Our Supply Chain Panelists Answer Your Questions

CISO Interviews, Featured

Alan Levine, CISO at Alcoa (retired) and Advisor; Jason Lewkowicz, Global CISO for Cognizant; Matthew Butkovic, Heinz College of Information Systems and Public Policy at Carnegie Mellon University; and Eris Symms, CISO for Arconic Corporation, collaborated to answer viewer questions from our latest webinar, “The Race to Secure Your Supply Chain”. While most questions were addressed during the webinar, moderator Alan Levine subsequently provided additional insight. If you missed this webinar or would like to watch it again, you can view it below.

What we have done so far: (1) revamped our third-party security questionnaire with more focus on our supplier’s third-party assessment process; (2) asked specific questions about who our 4th parties are, to build that inventory; (3) reviewed open source components that go into our products to ensure we are doing static and dynamic code analysis; and (4) embedded requirements into standard DPAs, agreements, etc. What else should we be doing?

Your question is complicated because you've included product security which, unfortunately, I can't speak to. You appear to be doing the right things.

One area that my team (Third-Party Risk Management) is often asked for is to reach out to all of our suppliers and ask them about their plans to deal with a supply-chain attack (which are increasing in number). This is close to impossible given the hundreds of thousands of active suppliers we have on file. How do you deal with this mess?

A questionnaire approach is really all you can do. With myriad suppliers, you really can't get too high confidence.

Would moving towards a zero trust model and requiring supply chain participants to be ZT compliant reduce the threat to an acceptable level?

That would be great for the customer, but we couldn't very well require this of all suppliers.

Tools like CyberGRX and OneTrust exchange claim to have a pill to solve this problem of detecting problems early on but I am skeptical.

Everyone has a magic pill.

Legal contracts limit our ability to review, audit or assess our 4th, 5th parties and so on. What is the solution? Thoughts?

What the US government calls 'flow-down.'

Without a specific framework, what will be the basis for assessing their level of compliance to best practices or capabilities? How do you ascertain basic hygiene?

You will probably not get more than an attestation, maybe a right to audit. The very point is that you can't even be sure of supplier basic hygiene.

How important would you consider threat intelligence when considering the ability to quickly respond to identified supply chain issues and follow vendor recommendations such as shutting down services?

Valuable, if the intelligence is current, clear, targeted, and actionable. We all need to be very nimble supply chain participants.

How do you force your supply chain providers to keep a good cyber security posture?

Unfortunately, you really can't.

What would your group consider some proactive safeguards to supply chain attacks? Is staying a revision behind on software (assuming it does not contain vulnerabilities) a reasonable response?

I don't think we ever want to be a version behind -- although a second dot release is ok. Start the conversation with your key suppliers and offer help if you can. They may return the favor.

If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.
