Do you think the SolarWinds breach will have a significant or lasting impact on how IT approaches supply chain risk management?


Board Member, Advisor, Executive Coach in Software, Self-employed
I was pulled into a wide variety of peer dialogues from the day that the SolarWinds breach discovery occurred, because of my time at Intel and stuff that I had done there in supply-chain risk. My concern, when I was Chief Security and Privacy Officer at Intel, was always a nation-state actor looking to weaponize the technology that Intel created, to do harm. I always saw information security as inextricably linked to the product security and the technology. I think the SolarWinds issue is a clear example of that linkage. I've been at odds with a number of my peers in the industry who still see them as quite separate. Now it's probably a little bit different, but many of them had InfoSec completely separated from product security and they very rarely intertwined themselves. And Intel, as I said, had this in their environment. When you think about that in firmware, BIOS, validation engineers doing that type of stuff, it brings into question some aspects of the foundation of computing. Because if they were in Intel's infrastructure, if that report was accurate, and they did have a foothold, if it was that type of nation-state actor, they would be trying to do things more surreptitiously, well below the operating system, to keep stronger footholds in other organizations. I think it's a Richter 10 type item, but I've always seen this as a Richter 10 type item. I'm just, frankly, surprised that it took this long for this type of thing, at that level of infrastructure, to be found. And I'm sure it's not the first one. I'm sure there are other ones that are there that are yet to be found.
CISO in Finance (non-banking), 501 - 1,000 employees
I think the biggest concern that's coming out of this is where do we go from here? If JetBrains is compromised, SolarWinds is compromised, who do we trust? And if you're also going to assume breach, that's fine, but assuming breach also means you are still dependent on technology, and how do you cross-check each other? There are a number of questions that come to my mind. I believe the supply chain is definitely going to get scrutinized more. It started with the whole Home Depot and Target event; that's where the whole genesis of the TPRM efforts at firms started off. It spun off a whole big industry over there. It's just going to change the dynamics a little bit for the practitioners who are trying to get a little ahead of it. It's going to result in a few more barriers being put up, a little bit more due diligence will be needed, which in turn is going to impact the cost of the products that come in, either from the vendor side or from the implementation side.
Managing Partner & CISO in Software, 11 - 50 employees

Every security leader, let's say they had a $130 million budget and SolarWinds happens. They go back to the CFO and the executive leadership team, and they're going to say, "Hey, listen. This is a new emerging thing, supply-chain risk." Is the CFO going to give them more money? I would say no. They would say, "Hey, you have a ton of money, go figure out how to do that." And then the CISO has to say, "I'm going to spend less on this to go focus on that." I just don't see the actual prioritization happening, unless the organization reallocates new funding for it.

CISO in Finance (non-banking), 501 - 1,000 employees

Or the business changes priority on what it wants to get accomplished. If it's fundamental to the business, if reputational damage is fundamental to the business, then the business is going to do what it needs to do to protect its reputation. If it means they have to slow down some of their efforts to try and get a handle on it, they will. There might not be additional funding, but there will definitely be reprioritization. But I think, in the long run, what's going to happen out of this is, the scrutiny on the vendors is going to go up. It's going to cost the young startups that want to establish themselves in the industry; the cost of acquiring business is going to go up. I once worked with a young endpoint solution startup. They really were good at what they were doing. We said, "Okay, let's go do a site visit of your offices, let's see what's going on." This is a company that already had 60 logos to it, and some big financials on top of that. But we went there and they didn't even have basic AV in place, forget firewalls and basic governance processes. I think the free lunch that startups had of, "Let's just get the logos in. Let's not worry about the infrastructure and security, governance, etc." might be under a little bit of scrutiny now.

Chief Information Security Officer in Healthcare and Biotech, 501 - 1,000 employees

We had a similar experience with a startup where the kind of operational controls they had did not even meet due diligence requirements. Let's say they have soft tools and all the relevant standards. There's another component that we have to think about, in terms of how effective they are operationally and if they have the right safeguards in place. We ended up declining them and choosing somebody else just because they lacked very basic controls. And I think this is where the checkbox thing really is overkill sometimes. You have so many things that you are kind of ticking over, but when it comes to the heart of it, you don't really have the right measures in place. And that's a risk that we have to focus on.

