What can security professionals do differently to better manage supply chain risk?
I look back in my career and when I was a finance person in '93 in Intel's IT organization, I nationalized computing. And I built a supply-chain for hardware, software. Why? Because I was a finance guy. Inventory management is the only way to control cost. Well, when I circled back into security, luckily all of that was still there because everything funneled through the purchasing processes I had built eight years earlier. It wasn't perfect but I had 95% inventory management from the day I landed and it saved my ass. And then I pivoted from there, being a former finance and procurement guy and thinking about trust in supply-chain stuff even years ago, well before the whole third-party risk management stuff went out I started embedding third-party risk type stuff into the purchasing and financial controls. We had the whole notion that trust would become the attack surface and the thing you trusted the most was the thing that would make you most vulnerable, which then framed how we strategically really worried about things. Hell, when everybody was adamant about encryption, I was so flipping paranoid about the use of encryption. If we mismanage the key or somebody gets those keys, we're screwed. I was worried about ransomware in 2005/2006. Just with deployment of hard disk encryption and all that other stuff, because I'm like, "You get a rogue admin, somebody owns the box, you own this..." You could literally have created the ransomware events then, without even doing malware, if you just had the right aspects to the infrastructure and shut off certain things. I don't know where it's at, at Intel these days, but as I grew in that everybody always wanted to take away from me and I'm like, "No, I want to be the inventory manager because it will then give me the base of things." 
I still have debates with peers on that because they think of it as unglamorous but I go, "It's such a critical dependency to the role and if it's not being done right, take it over so that it can be done right. So, that you can then execute your role." I think that the whole third-party risk management approach is like doing a SOC 2, and it isn't sufficient. You go, "Okay, I've got some basic controls and I can answer some policy questions, but doesn't tell me that they know the risk issues and that they're managing them well." Which was why, when I was at Intel, when I was at Cylance, hell even at Cymatic, I go have a conversation with my peers at my critical vendors that could cause me substantial harm and then potentially my customers. The lawyers and compliance team might want all those questions and stuff like that, but I want to know my peer and go, "Can I trust you?" And you're going to answer my direct questions. And if there's any wishy-washiness, then I worry. This approach also allows you to take more risks. The riskiest technology in early adopters of technology should be the security team. Why? Because we're the risk manager so we should be the ones taking the risks ahead of everybody else so that we can figure out how to manage them before everybody else gets there. And instead, we create all these encumberments to innovation that then causes people to go around us, which means we're actually generating risk by slowing people down. And we should be the first mover. Run to the riskiest things first. Once you're there you can sort it before other people get there. It's completely counterintuitive to our DNA, which is to be risk-averse. We should be the biggest risk takers on technology because then we actually manage risk to our organization better.
I think that's what's going to happen more often. This is going to force us to get out of the checkbox mentality, get out of the paper-based audit that we're doing, and actually go a little bit deeper. Actually ask the hard questions about the operational security. "What's your OPSEC like? What's your governance process like?"
Yeah, and to be honest, I actually think it would cost us less because now we're not paying for a third-party management sub-software, somebody to scan things. I pick up the phone and I call... I'll give you an example, Cymatic uses Gusto for payroll. When I landed here I was like, "What the hell is Gusto? Never heard of the damn thing." I send a note in saying, "I want to talk to your Chief Information Security Officer, Chief Security Officer." They were like, "Huh?" And I'm like, "No, no, no. You're running my payroll. I'm going to have that dialogue." And I got bounced around a little bit so I went to the CEO and said, "I'm going to force us to shut you off unless I have a real dialogue with somebody that I know has competencies." I don't want your checklist, I want a discussion. I asked some very blatant questions and they made me feel comfortable enough. But that's just the way in which I approach it and I think it's more effective and, frankly, cheaper. Plus, then I have another peer relationship that I can rely on. If the person's a schmuck then you go, "I got a problem. I might just be dependent upon it but now I've got a different thing that I'm working," because you look at the competencies of the leadership, not just what's reported on a control checklist.

Develop a third-party risk program, ensure that your contracts hold your vendors accountable to specific controls or frameworks