What the DoD’s Missteps Teach Us About Cybersecurity Fundamentals for 2026
Published 2025-11-18 09:51:1 | Author: securityboulevard.com

Every year in cybersecurity brings faster detection, smarter AI, and new tools promising to stay ahead of attackers. Yet 2025 delivered a sobering reminder – no amount of innovation can compensate for neglecting the basics. Even the most elite organizations, the U.S. Department of Defense and Israel’s Unit 8200, stumbled, not because of unknown exploits or state-sponsored attacks, but because foundational practices were overlooked. The future of cybersecurity will belong not to those chasing the next breakthrough, but to those who master the fundamentals that hold everything else together. Supply chain oversight, vendor governance, and proximity management may not make headlines, but they are the invisible scaffolding of cyber resilience. As we approach 2026, these basics are no longer optional; they are mission-critical.

2025 Wake-Up Calls 

In July 2025, reports revealed that Microsoft had relied on China-based contractors, so-called “digital escorts”, to help manage DoD cloud workloads. Two months later, Microsoft restricted Unit 8200’s Azure access following concerns about how Israeli operators used cloud resources. 


These were not zero-days or cloud misconfigurations buried deep in code. They were governance failures, proof that vendor relationships, contractor access, and platform dependencies remain fertile ground for compromise. The fact that two respected and battle-tested organizations were caught off guard underscores how easily “known” risks can turn into existential ones. 

Supply chain and proximity risks share three defining traits. First, they are active and not theoretical. Every modern enterprise already depends on external vendors, cloud providers, and on-site connected devices. Second, they are cross-domain, bridging cybersecurity, physical security, and privacy in ways that demand collaboration between CISOs and CSOs. And third, they are persistent and expanding. The more organizations digitize, the more their vendor and proximity footprints grow, and so does the attack surface. 

Because these surfaces are both cross-functional and continuous, they cannot be governed by checkbox compliance or quarterly audits, but require daily shared accountability. 

Why the Consistent Failure? 

Even though most security practitioners understand that supply chain and proximity are weak spots, they still too often overlook them. Why? These risks tend to fall between the cracks of responsibility. Procurement manages the contracts, CISOs oversee digital risk, and CSOs handle physical environments, but no one owns the full picture. Accountability blurs, control gaps open, and the conditions for compromise are in place.

They also defy neat categorization. Both supply chain and proximity threats span technology, people, and place, making them difficult to contain with any single safeguard. A contract or ISO certification can’t stop a careless employee, an insider with access, or an on-site technician plugging in a compromised device.  

This gap isn’t just structural, it’s cultural. I recently met with the CISO of a major global hotel chain. After walking him through proximity-related vulnerabilities, from rogue access points to compromised maintenance devices, he said he wasn’t going to deal with it immediately because he was focused on other projects and what he considered “sufficient threats.” That mindset reflects a broader industry problem, a lack of understanding of the business implications of proximity risks and their direct connection to operations, reputation, and even guest safety. 

Building a Real Fundamentals Program 

For years, proximity risk – the threat created by nearby wireless signals, devices, and human presence – was an overlooked blind spot. In 2025, the emergence of Proximity Attack Surface Management (PASM) marked the formal recognition of a discipline dedicated to discovering, assessing, and mitigating risks at the physical-digital intersection. 

PASM complements supply chain security: one looks outward to vendors and partners, the other inward to the organization’s own environment. Together, they establish the foundation of a modern fundamentals program, returning to the basics, executed with precision and accountability. In that sense, PASM is more than a toolset. It represents a model or blueprint for how organizations should manage their foundational attack surfaces. PASM manages the proximity surface and supply chain governance frameworks manage the vendor surface. Together, they define the operational foundation of modern cyber resilience.

Turning that vision into reality requires coordination across people, processes, and technology. CISOs, CSOs, procurement leaders, and legal teams must have clearly defined responsibilities and shared accountability. Vendor-security liaisons and on-site verification roles can bridge the gap between contracts and operations, while regular training helps facilities staff, contractors, and operations teams understand how their daily actions shape digital risk. 

Process maturity builds on that structure. Organizations need to evolve from periodic audits to continuous vendor assurance, leveraging telemetry, configuration validation, and targeted spot checks. Incident response and crisis management playbooks should explicitly address supply chain and proximity scenarios, with defined escalation paths. Tabletop exercises must involve suppliers, facilities, and executives, ensuring that everyone from the boardroom to the loading dock understands their role in containment and recovery. 

Technology completes the loop. Attestation tools track vendor access, code provenance, and privileged actions. PASM sensors detect rogue radios or anomalous wireless behavior. Zero-trust principles, particularly around vendor and device access, enforce just-in-time privileges and minimize exposure. 
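As an added illustration (not code from the article, nor from any PASM product), here is a small rogue-radio triage routine of the kind a PASM sensor pipeline feeds into the on-site verification queue described above. It compares constructed Wi-Fi scan observations against an inventory of sanctioned access points and flags evil twins (a corporate SSID broadcast by a radio not in inventory), sanctioned radios broadcasting an SSID they should not, and unknown radios whose signal is strong enough to be on the premises. The inventory, the sample scan, the -60 dBm on-premises threshold and every name in the block are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed inventory of sanctioned access points (assumed data, not a real site):
# BSSID -> (SSID it should broadcast, installed location)
KNOWN_APS: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("CorpNet", "lobby"),
    "aa:bb:cc:00:00:02": ("CorpNet", "floor-2"),
    "aa:bb:cc:00:00:03": ("CorpGuest", "lobby"),
}

# Every SSID the organisation legitimately broadcasts; an unknown radio using one is an evil twin.
CORPORATE_SSIDS = {ssid for ssid, _ in KNOWN_APS.values()}

# Signal strength at or above which an unknown radio is treated as on-premises (assumed threshold).
ON_PREMISES_DBM = -60

# Categories from most to least urgent; triage() returns its buckets in this order.
SEVERITY_ORDER = ["evil-twin", "ssid-mismatch", "unknown-strong", "unknown-weak", "sanctioned"]


@dataclass(frozen=True)
class Observation:
    bssid: str      # radio MAC as reported by the sensor
    ssid: str       # network name being broadcast
    channel: int
    rssi: int       # received signal strength in dBm
    sensor: str     # which PASM sensor saw it


def classify(obs: Observation, known=KNOWN_APS, corp_ssids=None,
             on_premises_dbm: int = ON_PREMISES_DBM) -> str:
    """Assign one severity category to a single observation."""
    if corp_ssids is None:
        corp_ssids = {ssid for ssid, _ in known.values()}
    bssid = obs.bssid.lower()
    if bssid in known:
        expected_ssid, _ = known[bssid]
        # A sanctioned radio advertising a different network is configuration drift or tampering.
        return "sanctioned" if obs.ssid == expected_ssid else "ssid-mismatch"
    if obs.ssid in corp_ssids:
        # Corporate SSID from a radio that is not in inventory: the evil-twin pattern.
        return "evil-twin"
    # Unknown radio: a strong signal suggests it is physically inside the facility.
    return "unknown-strong" if obs.rssi >= on_premises_dbm else "unknown-weak"


def strongest_per_radio(observations: Iterable[Observation]) -> Dict[str, Observation]:
    """Collapse sightings from several sensors to the strongest one per BSSID."""
    best: Dict[str, Observation] = {}
    for obs in observations:
        key = obs.bssid.lower()
        if key not in best or obs.rssi > best[key].rssi:
            best[key] = obs
    return best


def triage(observations: Iterable[Observation], **kwargs) -> Dict[str, List[str]]:
    """Group BSSIDs by category, most urgent first, for the on-site verification queue."""
    buckets: Dict[str, List[str]] = {cat: [] for cat in SEVERITY_ORDER}
    for key, obs in sorted(strongest_per_radio(observations).items()):
        buckets[classify(obs, **kwargs)].append(key)
    return buckets


# Constructed scan results from two sensors (sample input, not real data).
SAMPLE_SCAN = [
    Observation("aa:bb:cc:00:00:01", "CorpNet", 6, -45, "sensor-lobby"),
    Observation("aa:bb:cc:00:00:02", "CorpNet", 36, -70, "sensor-lobby"),
    Observation("AA:BB:CC:00:00:03", "CorpNet", 1, -50, "sensor-lobby"),      # should be CorpGuest
    Observation("de:ad:be:ef:00:01", "CorpNet", 11, -72, "sensor-floor2"),
    Observation("de:ad:be:ef:00:01", "CorpNet", 11, -55, "sensor-lobby"),     # same rogue, seen closer
    Observation("12:34:56:78:9a:bc", "Maintenance-Hotspot", 6, -50, "sensor-floor2"),
    Observation("11:22:33:44:55:66", "NeighborCafe", 1, -85, "sensor-lobby"),
]

if __name__ == "__main__":
    for category, radios in triage(SAMPLE_SCAN).items():
        if radios:
            print(f"{category:15s} {', '.join(radios)}")
```

The inventory is the link to the supply chain side of the program: a radio only moves from "unknown-strong" to "sanctioned" once facilities or the vendor who installed it has registered it, which is exactly the kind of continuous verification the text calls for in place of a quarterly walkthrough. The "unknown-weak" bucket exists so that neighbouring networks do not bury the handful of findings that warrant a physical check.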

Enterprises must adopt management platforms for these fundamental domains, supply chain and proximity, and treat them as continuous, operational disciplines, not as optional security add-ons.  

Identifying and Prioritizing Your Fundamentals in 2026 

Every organization should start by mapping its foundational attack surfaces, including supply chain, proximity, third-party integrations, OT and ICS connections, identity systems, and data egress points. Once mapped, they must be ranked by impact and likelihood to identify which are mission-critical and which are secondary. Ownership should be jointly assigned to the CISO and CSO, with executive support and adequate funding. Above all, continuous verification must replace static assessments. Snapshots and checklists cannot protect a living ecosystem of vendors, devices and people. 

Innovation matters, but without strong fundamentals, every new control sits atop a shaky foundation. Supply chain and proximity are not peripheral; they are the base layer on which resilience is built. If the DoD and 8200, organizations with unparalleled cyber expertise, can falter on these fronts, no enterprise is immune. With 2026 around the corner, leaders should be asking: Are our fundamentals continuously managed end-to-end? If the answer is anything short of an unqualified “yes,” the time to act is now. 


Article source: https://securityboulevard.com/2025/11/what-the-dods-missteps-teach-us-about-cybersecurity-fundamentals-for-2026/