In the last twelve months it seems like supply chain attacks are on the rise—CCCleaner, Nyetya/NotPetya, Spectre and Meltdown, to name a few. Organizations need to plan for these types of attacks instead of hoping they won’t occur. To explore the subject further I spoke with Edna Conway, Cisco’s Chief Security Officer, Global Value Chain and someone who is on the front lines, mitigating third-party security risk across an ecosystem that includes tens of thousands of partners located around the globe.
What do you think is behind the apparent rise in supply chain attacks?
Digital transformation is expanding the scope of the third-party ecosystem. As that ecosystem grows, we’re seeing a corollary security impact. As organizations deploy integrated solutions, their security architecture must address the impact of the resulting expanded third-party ecosystem. We must determine if our third parties are meeting the same security standards we adhere to ourselves.
Exacerbating the complexity of securing this third-party ecosystem is the fact that organizations often have multiple relationships with one another. The lines between our roles as customers, suppliers and partners are blurred when addressing security. The solution is to drive an integrated way of approaching security across the value chain.
I hear you saying value chain instead of supply chain, what’s the distinction?
For Cisco the value chain is the entire third-party ecosystem supporting the end-to-end lifecycle of our offerings—whether hardware, software or service. The supply chain is a part of that overall value chain. Recognizing the tight integration with your value chain, requires organizations to move away from a traditional “us” and “them” mindset. In the digital world, there really is only a “we” and that has an impact on how we approach security.
What are some of the greatest challenges in dealing with security risk to the value chain?
The first challenge is understanding and embracing the diversity of third parties in your ecosystem. How you approach security risk will vary depending on whether that third party is a cloud service provider, or a transportation/logistics provider, or an OEM, or a reseller, etc. The next challenge is ascertaining exactly who is in your value chain and what they are doing. You need to know who is “touching your stuff”– virtually and physically. The exponential growth of IoT and connected devices within your value chain creates yet another challenge to driving a comprehensive approach to security across your value chain. Additionally, the proliferation of divergent ways of enforcing cybersecurity and intellectual property (IP) protection globally makes it difficult to converge on a unified approach to value chain security. Given our global value chains, a flexible and varied approach to security is essential.
Given these challenges, how can we approach value chain security risk mitigation?
To start, think comprehensively. We are seeing that happen in government guidance and industry standards. For example, NIST has incorporated into Version 1.1 of its Cybersecurity Framework the concept of what they refer to as “cyber supply chain [NIST’s term for value chain] risk management.” The energy industry in North America and Mexico has also been impacted by mandates requiring value chain risk management.
As organizations, we need to develop comprehensive, flexible value chain security architectures. Architectures designed to address the ecosystem’s diversity and allow its members to drive practical security for their unique businesses.
You’ve shared a lot of great insights. What are three to five tips for companies large or small to mitigate value chain security risk?
I’ll split the difference and boil it down to these four things:
1. Identify the key players in your third-party ecosystem and understand what they can do for you.
2. Develop a comprehensive and flexible security architecture that you can share with and deploy within your third-party ecosystem—make them your emissaries.
3. Assess if they are operating within your tolerance levels.
4. Actively participate in and influence the international security standards and industry guidelines with the goal of a common taxonomy and set of metrics that assure business alignment.
At the end of day, be at the table. Be a good partner in your community. And if you have an idea or opinion, speak it. It will serve us all well.
*Ednay Conway will be speaking about supply chain security at SecurityWeek’s 2018 ICS Cyber Security Conference, taking place Oct. 22-25, 2018 in Atlanta.