The multifaceted nature of modern supply chain risks was highlighted by Jon France, CISO for (ISC)², during (ISC)² Secure London this week.
France, who was appointed the first-ever CISO of (ISC)² earlier this year, emphasized that rapid digitization across all industries had significantly widened organizations’ threat landscape during COVID-19. “Speed can sometimes be the enemy of risk,” he noted, adding that most have still not gone through the necessary consolidation phase, ensuring these technologies are adequately protected.
“This gives the opportunity for attackers to go after the infrastructure that we put in our supply chain,” commented France. He also observed that the current Russia-Ukraine conflict has a “cyber fallout” in other sectors and geographies.
Securing growing supply chains is therefore increasingly challenging. France outlined the numerous facets of supply chain risk management.
Profiling the Cyber Chain
France said that understanding risk across a supply chain is “conceptually easy, practically difficult.” However, he advised that having clear contracts with suppliers is a good place to start, although that alone is insufficient.
It is also vital organizations understand precisely what and who makes up their supply chain ecosystem. Regarding technologies, France said this would be comprised of software, hardware, cloud, connectivity and data. In terms of actors, it will be traditional vendors, e.g., Microsoft, AWS, systems integrators and outsourced services, e.g., human resources.
Patching Vulnerabilities
France pointed out that “software is a great enabler, but also a risk.” He added that modern software is often built with frameworks and libraries that are not known or well supported. This is a particular problem when it comes to software used by suppliers.
France advised: “Be really careful about what you pick, how you pick and how you deploy it.” He advised using open-source software where possible, as it is easier to inspect. However, in the macro supply chain, organizations have no control over the software that suppliers are using. This makes it harder to ensure vulnerabilities are identified and patched.
Vigilance and Alerting
Organizations must be able to quickly ascertain when there is an issue in the supply chain. France said this is primarily achieved through two approaches: tooling to see when unusual activity occurs and building strong relationships with suppliers. “You should have a good relationship with your suppliers to understand what they’re going to do and how you can get hold of them,” he stated.
In addition, France argued organizations should be able to quantify risk across the supply chain. “Without being able to measure something, you can’t manage it.” He added that a significant number of tools can profile and provide risk scores.
Physical Dimensions
France also pointed out that physical dimensions can indirectly affect supply chain security. For example, the current shortage of silicon chips due to COVID-19 and geopolitical tensions will delay computer upgrades, thereby introducing more risk.
Regulatory Requirements
The growing number of cybersecurity regulations is another element organizations’ must be aware of regarding their supply chain risk management strategies. This is especially the case for critical national infrastructure (CNI) providers, as shown by recent regulations in the US like President Biden’s executive order and new legislation forcing CNI companies to report cyber incidents within 72 hours.
France concluded: “Supply chains are complex, longer than you think and multidimensional.” He then offered five tips for how organizations can strengthen their supply chain security:
- Profile your footprint
- Understand your key suppliers
- Contract carefully and be explicit
- Diversify your critical suppliers
- Conduct regular patching and maintain cyber hygiene