Alan Levine, CISO at Alcoa (retired) and Advisor, Jason Lewkowicz, Global CISO, for Cognizant, Matthew Butkovic, Heinz College of Information Systems and Public Policy at Carnegie Mellon University, and Eris Symms, CISO for Arconic Corporation collaborated to answer viewer questions from our latest webinar, “The Race to Secure Your Supply Chain”. While most questions were addressed during the webinar, moderator Alan Levine subsequently provided additional insight. If you missed this webinar or would like to watch it again, you can view it below.
What we have done so far: (1) Revamped our third-party security questionnaire with more focus on our supplier’s third-party assessment process; (2) asked specific questions about who our 4th parties are, to build that inventory; (3) reviewed open source components that go into our products to ensure we are doing static and dynamic code analysis; and (4) embedded requirements into standard DPAs, agreements, etc. What else should we be doing?
Your question is complicated because you've included product security which, unfortunately, I can't speak to. You appear to be doing the right things.
One area that my team (Third Party risk management) is often asked for is to reach out to all of our suppliers and ask them about their plans to deal with a supply-chain attack (which are increasing in number). This is close to impossible given the hundreds of thousands of active suppliers we have on file. How do you deal with this mess?
A questionnaire approach is really all you can do. With myriad suppliers, you really can't get too high confidence.
Would moving towards a zero trust model and requiring supply chain participants to be ZT compliant reduce the threat to an acceptable level?
That would be great for the customer, but we couldn't very well require this of all suppliers.
Tools like CyberGRX and OneTrust exchange claim to have a pill to solve this problem of detecting problems early on but I am skeptical.
Everyone has a magic pill.
Legal contracts limit our ability to review, audit or assess our 4th, 5th parties and so on. What is the solution? Thoughts?
What the US government calls 'flow-down.'
Without a specific framework, what will be the basis for assessing their level of compliance to best practices or capabilities? How to ascertain basic hygiene?
You will probably not get more than an attestation, maybe a right to audit. The very point is that you can't even be sure of supplier basic hygiene.
How important would you consider threat intelligence when considering the ability to quickly respond to identified supply chain issues and follow vendor recommendations such as shutting down services?
Valuable, if the intelligence is current, clear, targeted, and actionable. We all need to be very nimble supply chain participants.
How do you force your supply chain providers to keep a good cyber security posture?
Unfortunately, you really can't.
What would your group consider some proactive safeguards to supply chain attacks? Is staying a revision behind on software (assuming it does not contain vulnerabilities) a reasonable response?
I don't think we ever want to be a version behind -- although a second dot release is ok. Start the conversation with your key suppliers and offer help if you can. They may return the favor.