Organizations Need to Establish Trust to Enhance Supply Chain Security

Learn more about developing trust in the supply chain

Enhancing the trust and security of the supply chain is on the minds of many a cybersecurity executive today, and will likely be a topic of interest and concern in the months and years to come.

It’s not surprising then, that the focal point of a recent RSA Conference virtual seminar was supply chain security. A panel held during the event covered the topic of establishing trust to enhance supply chain security, which is surely one of the more daunting challenges organizations face.

Participants noted that organizations need to make strides in improving supply chain security in conjunction with their partners.

“I don’t necessarily think that the way most of us [are] handling the trust and validation topic right now is sustainable,” said Joanna Burkey, CISO at HP. “Our current approach is very similar to a lot of enterprises, where we group any third party that we work with into a tier based on the risk that we have.”

The risk level is determined by factors such as the criticality of the service a partner is providing for HP and the sensitivity of the data the partner controls. Based on the tiers, “we expect a certain level of insight into their security program,” Burkey said. The contractual commitments between HP and a given partner are what determine the level of trust and comfort HP has in working with that partner, she added.

This approach works, Burkey said, “but the part in there that I feel like is going to adapt as we go into the future is you cannot document everything in a contract, and if you try it’s untenable. So I really see a future where we’re going to become less bound to specificity in contracts and more centered around both parties committing to do their best [to be secure] within certain guardrails.”

HP has a complex supply chain, purchasing products from a variety of suppliers—including open source software—and then providing its own products and services to customers. Those consumers are then using the products HP builds as well as the components it procures from its suppliers.

Another company with a complex supply chain is Kyndryl, a provider of IT infrastructure services. “There’s a lot of fragility associated with the supply chain, both what we are ingesting and running ourselves as well as what we’re offering to our customers,” said Kris Lovejoy, global security and resiliency practice leader at Kyndryl. “It’s a very complex situation—and dynamic.”

A fundamental principle of risk management is that if you can’t measure it you can’t improve it, Lovejoy said. But the measurements need to be the right ones, not just whether a vendor/supplier is compliant or non-compliant with a contract.

Companies need to be more proactive in engaging with and understanding the technical controls in place for a secure supply chain, Lovejoy said. “The attack surface has increased absolutely dramatically, and we are all digesting technology in lots of different ways from third-party vendors, in ways that we’re really not thinking about,” she said. “A lot of the technology that we are digesting today has not been adequately secured.”
