Alice in Supply Chains is a monthly podcast by based on the Alice in Supply Chains newsletter - that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM).

It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.

1. 2026 Outlook

• AI hits "put up or shut up" time—needs to prove enterprise value beyond demos
• Geopolitical fragmentation accelerating, impacting supply chain dependencies
• China signaling supply chain independence (banning US/Israeli security vendors, declining Nvidia H200s)

• Upcoming episode with Tony Martin-Vegue on cyber risk quantification
• RSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week

2. Announcements

• Upcoming episode with Tony Martin-Vegue on cyber risk quantification

• RSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week

3. Stories covered

Story 1: ENISA NIS2 Survey
Survey of 1,080 professionals across 27 EU countries on cybersecurity investments.

• Top investment driver: Regulatory compliance (70%), far ahead of proactive risk management (42%)
• Hardest to implement: Vulnerability management (#1), TPRM (#2)
• Supplier inventory: Under 10% of companies maintain one—current TPRM approaches don't scale
• Top 2026 concerns: Ransomware and supply chain attacks (~47%)

• https://www.enisa.europa.eu/publications/nis-investments-2025

Story 1 Resources

• https://www.enisa.europa.eu/publications/nis-investments-2025
  

Story 2: SOC 2 Fraud Allegations
Social media discussions allege compliance platforms and auditors are rubber-stamping SOC 2 reports.

• Claims of nearly identical reports across different companies
• No AICPA enforcement—peer review doesn't verify actual control testing
• Post-breach cases (e.g., PowerSchool) reveal SOC 2s claiming controls that weren't implemented
• Takeaway: Don't over-trust SOC 2s for critical third parties; consider independent verification

Story 2 Resources

• https://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-activity-7415043499676483584-nI5Z
• https://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzO
• https://infosec.exchange/@AlexandreSieira/115865691003110478

Story 3: Japan & Korea Cybersecurity Regulations
Both countries responding to major 2025 breaches (Asahi, SK Telecom, KT, Coupang) with new rules.

• Mandatory breach reporting with government actively assisting incident response
• Korea: GDPR-style fines up to 3% of annual sales for repeat breaches
• Japan: Expanding cyber intelligence capabilities, reflecting reduced reliance on US protection
• TPRM angle: Public breach disclosure would enable better third-party "background checks" than self-reported questionnaires

Story 3 Resources

• https://www.centerforcybersecuritypolicy.org/insights-and-research/japans-new-active-cyber-defense-law-a-strategic-evolution-in-national-cybersecurity
• https://www.japantimes.co.jp/news/2025/12/23/japan/crime-legal/new-cybersecurity-strategy-police-sdf/
• https://www.koreatimes.co.kr/southkorea/20251212/science-minister-vows-punitive-fines-against-companies-with-repeated-security-breaches

Other Resources Mentioned

• The Alice in Supply Chains Newsletter https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/
• Episode 440 of the Enterprise Security Weekly podcast: why cybersecurity predictions are so bad https://youtu.be/qyn7F2NPCMs?si=P0bhGQtwwHXrnIhW
• Prior episode with AJ Yawn discussing how the SOC 2 sausage gets made https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2
• "The Security Products We Deserve" talk https://www.youtube.com/watch?v=GHuQC1qLnJ4

Stay safe and stay vigilant!