Chief Information Security Officer in Healthcare and Biotech, 501 - 1,000 employees
In healthcare, it's a pretty complex ecosystem we're working with. We have to deal with network partners, channel partners, pretty much everybody who's trying to integrate into the platform that we currently operate in. And the whole digital transformation itself is a foreign concept for a lot of vendors we work with. So I think the concept of what level of access they have into our existing systems and also how we track them, that's still a risk at this point and that's something that we're tracking. But also, when we're talking about how much control we have, like for example if there's a third-party risk in this case, so somebody from our vendor ecosystem is compromised, it really depends on how much control they have and what access they have into our environment. As an industry, we rely heavily on the vendors, on a lot of things. I think that's the economies of scale and I think that's, organically, the structure that's been built into the fabric of the whole vendor ecosystem. But I think the one thing we were thinking about is, "How do we maybe draw the demarcation a little further out so we have better control?" Like some kind of an abstraction where we have better control in terms of what's being managed and what's being accessed. And also, the secret management is a big piece. Especially having access into the healthcare system and the PHI is a big deal, and very heavily regulated too. Our control can only go so far today and I think that one thing we're thinking about is how to extend that. You get access to some kind of a proxy network or an abstraction framework and then you would get access into something which is more trustworthy, into the systems. But again, this is all not yet built out. This is just a concept at this point. But just extending that trust into something we can control is certainly going to be a big thing, not just for healthcare. I think across the industry we just need to take more control of how these assets are being managed.
Managing Partner & CISO in Software, 11 - 50 employees
The levers that drive behavior in cyber and in tech are compliance and regulators, or revenue components related to share price or market access. And if it's not one of those levers, I don't think it actually will be impactful and drive a first-principles change for how security leaders will function. Because what they're going to say is… The board asks them, "Hey, what are we doing? Are we good?" And they'll be like, "Yeah, SolarWinds was crazy." "Okay, so you're telling me that we've been giving you all of this money for budget and, as an expert, you didn't think about the totality?" And like, "No, no, no, no, no. We were definitely focused on the highest priorities." "Oh, okay cool. So we don't need to reprioritize things for SolarWinds?" It was either you were negligent as a security leader or this truly was something that nobody could've expected. But the average layperson would look at this and be like, "Man, the IT infrastructure that runs most of the IT monitoring for the... Yeah, I could see that as being a target for a nation-state, theoretically. I don't have to be crazy smart to do that." So, the security leader is going to say, "No, no, no. In our prioritizing of the highest risk, we're not pivoting the program. We're just going to manage that a little bit differently, pay a little more attention here," which is not actually indicative of driving behavior.
Board Member, Advisor, Executive Coach in Software, Self-employed

Yeah, and/or they have a dialogue because they didn't know and maybe the CIO wasn't fully cognizant. So the other thing becomes, where's the CIO in this equation? Particularly if it was across their entire environment or even just critical components of their environment... I agree with you, Anthony. I have those types of dialogues all the time. Now, the thing that you talked about on the financial side of it, that's kind of interesting. If I'm losing money... It's fairly easy to spend money to get a return if you can see that I spend $100 and I save $1000 in losses. I've been in the retail environment and managed many department stores. I managed to maximize net income by losing 2%. Two percent bad debt is how I maximized the P&L. Acceptable, 2%. I would play with the credit controls daily, to maximize. If we were light on revenue and bad debt was a little low, I let credit flow. And then I'd deal with the bad debt later and then tighten things down. It was this constant thing to maximize net income.

Managing Partner & CISO in Software, 11 - 50 employees

That's exactly it. When I was at Capital One, Capital One had its cyber breach and all that stuff, and I had left shortly before. And I ran operations and intelligence there. Capital One, as an example, wrote off $2 billion in loss annually. Two billion dollars, just, "Hey, we don't care. People just aren't going to pay. Whatever." And it was a hard-line requirement in the board charter that if it was not a $350 million impact, if an event didn't cross $350 million of impact, the board didn't want to hear about it.

Board Member, Advisor, Executive Coach in Software, Self-employed

Yes, it wasn't material.

CIO in Education, 1,001 - 5,000 employees
There's plenty of content already on this thread, but in short, yes, there will definitely be significant and lasting impact.
