Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Cybersecurity
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
Shai-Hulud's True Lesson for CISOs: A Crisis of Communication
Last updated
December 1, 2025
{x} minute read

Shai-Hulud's True Lesson for CISOs: A Crisis of Communication

Download the PDF guide
Free trial
Written by
Phil Ross
Chief Information Security Officer
Phil is a Forrester Zero Trust Strategist leveraging decades of experience in enterprise cybersecurity architectures.
Reviewed by
Greg Pollock
Director of Research and Insights
Greg is a CISA-certified cybersecurity researcher who holds multiple patents for data leak detection. His findings have been featured in The New York Times, Forbes, and Wired.
Table of contents

The Shai-Hulud worm wasn't just a sophisticated supply chain attack; its most important lesson was about a crisis of communication. The attack thrived in the organizational gap between security policy and the daily realities of software development, a gap that exists in most companies. 

Defending against the next software supply chain attack requires more than a new tool; it demands a strategic shift from imposing controls to forging a genuine partnership with engineering.

Starting the conversation: A CISO's questions for engineering

After a major security event, your first impulse might be to demand technical reports. A more powerful starting point, however, is a simple conversation. 

The goal isn't for CISOs to collect all the answers, but to sit down with engineering leadership and collaboratively probe for weaknesses. Don't think of it as an audit, but as a dialogue to uncover shared risks and align on priorities. 

The quality of your defense isn’t determined by the tech you buy, but by the conversations you have before a crisis hits.

Here are four key discussion areas to get you started.

1. The "first signal" test

Many teams rely on automated checkers, but the real test is what happens after an alert is generated. The most sophisticated attacks create quiet, disconnected signals across different tools and teams. Understanding the complete flow of information and the readiness of a unified response team is crucial to containing a threat quickly.

To truly gauge this readiness and map out that information flow, start by asking a series of practical questions:

  • If a build unknowingly included a compromised package, where would the very first signal of trouble appear?
  • Would that signal appear in an engineering tool (like a CI/CD log) or a security tool (like a network monitor)? 
  • Who is responsible for connecting the dots between signals?
  • When an alert fires, where does it flow, who reviews it, and how quickly?
  • Do we have a documented, joint playbook for a supply chain compromise that clearly defines roles, communication channels, and technical procedures?
  • Have we run tabletop exercises with both security and engineering to ensure everyone knows their role before a real crisis hits?

2. The blast radius problem

In the first hours of a response, speed is everything. The ability to quickly produce a complete map of every application running compromised code is essential. 

A Software Bill of Materials (SBOM) provides this map, moving it from a simple compliance artifact to your most critical response tool in a crisis. However, a SBOM is only useful if it's accurate, accessible, and integrated into your response plan. 

The following questions can help you assess your true readiness:

  • How quickly could we produce a complete map of every application and system running compromised code?
  • Is generating an SBOM a standard, automated part of our build process for 100% of our production applications, or is it an emergency exercise we are not prepared for?
  • Is our SBOM accurate and readily accessible to the incident response team, allowing them to instantly understand the blast radius?
  • Beyond just having an SBOM, have we practiced using it during incident response drills to ensure it's an effective tool for rapid containment?
  • Are SBOMs published to a central repository, and is every SBOM entry tied to a clear owner/team?

3. The blind spot analysis

Different development ecosystems carry unique risks. A comprehensive understanding of these language-specific nuances and a formal process for vetting the open-source software (OSS) that engineering teams rely on are critical.

Conducting a true blind spot analysis goes beyond simply scanning for known vulnerabilities; it requires a strategic review of how you select, manage, and prioritize the open-source components you depend on.

You can begin that review by asking:

  • Do we have a clear picture of the language-specific risks across our entire tech stack, like the risk of arbitrary shell commands in PHP's Composer?
  • Do we have a formal, lightweight process for introducing new dependencies, including evaluating a library's maintenance history and community support?
  • Have we worked with senior engineers to identify which dependencies pose the greatest systemic risk? 
  • Have we mapped out which libraries are used across multiple critical applications, where a single compromise would have the widest blast radius?
  • How do we translate raw vulnerability scores into a meaningful business context, so that both teams can agree on what to prioritize?

Diagnosing the disconnect: Why these questions are hard to answer

If these questions are difficult to answer, it’s not a sign of failure. It's a symptom of a systemic disconnect common in most tech organizations. These gaps arise because teams have different priorities, metrics, and tools. 

Understanding these root causes is the first step toward fixing them.

  • Productivity vs. protection: At its heart, the conflict is a battle of competing incentives. Engineering teams use open-source software (OSS) for its convenience and speed. The security team, mandated to ensure caution, is often perceived as a bottleneck. This creates a cultural divide where security’s need for safety seems directly at odds with engineering's drive for speed.
  • The trust vs. verify dilemma: The open-source ecosystem is built on implicit trust, but this trust is also a critical vulnerability. Incidents like left-pad and Shai-Hulud demonstrate how this trust can be exploited. We must evolve our thinking to reduce our dependency count and focus on a curated set of libraries from trustworthy creators. This requires a difficult conversation: true trust often means paying for the critical software we use.
  • The visibility gap: The most sophisticated attacks create quiet, disconnected signals across different tools. Though Product Security teams are designed to bridge this gap, organizations lacking this function, or where it isn't deeply integrated, silos persist: the security team monitors network traffic while engineering watches build logs. 
Without a dedicated team to bridge the signal visibility gap between tools, attackers can (and likely will) operate freely in this blind spot.

