Vendors Need to ‘Do Better’, According to Former US Security Chief
Posted: Wednesday, Jun 10
Karissa Breen, more commonly known as KB, is crowned a LinkedIn ‘Top Voice in Technology’, and widely recognised across the global cybersecurity industry. A serial entrepreneur, she is the co-founder of the TMFE Group, a portfolio of cybersecurity-focused businesses spanning an industry-leading media platform, a specialist marketing agency, a content production studio, and the executive headhunting firm, MercSec. Now based in the United States, KB oversees US editorial operations and leads the expansion of the group’s media footprint across North America, while maintaining a strong presence in Australia, and the broader global market. She is the former Producer and Host of the streaming show 2Fa.tv, and currently sits at the helm of journalism for the group’s flagship arm, KBI.Media, the independent cybersecurity media company. As a cybersecurity investigative journalist, KB hosts her globally-renowned podcast, KBKast, where she interviews leading cybersecurity practitioners, CISOs, government officials including heads-of-state, and industry pioneers from around the world. The podcast has been downloaded in over 65 countries with more than 400,000 global downloads, influencing billions of dollars in cybersecurity budgets. KB is known for asking the hard questions and extracting real, commercially relevant insights. Her approach provides an uncoloured, strategic lens on the evolving cybersecurity landscape, demystifying complex security issues and translating them into practical intelligence for executives navigating risk, regulation, and rapid technological change.


Former top US cybersecurity official and cyber celebrity, Chris Krebs, reveals that the world is more unstable, more exposed and more vulnerable than most executives are willing to admit.

Krebs, the founding Director of the Cybersecurity and Infrastructure Security Agency (CISA), says companies are operating in a ‘chaotic’ risk environment where traditional playbooks are breaking down, and fast.

Speaking in a recent interview, Krebs says “It’s really hard to make the case right now that the world’s a stable place,” pointing to geopolitical tensions, fragmented alliances and volatile cyber actors.

According to Krebs, even the biggest companies on the planet don’t trust their own technology suppliers at times.

Krebs pointed to the growing frustration of major financial institutions, including JPMorgan Chase, whose top security leadership has publicly pushed vendors to “do better” at protecting customer environments. The problem, according to Krebs, is systemic.

[Image: the JPMorgan Chase open letter. Source: JPMorganChase official website]

To summarise the open letter that JPMorgan Chase CISO Patrick Opet published ahead of RSA Conference 2025: he warned that the modern SaaS delivery model is creating systemic cybersecurity risk.

He argues that vendors are prioritising speed over security, shipping products that are not secure by default, while enterprises are left carrying the risk without enough visibility or control over the services they depend on.

The letter also suggests SaaS is “quietly enabling cyber attackers,” amplifying the impact of breaches across interconnected systems.

Companies spent years locking down their internal systems, only to reopen the doors through third-party software integrations. “We’ve segmented networks,” he explained, “but then we’ve allowed trusted access back in through SaaS providers.”

In other words, the front door is locked, but the side entrance is wide open.

Krebs argues that most corporate risk frameworks simply cannot keep up with today’s tempo of threats: every day brings a new threat, and a new report from a vendor claiming to fix this or that.

Boards are drowning in expanding risk registers, adding new threats faster than they can manage the ones already listed. “That’s just not a sustainable pace,” he adds.

Krebs described five foundational cracks that, as he sees it, are reshaping the cybersecurity landscape today.

  1. Old assumptions are dead – Geopolitical stability can no longer be taken for granted
  2. Partnerships are weakening – Even trusted alliances are under strain
  3. Power is shifting fast – Decisions that once took months now happen overnight
  4. Events are accelerating – Attacks unfold faster than governance can respond
  5. Information is polluted – Leaders can’t always trust what they’re seeing

What continues to blow Krebs’ hair back is that companies know certain technology vendors are risky, but keep using them anyway.

Why? Contracts, cost, complexity. It is not easy to ‘oust’ a vendor at the drop of a hat.

“There are vendors that time over time… have vulnerabilities exploited by ransomware actors, by the Chinese, by the Russians,” Krebs said.

Yet organisations continue to rely on them, often because replacing them would be too disruptive.

Even worse, some companies knowingly run outdated systems. Krebs recounted a real-world scenario in which a team chose not to update a system, only for it to be compromised almost immediately afterwards.

When it comes to government oversight, Krebs is on the fence.

He warned that overregulation, particularly in Europe, can stifle innovation. In the United States, however, he suggested the pendulum may be swinging too far the other way, allowing insecure products to remain on the market. That affects not only the vendor’s direct customers but the wider supply chain, with cascading impacts.

“Every month, the same vendors have issues,” he said, calling for stronger accountability standards.

Zooming out, Krebs pointed to global tensions involving nations such as Russia, China and Iran, where cyber operations increasingly precede physical ones and lead into kinetic warfare.

“Cyber is not a technical risk,” he said. “It is truly business risk.”

Watch the full interview here: https://kbi.media/interview/chris-krebs/
