Getting Real with the Supply Chain: From SBOM Data to Action
Session Abstract
500,000 SBOMs – that’s the scale of Deutsche Bahn’s software supply chain. How do we make sense of this as a small OSPO in a large non-IT organization? Our strategy: turn this data into actionable tasks. We’ll share practical learnings on prioritizing risks, applying sensible automated compliance, and considering ecosystem sustainability.
Session Description
The more insight we gain into our software supply chains, the more we face the challenge of acting on it. OSPOs must turn vast data into focused, meaningful decisions. This talk shares a risk-based framework we apply at Deutsche Bahn, designed to be broadly adoptable. It helps prioritize what truly matters: balancing compliance, governance, and sustainability.
We’ll discuss how we:
* manage regulatory obligations like CRA and NIS2 without overburdening teams
* set internal rules and automation that keep compliance practical
* identify real risks instead of chasing theoretical ones
* foster an open source culture across the organization, so that teams understand and participate in the communities they depend on
* include ecosystem health in our decisions
As a small virtual OSPO in a large non-IT company, we focus on pragmatic, incremental steps rather than perfect coverage. The session offers hands-on insights for anyone trying to make sense of large-scale SBOM data and turn transparency into responsible action.