← Back to Blogs

The new compliance clock: Why CISOs must treat SBOMs as business maps, not regulatory homework

Ami Hofman · January 7, 2026

“When something breaks, can you tell me what was affected, who owns it and how much it’s costing us per day?”

That’s the question more boards are now asking and fewer CISOs can confidently answer.

In 2025, that’s no longer just a visibility issue. It’s a regulatory one.

Across the United States, Europe and Australia, the wave of new legislation, from the EU Cyber Resilience Act to CISA’s 2025 SBOM guidance and Australia’s SOCI reforms, is making it clear: If you can’t map software components to services, ownership and business impact, you can’t claim compliance.

What started as a supply chain hygiene exercise has evolved into a board-level accountability test. The clock is ticking.

The Regulatory Tsunami

The past two years have reshaped the compliance landscape more than any period since GDPR. SBOMs (Software Bills of Materials) and CBOMs (Cryptographic Bills of Materials) once niche developer artefacts, have become central to cybersecurity governance.

Let’s recap the turning points:

  • EU Cyber Resilience Act (CRA) — effective December 2027, with fines up to €15 million or 2.5% of global revenue. It mandates SBOMs for every digital product sold in Europe.
  • U.S. Army SBOM Directive — enforced from February 2025, requiring SBOMs for all new software contracts, not just critical systems.
  • CISA’s 2025 update — expands SBOM requirements to include lifecycle context, cryptographic hashes and generation provenance.
  • Australia’s Security of Critical Infrastructure (SOCI) Act — now gives regulators power to compel updates to risk management programs showing “serious deficiencies” in cyber maturity.

This isn’t theory. It’s a compliance countdown that redefines what it means to run a secure, transparent business.

“For the first time, software transparency has become a legal requirement, not a best practice.”

Yet, many organisations still treat SBOMs as an annual report, static, incomplete and detached from business operations.

That mindset will not survive much longer, specifically given the nature of modern cyber security attacks.

The Accountability Gap: When You Can’t Map Services to Assets

Every major breach over the last 12 months exposed the same structural flaw, the inability to connect assets to business services in real time.

Take Change Healthcare. A ransomware attack crippled one of the largest healthcare payment networks in the U.S., impacting 190 million individuals and over $1 billion in revenue losses. It wasn’t just the ransomware that hurt, it was the absence of an accurate asset-to-service map.

No one could answer basic questions:

  • Which billing services depended on the compromised authentication system?
  • Which databases held patient data?
  • Who owned those systems?

Nine months later, billing operations were only partially restored.

Similarly, during the Snowflake multi-customer breach, more than 160 enterprises were impacted, from AT&T to Santander. The attack wasn’t even a platform vulnerability; it was poor visibility. Many customers couldn’t tell which Snowflake instances held sensitive data, which accounts were still active, or where third-party access was configured.

In the near-miss XZ Utils backdoor incident, global organisations scrambled to assess whether they were exposed but most had no SBOMs that traced transitive dependencies. They were left guessing.

“In every case, the inability to connect assets, software components and business context turned a security incident into a business crisis.”

The result? Delayed response, prolonged downtime, regulatory investigations and boards left in the dark.

SBOMs and CBOMs: The New Language of Assurance

SBOMs are not about code transparency anymore. They are about organisational accountability, the connective tissue between your technology stack and your revenue streams.

  • SBOMs tell you what you’re running, every library, dependency and component.
  • CBOMs tell you how it’s secured, every cryptographic method and authentication dependency.
  • Together, they tell you what’s at risk when something breaks.

A modern SBOM linked to service context can answer:

  • Which business service uses this vulnerable component?
  • Who owns it?
  • How critical is it to operations?
  • What’s the financial exposure if it fails?

Without that, CISOs can’t provide boards with the answers they now demand.

The CISO’s New Compliance Burden (and Opportunity)

Regulators are no longer content with “we’re investigating.” They expect demonstrable traceability, the ability to show, within hours, which systems are affected, how data flows and what remediation is underway.

