Episode #13 | January 2026

Alice in Supply Chains is a monthly podcast by based on the Alice in Supply Chains newsletter - that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira & The Defender's Initiative Principal Researcher, Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.1. 2026 OutlookAI hits "put up or shut up" time—needs to prove enterprise value beyond demosGeopolitical fragmentation accelerating, impacting supply chain dependenciesChina signaling supply chain independence (banning US/Israeli security vendors, declining Nvidia H200s)Upcoming episode with Tony Martin-Vegue on cyber risk quantificationRSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week2. AnnouncementsUpcoming episode with Tony Martin-Vegue on cyber risk quantificationRSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week3. Stories coveredStory 1: ENISA NIS2 SurveySurvey of 1,080 professionals across 27 EU countries on cybersecurity investments.Top investment driver: Regulatory compliance (70%), far ahead of proactive risk management (42%)Hardest to implement: Vulnerability management (#1), TPRM (#2)Supplier inventory: Under 10% of companies maintain one—current TPRM approaches don't scaleTop 2026 concerns: Ransomware and supply chain attacks (~47%)https://www.enisa.europa.eu/publications/nis-investments-2025Story 1 Resourceshttps://www.enisa.europa.eu/publications/nis-investments-2025Story 2: SOC 2 Fraud AllegationsSocial media discussions allege compliance platforms and auditors are rubber-stamping SOC 2 reports.Claims of nearly identical reports across different companiesNo AICPA enforcement—peer review doesn't verify actual control testingPost-breach cases (e.g., PowerSchool) reveal SOC 2s claiming controls that weren't implementedTakeaway: Don't over-trust SOC 2s for critical third parties; consider independent verificationStory 2 Resourceshttps://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-activity-7415043499676483584-nI5Zhttps://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzOhttps://infosec.exchange/@AlexandreSieira/115865691003110478Story 3: Japan & Korea Cybersecurity RegulationsBoth countries responding to major 2025 breaches (Asahi, SK Telecom, KT, Coupang) with new rules.Mandatory breach reporting with government actively assisting incident responseKorea: GDPR-style fines up to 3% of annual sales for repeat breachesJapan: Expanding cyber intelligence capabilities, reflecting reduced reliance on US protectionTPRM angle: Public breach disclosure would enable better third-party "background checks" than self-reported questionnairesStory 3 Resourceshttps://www.centerforcybersecuritypolicy.org/insights-and-research/japans-new-active-cyber-defense-law-a-strategic-evolution-in-national-cybersecurityhttps://www.japantimes.co.jp/news/2025/12/23/japan/crime-legal/new-cybersecurity-strategy-police-sdf/https://www.koreatimes.co.kr/southkorea/20251212/science-minister-vows-punitive-fines-against-companies-with-repeated-security-breachesOther Resources MentionedThe Alice in Supply Chains Newsletter https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/Episode 440 of the Enterprise Security Weekly podcast: why cybersecurity predictions are so bad https://youtu.be/qyn7F2NPCMs?si=P0bhGQtwwHXrnIhWPrior episode with AJ Yawn discussing how the SOC 2 sausage gets made https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2"The Security Products We Deserve" talk https://www.youtube.com/watch?v=GHuQC1qLnJ4Stay safe and stay vigilant!