Lessons for IT leaders on supply chain security and culture

‘Assess the cyber health of potential vendors before bringing them into your supply chain.’

Image: Cijo Joseph, Chief Technology & Digital Officer at Mitie

Recent events have shown the immense impact that cyberattacks can have on business continuity and the wider economy in addition to data loss and compromise. Cijo Joseph of Mitie shared some practical insights on cyber resilience at the IT Leaders Summit.

Cijo Joseph, Chief Technology & Digital Officer at Mitie, seasoned security expert and one of Computing’s Top 100 IT Leaders, has a long track record in enterprise IT.

Asked about the spate of high-profile attacks that have hit so many household names of late, many of which stem from compromised partners such as CRM or SaaS providers and highlight the vulnerability of supply chains, Joseph’s advice to the ITLS audience was clear: treat cybersecurity due diligence like financial due diligence.

“Just as you run financial checks on suppliers, cyber checks should be mandatory,” he said. “There are mature tools—like Security Scorecard—that help you assess the cyber health of potential vendors before bringing them into your supply chain.”

Computing research presented earlier in the day showed that in the UK around 9% of the overall IT budget is spent on security, but Joseph cautioned against rigid benchmarks.

“There’s no one-size-fits-all number,” he explained. “Cyber is not a technology risk, it’s a business risk. Once you accept that then it’s a reputational damage risk, a financial risk. When you work it through then you should be able to arrive at a number.”

In other words, once leadership sees cybersecurity as intrinsic to protecting business value, the right investment decisions should follow naturally.

AI phishing

The rise of AI has transformed the cyber landscape—for both defenders and attackers. Generative AI now allows malicious actors to launch highly realistic phishing attacks, mimic executive voices or faces, and automate attacks.

Joseph shared a real-world example: after acquiring a company in Spain, a new managing director received a WhatsApp message from someone posing as the group CEO, complete with a deepfaked photo. The scam was only caught due to internal awareness and prompt escalation.

Interestingly, Joseph’s advice echoed that given in a recent Computing webinar on deepfake phishing by Flick March of Accenture which can be summarised as ‘slow down and introduce multi-step verification for financial transactions.’

“The tools attackers use are advancing rapidly,” he warned. “But so are the tools we have to defend. It’s a constant race. Ultimately, it comes down to education within your workforce and cyber culture.”

Before launching any enterprise-wide AI initiatives, Joseph stressed the need to establish an AI ethics and governance framework. His team did this in early 2024, working closely with partners like Microsoft and Salesforce.

Crucially, he recommends not putting IT in charge of such a process. “It should be chaired by your Chief Legal or Risk Officer,” he said. “That brings credibility and cross-functional buy-in.”

The goal is to balance innovation with responsible deployment, especially in high-risk areas like HR, finance, and customer data.

Cyber playbooks

The ideal is that cybersecurity is a behaviour embedded across the organisation. Joseph’s team runs monthly phishing simulations for all staff, including board members. Those who fail are retrained immediately. Over time, this has brought failure rates down from over 20% to around 3%.

Other best practices include creating cyber playbooks aligned with NCSC guidelines and conducting regular tabletop exercises for incident response.

“Security awareness should be like fire safety,” Joseph said. “It must be habitual, not reactive.”

Gone are the days when penetration testing happened just before deployment. “We’ve embedded security reviews at every stage,” Joseph explained. “We also assign ownership: the CSO sets policy, architects enforce design standards, and the CI/CD teams implement it.”

This shift has significantly improved their cyber posture and contributed to better third-party ratings.

Joseph closed with a simple but powerful point, and one that is echoed by many campaigners for improved cybersecurity and safety. Businesses should make cybersecurity personal.

“Cyber safety is like health and safety. If you protect yourself at home and you get that culture change, the business will benefit from that too.”