most concerning, the survey shows a time lag between risk recognition and action. While executives acknowledge supply chain risks, implementation timelines stretch over months or years. This delay creates windows where known risks remain unaddressed.
The gap between awareness and action often reflects organizational complexity rather than technical challenges. SBOM generation and basic vulnerability scanning can be implemented relatively quickly. However, integrating supply chain data with existing security workflows, training teams on new processes, and establishing governance frameworks takes time.
Organizations that move faster typically start with high-risk applications and expand gradually rather than attempting comprehensive coverage immediately. They focus on operational integration rather than perfect data collection, using 80% visibility to make better security decisions while working toward comprehensive coverage.
Looking Forward
Software supply chain security is becoming table stakes rather than competitive advantage. Regulatory requirements, customer security questionnaires, and cyber insurance applications increasingly require supply chain visibility documentation. Organizations that build these capabilities proactively will find themselves better positioned for both compliance and actual risk reduction.
The survey data suggests we’re in a transition period where leading organizations have achieved meaningful supply chain visibility while others struggle with basic component inventory. This gap will likely narrow as tools mature and regulatory pressure increases.
The organizations that experience 6% breach rates instead of 80% aren’t necessarily smarter or better funded. They’ve simply invested in visibility tools and processes that let them see and respond to supply chain risks before they become security incidents. In an environment where software supply chain attacks are increasing in frequency and sophistication, that visibility might be the difference between routine operations and crisis management.