Supply chain security is a capability problem

Sarb Sembhi

CTO, Virtually Informed

Supply chain security is often discussed as a controls problem. Organisations ask suppliers to complete questionnaires, provide certifications, demonstrate compliance with standards, or confirm that specific technologies and processes are in place. These activities are important, but they can also create a misleading sense of assurance if they are treated as evidence of operational resilience by themselves.

The deeper issue is that supply chain security is fundamentally a capability problem.

Every security requirement imposed on a supplier assumes certain operational conditions already exist. It assumes the supplier can maintain visibility of systems and dependencies, sustain patching and monitoring activity, coordinate incident response, retain evidence, manage third-party relationships, and continue operating effectively under pressure. In practice, those assumptions are often unevenly distributed across the supply chain.

This matters because supply chains rarely consist of organisations with equivalent operational capability. A large enterprise, a hyperscale cloud provider, a regional data centre operator, a specialist software supplier and a ten-person managed service provider may all sit within the same dependency chain while operating with very different levels of time, staffing, governance structure and resilience capacity.

As resilience expectations increase, the hidden burden inside supply chain security also increases. The challenge is no longer simply implementing technical controls. It becomes the continuous coordination, interpretation, evidence production and operational maintenance required to sustain those controls over time.

One of the risks emerging across the ecosystem is that requirements can propagate faster than capability develops. Larger organisations and regulators understandably seek greater resilience and assurance from suppliers. However, suppliers themselves may still be trying to stabilise foundational operational capabilities such as asset visibility, access control, backup reliability or governance ownership. When progressively more advanced obligations are layered onto unstable foundations, organisations often compensate through documentation, attestations and external providers rather than through deeply integrated operational capability.

This creates an important distinction between evidence of structure and evidence of resilience.

A supplier may possess policies, certifications and security tooling while still lacking the operational conditions required to respond reliably during disruption. Equally, organisations consuming supplier services may overestimate the resilience actually present within their dependency chain because visibility is strongest at the point of onboarding and weakest during ongoing operation and change.

For supply chain security to improve meaningfully, the conversation needs to move beyond whether requirements have been transferred contractually. The more important question is whether the operational conditions required to sustain those expectations are realistically achievable across the ecosystem.

This does not mean lowering expectations. It means recognising that resilience is cumulative and dependent on foundations. Foundational operational hygiene, governance visibility, dependency awareness and coordination capability all matter because advanced resilience expectations cannot operate reliably without them.

If supply chain security is treated only as a compliance exercise, the result may be increasing evidence production without corresponding increases in operational resilience. If it is treated as a capability-development challenge, organisations can begin focusing not only on what suppliers should do, but on what conditions must exist for suppliers to sustain secure and resilient operations over time.

That distinction may become increasingly important as cyber resilience expectations continue to expand across critical infrastructure, digital services and interconnected supply chains.

Cyber Resilience Programme activities

techUK brings together key players across the cyber security sector to promote leading-edge UK capabilities, build networks and grow the sector. techUK members have the opportunity to network, share ideas and collaborate, enabling the industry as a whole to address common challenges and opportunities together. Visit the programme page here.

techUK Supply Chain Security Campaign Week 2026

Explore the key challenges and opportunities shaping secure and resilient supply chains through techUK’s Supply Chain Security Campaign Week 2026. Gain insight into cyber risk, defence, AI, resilience and public-private collaboration from across industry and government. Follow the campaign to access expert perspectives and practical approaches to strengthening supply chain security.

Explore campaign

Explore the responsibilities and cross-cutting areas of techUK's Cyber Resilience Programme

Click here to download our presentation

 

Upcoming events

20 May 2026

Securing the chain: innovation, accountability and resilience in supply chain security webinar

Online Webinar

28 May 2026

Government’s Cyber Resilience Pledge: techUK member briefing

Online Industry Briefing

29 June 2026

Strengthening the OT workforce: techUK roundtable

London and online Roundtable

Latest news and insights 

19 May 2026

How does security make UK technology supply chains faster, not slower?

19 May 2026

Supply chain security is a capability problem

19 May 2026

Cyber essentials and the supply chain: a leader’s guide

Learn more and get involved

 

Cyber Resilience updates

Sign-up to get the latest updates and opportunities from our Cyber Resilience programme.

 

 

Here are the five reasons to join the Cyber Resilience programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

 

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

---

 

 Meet the team 

Jill Broom

Head of Cyber Resilience, techUK

Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Website:

www.techuk.org/

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Read lessmore

Annie Collings

Senior Programme Manager, Cyber Resilience, techUK

Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023. 

In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.

Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.

Email:

[email protected]

Twitter:

anniecollings24

LinkedIn:

https://www.linkedin.com/in/annie-collings-270150158/

Read lessmore

Olivia Staples

Junior Programme Manager - Cyber Resilience, techUK

Olivia Staples joined techUK in May 2025 as a Junior Programme Manager in the Cyber Resilience team.

She supports the programs mission to promote cyber resilience by engaging key commercial and government stakeholders to shape the cyber resilience policy towards increased security and industry growth. Olivia assists in member engagement, event facilitation and communications support.

Before joining techUK, Olivia gained experience in research, advocacy, and strategic communications across several international organisations. At the Munich Security Conference, she supported stakeholder engagement and contributed to strategic communications. She also worked closely with local and national government stakeholders in Spain and Italy, where she was involved in policy monitoring and advocacy for both public and private sector clients.

Olivia holds an MSc in Political Science (Comparative Politics and Conflict Studies) from the London School of Economics (LSE) and a BA in Spanish and Latin American Studies from University College London (UCL).

Outside of tech, Olivia enjoys volunteering with local charities and learning Norwegian.

Email:

[email protected]

Read lessmore

 

Authors

Sarb Sembhi

CTO, Virtually Informed