In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed collaboratively by industry, buyers, users, and policymakers. Specifically, digitization demands that risk be addressed across a dramatically expanding supply chain. These risks include the security threats of manipulation, espionage and disruption of information and information systems and services.
Empirical reports reveal that the third party ecosystem remains a fundamental risk to the integrity of our information systems. For example, analysis of the last nine consecutive years of Verizon’s global Data Breach Investigation Reports illustrates that where breaches can be attributed, 73% arise from the third party ecosystem. Moreover, not only are we increasing the volume of third parties in our information systems supply chains, we continue to invite third parties into our security inner sanctums – our security enforcing technology. Cisco’s 2018 Annual Cybersecurity Report revealed that 79% of global enterprises and governments rely on at least 20 third party security vendors.
The message is clear: the cyber supply chain and its related third party risk must be addressed. These security risks must be tackled comprehensively across all stages of the supply chain, including design, software development, manufacturing and sustainment. In parallel, our procurement practices, policies and certification and validation schemas should also seek to mitigate the impact of this third party risk. Public-private partnership brings civilian, government and defense agencies together with private industry to develop meaningful recommendations to effectively mitigate third party risk. NATO has recognized and is actively addressing this challenge in coordination with its member nations.
I will tackle this very challenge in my upcoming keynote, “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” at NATO’s NIAS19 Conference in Mons, Belgium in October (https://nias19.com). I will share views on a path forward to meaningfully reduce risk across the increasingly broad and deep third party ecosystem upon which governments and enterprises around the world rely. I look forward to sharing the perspective that we simply must drive what I refer to as Pervasive Security: a layered approach that balances physical security, operational security, behavioral security, information security and security technology across the cyber supply chain, with the layers applied according to risk prioritization.
My discussion will build on NATO’s 2017 Technical and Implementation Directive on Supply Chain Security for COTS CIS Security Enforcing Products. I will also showcase a practical framework to identify, prioritize and mitigate the impacts of tainted and counterfeit information systems technology across the supply chain and its third party members.
One of NIAS19’s key themes is “supply chain security challenges”. To answer that theme directly, I will discuss tested, practical methods for addressing those challenges. After all, risk travels up and down the supply chain, so approaching supply chain security comprehensively is key to successful risk management. Fundamental steps to comprehensive security require that all supply chains:
1. Identify areas of potential impact, for example:
- Risks to continuity of supply of third party provided software, services, components and raw materials
- Natural disasters
- Geopolitical and economic disruption
- Workforce instability
- Financial volatility
- Weak infrastructure security
- Insufficient end-user risk awareness
2. Prioritize risk by both likelihood of occurrence and severity of impact
3. Establish criteria for mitigating security threats and reducing the impact of incidents
4. Collaborate with industry and government on policy, regulations and directives.
October is Cybersecurity Awareness Month! Join the conversation, as all of us are part of the global supply chain. For additional insight on this challenge visit Cisco’s Value Chain Security Capability.