Select Page
Our Supply Chain Panelists Answer Your Questions

Our Supply Chain Panelists Answer Your Questions

CISO Interviews, Featured

Alan Levine, CISO at Alcoa (retired) and Advisor, Jason Lewkowicz, Global CISO, for Cognizant, Matthew Butkovic, Heinz College of Information Systems and Public Policy at Carnegie Mellon University, and Eris Symms, CISO for Arconic Corporation collaborated to answer viewer questions from our latest webinar, “The Race to Secure Your Supply Chain”. While most questions were addressed during the webinar, moderator Alan Levine subsequently provided additional insight. If you missed this webinar or would like to watch it again, you can view it below.

What we have done so far: (1) Revamped our third-party security questionnaire with more focus on our supplier’s third-party assessment process (2) asked specific question about who are our 4th parties to build that inventory (3) reviewed open source components that go into our products to ensure we are doing static and dynamic code analysis and (4) embedding requirements into standard DPA, agreements etc. What else should we be doing?

Your question is complicated because you've included product security which, unfortunately, I can't speak to. You appear to be doing the right things.

One area that my team (Third Party risk management) is often asked for is to reach out to all of our suppliers and ask them about their plans to deal with a supply-chain attack (which are increasing in number). This is close to impossible given the hundreds of thousands of active suppliers we have on file. How do you deal with this mess?

A questionnaire approach is really all you can do. With myriad suppliers, you really can't get too high confidence.

Would moving towards a zero trust model and requiring supply chain participants be ZT complaint reduce the threat to an acceptable level?

That would be great for the customer, but we couldn't very well require this of all suppliers.

Tools like CyberGRX and OneTrust exchange claim to have a pill to solve this problem of detecting problems early on but I am skeptical.

Everyone has a magic pill.

Legal contracts limit our ability to review, audit or assess our 4th, 5th parties and so on. What is the solution? Thoughts?

What the US government calls 'flow-down.'

Without a specific framework, what will be the basis for assessing their level of compliance to best practices or capabilities? How to ascertain basic hygiene?

You will probably not get more than an attestation, maybe a right to audit. The very point is that you can't even be sure of supplier basic hygiene.

How important would you consider threat intelligence when considering the ability to quickly response to identified supply chain issues and follow vendor recommendations such as shutting down services?

Valuable, if the intelligence is current, clear, targeted, and actionable. We all need to be very nimble supply chain participants.

How do you force your supply chain providers to keep a good cyber security posture?

Unfortunately, you really can't.

What would your group consider some proactive safeguards to supply chain attacks? Is staying a revision behind on software (assuming it does not contain vulnerabilities) a reasonable response?

I don't think we ever want to be a version behind -- although a second dot release is ok. Start the conversation with your key suppliers and offer help if you can. They may return the favor.

If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.


Stagehand: S1 Episode 8

Stagehand: S1 Episode 8

Carl Timmons was given 24 hours to decide what he wanted to do. This was a tactic. Twenty four hours to sit alone and think about all the money he could want and the price he’d pay for it. And 24 hours to also contemplate what Andre Savin might do to him before he...

Stagehand: S1 Episode 7

Stagehand: S1 Episode 7

Andre Savin and Lincoln Palmer had met on several occasions and had the type of relationship you’d expect between two men of their standings on the billionaire scale. Contemptuous but also understanding. They were both driven by the same desire—access to...

Stagehand: S1 Episode 6

Stagehand: S1 Episode 6

Belfast, New York - 1889 They called him The Boston Strong Boy—arguably the first real boxing star and one of the highest paid athletes of his time.  He’d always been good at school. He attended Boston College where his parents thought he might pursue a life in the...

What Is Zero Trust Anyway?

What Is Zero Trust Anyway?

About three minutes into planning this post, I had one of those “god, I am old” moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a big 3 working for the U.S. government through one of the world’s...

Stagehand: S1 Episode 5

Stagehand: S1 Episode 5

Kuwait, 1990 I’m launched out of a submarine a few miles off the coast of Kuwait City. When I swim to shore, I quickly change into my dry land clothes—a full burka. I was a six-foot-one Marine posing as a good Muslim woman. The catch, beneath the modest...

Our Sponsors

Share This