TL;DR: The shift from periodic third-party assessments to continuous, threat-informed supply chain security took center stage at the Odyssey 2026 conference in Miami, with nearly 300 CISOs and risk leaders discussing real-time operations, nation-state pressure, and automation, according to SecurityScorecard. The operating model is moving from checkbox review toward evidence-driven vendor oversight, where timing and context matter more than annual scorecards.
NHIMG editorial — based on content published by SecurityScorecard: Odyssey 2026 customer conference coverage
By the numbers:
- 300 CISOs, 0 CISOs, security operations leaders, and third-party risk management professionals attended Odyssey in Miami on January 26-27.
- 90% of companies rely on software and services from roughly 150 third-party providers.
- Odyssey brought together nearly 300 CISOs, security operations leaders, and third-party risk management professionals in Miami on January 26-27.
Questions worth separating out
Q: How should security teams govern supplier access in continuous third-party risk programmes?
A: Security teams should treat supplier access as part of the identity lifecycle, not as a static vendor attribute.
Q: Why do periodic vendor assessments fail against supply chain threats?
A: Periodic assessments fail because they capture a point in time, while supplier environments, privileges, and exposures change continuously.
Q: What do organisations get wrong about third-party risk scores?
A: They often treat scores as a decision rather than a signal.
Practitioner guidance
- Map supplier-held identities to business criticality Build an inventory of supplier-issued accounts, API keys, support credentials, and federation links, then rank them by downstream system access and data reach.
- Replace annual vendor reviews with continuous control checks Track access scope, control drift, and exposure changes for high-risk suppliers throughout the year, not just at review time.
- Tie threat intelligence to supplier escalation rules Define trigger conditions that raise monitoring or response when a supplier appears in active threat reporting, has exposed services, or is linked to current attack campaigns.
What's in the full article
SecurityScorecard's full post covers the conference detail this analysis intentionally leaves for the source:
- Session-level discussion of threat-informed third-party risk management and how practitioners are operationalising it.
- The roadmap context behind upcoming continuous monitoring capabilities and how attendees responded to them.
- Panel and keynote takeaways from CISOs, policy leaders, and practitioners on supply chain resilience.
- Examples of how SecurityScorecard expects customers to integrate continuous monitoring with existing security operations.
👉 Read SecurityScorecard's Odyssey 2026 coverage of continuous supply chain risk operations →
Supply chain risk operations: what continuous monitoring changes for CISOs?
Explore further
Continuous supply chain security is now an identity governance problem as much as a vendor risk problem. Once suppliers hold service accounts, tokens, support credentials, or federated access, their security state becomes part of the enterprise identity perimeter. Static questionnaires cannot govern those relationships at the pace modern supplier environments change. Practitioners should treat third-party access as a lifecycle issue, not an annual review artifact.
A question worth separating out:
Q: Who is accountable when a supplier compromise affects downstream customers?
A: Accountability is shared, but the customer remains responsible for governing the access it allows and the monitoring it performs. Regulators and auditors will expect evidence of supplier due diligence, lifecycle control over third-party access, and timely response when conditions change. Contract language does not replace operational accountability.
👉 Read our full editorial: Continuous supply chain risk operations are replacing periodic assessments