It’s Monday! Ah, spring! A time of renewal: The flowers bloom, the birds chirp, and the Succession episodes give us something relatively benign to discuss during our many, many meetings.
In today’s edition:
The risks of third-partying hard
Turn on, layoff
GitHub gits 2FA
—Billy Hurley, Eoin Higgins, Tom McKay
Die Hard/20th Century Fox via Giphy
Sometimes a party gets too big, and it’s tough to figure out where everybody came from, especially that dude who showed up with your friend and still hasn’t taken his shoes off.
Companies, too, have their own gathering of suppliers, vendors, and partners. And some will spill (metaphorical) salsa all over your (proverbial) couch.
A report from the risk-management firm Cyentia Institute and cybersecurity rating company SecurityScorecard found that 98% of surveyed organizations have relationships with at least one vendor who suffered a breach in the last two years.
The 230,000-plus organizations had an average of about 10 third-party partners. The information services sector had the highest number of connections: 25.
When there’s too much third-partying, some risk-specific steps can help organizations make a giant contractor web feel smaller and easier to manage. One helpful measure: defining business priorities, which have a way of revealing “must avoid” outcomes.
“Growth targets, new markets that you’re entering, new products that you’re launching, your corporate objectives, goals, initiatives, and projects. The mirror of those is all the things that can’t go wrong,” said Chris Matlock, VP, advisor, and research leader for risk and corporate strategy at the market-intelligence firm Gartner.
Suh-wiiiing, batttah! A recent Gartner survey found that 84% of 100 executive risk-committee respondents said that third-party risk “misses” resulted in operational disruptions.
Some recent contractor whiffs led to unexpected downtime in the airline industry, affecting the FAA and Lufthansa.
Companies have experienced so many third-party risk events that the concerns have reached the board level, said John Wheeler, senior advisor at the risk-management platform AuditBoard.
Read more here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected].
The secret to closing and growing major customers isn’t much of a secret at all: Earn and keep their trust. But common knowledge isn’t common practice, especially when proving security and compliance can be time consuming, tedious, and expensive.
Until you use Vanta. Their platform automates up to 90% of the work to get you to the most sought-after security and privacy frameworks (we’re talkin’ SOC 2, ISO 27001, and GDPR).
Plus, Vanta will grow with your business. As the first-ever enterprise-ready Trust Management Platform, Vanta provides one place to centralize security program management, automate compliance workflows, and build and manage trust with customers and vendors alike.
Now’s your chance to evaluate whether Vanta is right for your business. Start your 7-day free trial to see what their SOC 2 compliance framework and Access Reviews solution could do for your business.
Alexander Spatari/Getty Images
The center of gravity in the IT job market is shifting east. Washington, DC, and New York City now have more available tech jobs than Silicon Valley.
According to reporting from the Wall Street Journal, the San Francisco metro area showed 2,369 software-engineering job postings and the Silicon Valley area had 2,084 at the end of 2022. By contrast, DC had 3,815 and the New York metro area had 3,325.
“The balance has been shifting to the East Coast for some time,” David Lewis, CEO of Norwalk, Connecticut-based OperationsInc, told IT Brew in a recent interview, adding, “If you’re paying attention to the signs on the outside of the buildings, and the brands that are there, you’ve known that there’s been a big move towards tech.”
Those East Coast gigs aren’t all with large IT firms, but span a number of industries—reflecting how tech has become an integral part of nearly every business’s operations. It’s not just DC and New York City, either—Fred Voccola, CEO of software company Kaseya, is based in Miami, and isn’t going anywhere anytime soon. Kaseya moved from Boston to Miami after the Florida municipality offered tax incentives for hiring through its Miami-Dade Relocation and Expansion Incentives Program.
“You couldn’t pay me to go back to the Valley,” Voccola told IT Brew.
Opportunity knocks. Big firm layoffs are presenting companies based on the East Coast with new opportunities. Ximena Gates, co-founder and president of DC-based BuildWithin, told IT Brew that the glut of East Coast jobs is attracting a pool of prospective employees who don’t have a ton of options in California.
“We have all taken advantage of layoffs in Silicon Valley and other places to hire more people,” Gates said.
Keep reading here.—EH
Sopa Images/Getty Images
Making good on its promise from May 2022, code repository GitHub is beginning to require developers who contribute code to the site to enable two-factor authentication (2FA) on their accounts.
The policy, which officially went into effect on March 13 this year, will begin with “smaller groups” and subsequently expand to encompass the entire GitHub developer community by the end of the year. GitHub will inform those whose accounts are selected that they have 45 days to set up 2FA, after which any attempts to log in will trigger the requirement.
Fortunately, GitHub appears to have gone out of its way to make the onboarding process as easy as possible for developers—which is important, given that user experience and complexity are some of the biggest hindrances to widespread 2FA adoption, according to Yubico research.
GitHub is allowing users to register both an authenticator app providing a time-based one-time password (TOTP) and an SMS number on their accounts. GitHub will also let users who are locked out unlink their email address from a 2FA-enabled account, so they can create a new account with the same email.
Twenty-eight days after enabling 2FA, according to GitHub, users will also be asked to perform a checkup that ensures their authentication method is working properly.
GitHub is one of the primary hubs for the open-source community, and the new 2FA requirements are coming into play alongside widespread concerns about the state of software supply-chain security and potential exploitation of flaws and vulnerabilities in ubiquitous open-source software that developers might not even realize is part of their technology stack.
A recent Synopsys report on audited code bases, for example, found that 84% contained at least one open-source vulnerability, and 48% had at least one classified as severe.—TM
Francis Scialabba
Today’s top IT reads.
Stat: 20%. That’s the percentage of assets that are invisible to an IT team, according to a recent report. Many of the “shadow IT” devices are employees’ personal ones. (TechRepublic)
Quote: “It was almost comical. [The hackers] had what appeared to be a customer service department, asking if we’d had a good service experience.”—Andrew Ferguson, owner of Calgary’s Kensington Wine Market, reflecting on the time his store was hit by ransomware (Financial Post)
Read: As Capitol Hill debates a TikTok ban, entrepreneurs in China are still hopeful they can bring their tech products to the US. (Rest of World)
End to endpoint: Don’t let security lapses leave you vulnerable. With CIS Endpoint Security Services (ESS), you have the tools to identify, detect, respond to, and remediate endpoint issues in real time. Get started here.*
*This is sponsored advertising content.