That I consider your supply chain one of your key risks is nothing new. Typically, however, I raise it in the context of an attacker being able to inject something into the supply chain, say into the products you buy, so that you end up installing the attack kit yourself.
I just read a study that addresses the topic from another angle: all of you are accessed by third parties for support and other reasons (the study claims that, on average, 89 vendors access a company's network every week). How confident are you that your vendor's network is secured well enough that you are not opening a door to an attacker who may be sitting on that vendor's network? An interesting question. You will do monitoring and so on, but how well do you secure your own network at these access points? Does a provider have standing access to your network?
A lot of interesting questions. Have a look at the data points in the study: Vendor Vulnerability: How to prevent the security risks of third-party suppliers. You need to hand over your data to access it.
One point where I disagree: they say at the end that privileged access management will solve the problem. In my opinion that does not cover the whole problem, and I am always skeptical when somebody presents a complex problem and a single solution to it. This will be far more complex and will need a set of approaches.