Building the bridge: A framework for a joint alliance

Lasting change requires a deliberate framework for action. The goal is to move security from a reactive, tool-centric function to a proactive, people-centric posture built on collaboration. 

This framework rests on three pillars.

Pillar 1: Create a shared language & goals

An effective partnership begins with speaking the same language.

  • Establish clear guardrails for OSS: Work with engineering to create a lightweight process for vetting new dependencies, evaluating their maintenance history, and community support.
  • Translate risk, not just CVEs: A raw CVSS score lacks business context. A "critical" flaw in a test environment might be less urgent than a "medium" flaw in a production authentication service. Create a joint risk model that combines vulnerability data with project health metrics (like the OpenSSF Scorecard) and business context to create a meaningful priority list.
  • Identify 'crown jewel' dependencies: Identify your 'crown jewel' applications — the systems most critical to the business. Then, this analysis can be extended to the supply chain by working with engineering to map their underlying dependencies. This will reveal a small number of foundational libraries that, if compromised, would create a catastrophic risk across multiple critical systems. This focused list of shared, high-impact dependencies should become a top priority for your most intensive monitoring efforts.

Pillar 2: Pave the secure road (a phased approach)

The best security controls are invisible, making the secure path the easiest option for developers.

  • Phase 1 (1-6 months): Master the fundamentals. Establish total visibility by implementing a best-in-class Software Composition Analysis (SCA) tool. Simultaneously, automate the generation of SBOMs for 100% of production applications as a non-negotiable step in your CI/CD pipeline. Implementing a Cyber Risk Posture Management platform will further bridge visibility gaps between tools and attack surfaces.
  • Phase 2 (6-12 months): Advanced risk scoring. Enrich your data by integrating OpenSSF Scorecards into your pipeline for automated health checks on new dependencies. Use your "Crown Jewel" list to focus resources and apply stricter policies where they matter most.
  • Phase 3 (12+ months): Proactive and behavioral monitoring. Move beyond known vulnerabilities by adopting tools that detect risky patterns, like a library suddenly making network calls or adding a post-install script. Focus this high-fidelity analysis on your "Crown Jewels" first.

Pillar 3: Unify incident response

A unified, well-practiced response plan separates a manageable event from a crisis.

  • Develop a joint playbook: Work with engineering to create a step-by-step playbook for a supply chain compromise that clearly defines roles, communication channels, and technical procedures.
  • Run joint tabletop exercises: A playbook is useless if not practiced. Regularly run exercises with security and engineering stakeholders to build muscle memory and expose faulty assumptions before a real crisis hits.
  • Weaponize the SBOM: In a real incident, the SBOM becomes your most critical response tool. It provides the definitive map for understanding the blast radius, enabling rapid containment and remediation.

The future of a secure supply chain is collaborative

The Shai-Hulud worm was a wake-up call. It proved that our greatest vulnerability isn't a missing patch but the organizational gap between the security teams who write policy and the engineering teams who build products.

The path forward isn't building taller walls around development, but stronger bridges with them. For CISOs, this is a fundamental shift from a technical challenge to a cultural one. 

Securing the modern enterprise means fostering a partnership with engineering built on a shared language, secure-by-default tooling, and unified response plans. Our resilience will be measured by how well these two teams work together under pressure.

Related posts

Learn more about the latest issues in cybersecurity.
Cybersecurity

Risk Automations: The Shift From Catch-Up to Command

Connect intelligence to system execution with Risk Automations, your new resolution layer for risk. Reduce remediation from hours to seconds - read more.
Revashni Moodley
Revashni Moodley
December 1, 2025
Cybersecurity

UpGuard’s Updated Cyber Risk Ratings

Discover UpGuard's updates to its cyber risk ratings, including enhanced risk categorization and an improved scoring algorithm.
Nicholas Sollitto
Nicholas Sollitto
July 2, 2025
Cybersecurity

Introducing UpGuard's New SIG Lite Questionnaire

Streamline your data collection and vendor risk assessments with UpGuard’s SIG Lite risk-mapped questionnaire.
Caitlin Postal
Caitlin Postal
June 26, 2025
Attack Surface Management

Typosquatting Explained with Real-World Examples

Learn more about typosquatting, what it is, how it works, and how to protect your business. Explore legal strategies, tools, and real-world examples here.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Cybersecurity

Why is Cybersecurity Important?

If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. Learn why cybersecurity is important.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
Attack Surface Management

What are Security Ratings? Cybersecurity Risk Scoring Explained

This is a complete guide to security ratings and common use cases. Learn why security and risk management teams have adopted security ratings in this post.
Abi Tyas Tunggal
Abi Tyas Tunggal
December 1, 2025
All posts