Software supply chain attacks have changed how CISOs think about risk. A single compromised library, build system, or vendor can expose thousands of organizations at once. After SolarWinds and similar incidents, security leaders began pushing for deeper reforms that start inside the development pipeline, not at the firewall.
The CISOs below stand out for driving real change. They focus on SBOM adoption, secure build pipelines, dependency visibility, and vendor accountability. Their work reflects a shift from trust by default to verification at every stage of software creation and delivery.
Jason Lau
Chief Information Security Officer, Crypto.com
Jason Lau has focused on reducing supply chain exposure tied to open source libraries and external code dependencies. His approach centers on real-time monitoring of third-party components, stricter vendor governance, and tighter controls over how software is introduced into production environments.
Profile: https://www.linkedin.com/in/jasonciso/?originalSubdomain=sg
Michael Hanley
Chief Information Security Officer, General Motors
Michael Hanley has driven reforms aimed at protecting developer ecosystems and open source consumption. His work includes dependency hygiene, code signing, and reducing risk from indirect suppliers. This is especially critical for platforms that serve as foundational infrastructure for other applications.
Profile: https://www.linkedin.com/in/michaelphanley/
Ram Shankar
Chief Information Security Officer, Fidelity Investments
Ram Shankar connects software supply chain security with zero trust principles. His work emphasizes continuous verification of software components, secure cloud-native development, and stronger oversight of third-party integrations that feed into customer-facing platforms.
Profile: https://www.linkedin.com/in/ram-shankar/
Why CISOs are rewriting the rules
Software supply chain risk is no longer a niche issue. It is a systemic threat that affects entire industries at once. These CISOs are moving security upstream, embedding controls into how software is built, tested, and delivered.
For modern security leaders, supply chain reform is not optional. It is a core part of enterprise risk management, regulatory readiness, and long-term trust.
