Secure Your Software Supply Chain: A CISO's Imperative in the SDLC

From customer-facing applications to internal systems, your businesses run on code. As CISOs, you may know that this reliance comes with a growing, complex challenge: securing the Software Development Lifecycle (SDLC) from end to end, especially against the insidious threat of software supply chain attacks.

CISO Spotlight: AJ Debole on the Business-Tech Divide, Breach Readiness, and AI Risks

AJ Debole is Field CISO at Oracle, but her journey began far from the corporate boardroom. After starting out in law and government, she moved into healthcare and cyber defense, where she led teams through ransomware crises. In this spotlight, she explores the next wave of challenges – aligning security with business incentives, taming AI sprawl, and securing the APIs that connect it all.

CISOs Concerned of AI Adoption in Business Environments

UK security leaders are making their voices heard. Four in five want DeepSeek under regulation. They see a tool that promises efficiency but risks chaos. Business is already under pressure. Trade disputes drag on. Interest rates remain high. Cyber threats grow. Every move to expand operations adds risk, and risk is harder to measure when AI enters the equation. AI spreads fast. It cuts costs, fills gaps, and automates mundane tasks. But it also opens hidden doors. In the UK, AI is now part of daily work.

Shai-Hulud's True Lesson for CISOs: A Crisis of Communication

The Shai-Hulud worm wasn't just a sophisticated supply chain attack; its most important lesson was about a crisis of communication. The attack thrived in the organizational gap between security policy and the daily realities of software development, a gap that exists in most companies. Defending against the next software supply chain attack requires more than a new tool; it demands a strategic shift from imposing controls to forging a genuine partnership with engineering.

How CISOs Apply Zero Trust Thinking to Credential Harvesting Prevention

A customer opens their bank’s login page. At least, that’s what they think. The design is flawless, the fields are familiar. But it’s a cloned site built to harvest credentials. Within seconds, their details are replayed against the genuine portal. To the bank’s defenses, it looks like business as usual – same username, same password, same MFA prompt. This is the reality of credential harvesting, one of the most common precursors to account takeover.

When It Comes to Breaches, Boards Can't Hide Behind CISOs Any Longer

A trend that has long been on the rise is finally having its day. A recent industry report revealed that 91% of security professionals believe that ultimate accountability for cybersecurity incidents lies with the board itself, not with CISOs or security managers. If the security discussion hadn’t fully made its way into C-suite conversations before, it has now.

Why CIOs and CISOs Must Be Business Leaders First

In today’s climate, where every company is a technology company, there is a simple truth many still overlook: CIOs and CISOs can no longer afford to see themselves primarily as technologists or risk gatekeepers. The mandate is clear: They must be business leaders first, using technology and cybersecurity expertise as powerful tools to drive growth, trust, and competitive advantage.

Beyond the Perimeter: A CISO's Guide to Modern Security Architecture

In this episode of Make Work Happen, JumpCloud's CISO Bob Phan sits down with Superbet CISO Alex "Jay" Balan to challenge traditional cybersecurity thinking. They discuss Jay's "internet-first" security philosophy, which advocates for a strategic shift away from outdated on-premise practices and private networks. Learn why assuming compromise, practicing "resilience through violence," and establishing a single source of truth for identity are the keys to building a more secure and efficient organization.