
To Mitigate Third-Party Security Risk, Be at the Table

In the last twelve months supply chain attacks appear to be on the rise: the trojanized CCleaner installer, Nyetya/NotPetya (seeded through a compromised software update), and the Spectre and Meltdown CPU flaws whose remediation depended on a long chain of hardware and software vendors, to name a few. Organizations need to plan for these types of attacks instead of hoping they won’t occur. To explore the subject further I spoke with Edna Conway, Cisco’s Chief Security Officer, Global Value Chain, and someone who is on the front lines, mitigating third-party security risk across an ecosystem that includes tens of thousands of partners located around the globe.

What do you think is behind the apparent rise in supply chain attacks? 

Digital transformation is expanding the scope of the third-party ecosystem. As that ecosystem grows, we’re seeing a corollary security impact. As organizations deploy integrated solutions, their security architecture must address the impact of the resulting expanded third-party ecosystem. We must determine if our third parties are meeting the same security standards we adhere to ourselves.  

Exacerbating the complexity of securing this third-party ecosystem is the fact that organizations often have multiple relationships with one another. The lines between our roles as customers, suppliers and partners are blurred when addressing security. The solution is to drive an integrated way of approaching security across the value chain.

I hear you saying value chain instead of supply chain, what’s the distinction? 

For Cisco the value chain is the entire third-party ecosystem supporting the end-to-end lifecycle of our offerings—whether hardware, software or service. The supply chain is a part of that overall value chain. Recognizing the tight integration with your value chain requires organizations to move away from a traditional “us” and “them” mindset. In the digital world, there really is only a “we,” and that has an impact on how we approach security.

What are some of the greatest challenges in dealing with security risk to the value chain?

The first challenge is understanding and embracing the diversity of third parties in your ecosystem. How you approach security risk will vary depending on whether that third party is a cloud service provider, or a transportation/logistics provider, or an OEM, or a reseller, etc. The next challenge is ascertaining exactly who is in your value chain and what they are doing. You need to know who is “touching your stuff,” virtually and physically. The exponential growth of IoT and connected devices within your value chain creates yet another challenge to driving a comprehensive approach to security across your value chain. Additionally, the proliferation of divergent ways of enforcing cybersecurity and intellectual property (IP) protection globally makes it difficult to converge on a unified approach to value chain security. Given our global value chains, a flexible and varied approach to security is essential.

Given these challenges, how can we approach value chain security risk mitigation?

To start, think comprehensively. We are seeing that happen in government guidance and industry standards. For example, NIST has incorporated into Version 1.1 of its Cybersecurity Framework the concept of what they refer to as “cyber supply chain [NIST’s term for value chain] risk management.” The energy industry in North America and Mexico has also been impacted by mandates requiring value chain risk management.

As organizations, we need to develop comprehensive, flexible value chain security architectures. Architectures designed to address the ecosystem’s diversity and allow its members to drive practical security for their unique businesses. 

You’ve shared a lot of great insights. What are three to five tips for companies large or small to mitigate value chain security risk?

I’ll split the difference and boil it down to these four things:

1. Identify the key players in your third-party ecosystem and understand what they can do for you.

2. Develop a comprehensive and flexible security architecture that you can share with and deploy within your third-party ecosystem—make them your emissaries.

3. Assess if they are operating within your tolerance levels.

4. Actively participate in and influence the international security standards and industry guidelines with the goal of a common taxonomy and set of metrics that assure business alignment. 

At the end of the day, be at the table. Be a good partner in your community. And if you have an idea or opinion, speak it. It will serve us all well.

Edna Conway will be speaking about supply chain security at SecurityWeek’s 2018 ICS Cyber Security Conference, taking place Oct. 22-25, 2018 in Atlanta.