In the EU Cyber Resilience Act, manufacturers must keep component inventories for 10 years and update them with every software modification. In the U.S., CISA’s 2025 guidance mandates a “generation context” whether an SBOM was created pre-build, during build, or post-build, recognising that accuracy changes across the software lifecycle. Back home, under Australia’s SOCI reforms, the Critical Infrastructure Security Centre can now compel entities to vary their risk programs if deficiencies threaten national security.

For CISOs, this translates to a fundamental shift:

“The regulator doesn’t just want proof of a control. They want proof that you know what you’re protecting, who owns it and how it impacts the business.”

This is where the traditional asset inventory model collapses. Static inventories are snapshots. Modern threats move in video.

From Compliance Artefact to Business Map

Leading organisations are already making the leap.

Instead of treating SBOMs as compliance artefacts, they’re embedding them into continuous threat and exposure management programs:

  • Automatically generating SBOMs at build-time in CI/CD pipelines.
  • Linking them to Configuration Management Databases (CMDBs) and ITSM platforms to maintain live service context.
  • Using CBOMs to map cryptographic dependencies and assess quantum-readiness.
  • Integrating SBOM feeds with SOC workflows to prioritise response based on business impact.

This transforms compliance into operational intelligence.

A simple example: When a new zero-day vulnerability emerges say, a critical flaw in OpenSSL, a mature SBOM ecosystem can immediately show:

“This library is used in three customer-facing services worth $75M in annual revenue. The patch is available. Ownership: Application Security Team B.”

That’s clarity. That’s leadership. That’s how a CISO earns trust at the board table.

The Risk of Standing Still

The cost of doing nothing is no longer hypothetical.

Last year alone:

  • 75% of organisations experienced a supply chain attack.
  • The average breach cost rose to US$4.88 million.
  • 40% of security leaders admitted they couldn’t trace a vulnerability to the exact business service it affected.

The hidden cost is credibility. When executives can’t give the board a precise answer in the first 24 hours of a breach, confidence erodes quickly. It’s not that the board expects perfection. They expect precision.

“The inability to articulate exposure is now as damaging as the breach itself.”

The 2025 Imperative: Real-Time Business Context

The future belongs to organisations that can move from compliance-driven visibility to context-driven resilience.

The question is no longer:

“Do we have an SBOM?” It’s: “Can we use it to explain our risk in business terms, right now?”

By 2027, SBOMs will be as routine as financial statements. But the organisations that thrive will be those that use them to align cybersecurity with enterprise performance, creating a living map that connects software components to services, owners and outcomes.

That’s not just compliance. That’s command of your digital business.

Practical Ways to Build and Maintain an SBOM

For those wondering what a functional SBOM actually looks like, it’s not a spreadsheet or static PDF. It’s a structured, machine-readable document (usually JSON or XML) built using standards like SPDX or CycloneDX. Both formats capture essential metadata about every component, its version, supplier, licence, dependency relationships and cryptographic fingerprints.

An SPDX entry might look like this:

Article content

And a CycloneDX SBOM for the same component might appear as:

Article content

SPDX is preferred where licence compliance and provenance matter (for example, in healthcare or defence contracts). CycloneDX, built by OWASP, is the format of choice for security automation, it links seamlessly with VEX data to identify which vulnerabilities are actually exploitable.

In practice, maintaining an SBOM doesn’t need to be painful. Modern CI/CD pipelines can generate and sign SBOMs automatically at build time:

Article content

This approach ensures every build artefact has a verified, timestamped inventory of what it contains the “gold standard” that regulators such as CISA and the EU CRA expect. When integrated with your configuration database or exposure-management platform, these SBOMs become living artefacts, continuously updated, cryptographically signed and ready to answer the board’s hardest question: “What’s in our software and what’s at risk?”

Final Thought: The Cartographers of Digital Risk

The role of the CISO is evolving, from technologist to cartographer. Your map isn’t just the network. It’s the relationship between code, service and consequence.

SBOMs and CBOMs aren’t bureaucratic paperwork they’re your compass in an increasingly regulated and volatile world.

Regulators, shareholders and customers tighten their expectations, the organisations that can translate what broke into what it means for the business will define the next era of cyber leadership.

“SBOMs are no longer about what’s in your software. They’re about knowing what’s at stake when something breaks.”