Am I Responsible for Supply Chain Security?


Posted on by Charlie Jones

The most frequent question I get when discussing supply chain security is: who should be responsible for overseeing it? While it is easy to point fingers at the CISO in the event of a vendor security breach, the decision chain leading to any exposure likely involved a variety of stakeholders who sit outside of the security function. As a result, it is vital that organizations clearly define the division of responsibilities for identifying and managing this risk.

Richard Horne, PwC’s UK Cyber Chair, has found that this is not a new issue amongst business leaders. Cyber risk is a challenging concept to grasp because it cuts across so many different business units and risk domains. In a recent blog he states, “while it is right to consider cyber risk as a risk to be managed in its own right, it also needs to be embedded in the management of many other risks that an organization considers.”

The divergence between an organization's recognition of the risk imposed by inadequate security of vendor products and services, and its willingness to assign budget and resources to manage it, was captured in the European Union Agency for Cybersecurity (ENISA)’s recent report on the topic. Specifically, ENISA highlights the following issues:

● 58 % of CEOs feel their partners and suppliers are less resilient than their own organization.
● Less than half (47 %) of the surveyed organizations in the EU have allocated budget for ICT/OT supply chain cybersecurity.
● Less than a quarter (24 %) of the surveyed organizations have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.

My employer, ReversingLabs, has come across a similar phenomenon in the software supply chain. In a recent survey, nearly all respondents (98%) recognized that software supply chain issues pose a significant business risk, but only six out of 10 felt their software supply chain defenses were up to the task.

This raises the question: if you sit outside of the CISO remit, where can you begin to understand how the cyber risk presented by third-party products and services impacts your function? Additionally, what are your responsibilities to help effectively manage it? In an effort to bring clarity to this disconnect, I have posed a number of probing questions that key stakeholders from across the business can ask to get clarity on this topic, using the procurement of software as an example use case:

Security:
- How does the procurement of another software product or service impact my attack surface?
- Do I have a process and tooling to support the response to “celebrity vulnerabilities” (e.g. Log4J) found in commercial software in an efficient and targeted manner?
- Can I identify sophisticated threats (e.g. malware, behavioral tampering, digital signature manipulation, etc.) in the commercial software I procure?

Procurement:
- How do we verify that we are buying a quality software product or service?
- Do we consider the results of pre-contract software security testing when making procurement decisions?

Legal:
- Do the outputs of our third party risk assessments drive contractual terms and the inclusion of specific security clauses to mitigate the risks identified during evaluation?
- Do we have software escrow agreements that would enable business resilience in the event of vendor failure/insolvency?

IT:
- Can we identify if future software releases (e.g. hotfixes, patches) from the vendor have been tampered with?
- Do we have a process and tooling to coordinate the isolation and removal of software from our IT estate if an active threat is identified?

Operations:
- Do the software products we consume support important business services whose disruption would significantly impact our business resilience?
- Are the components and dependencies which make up the software product currently supported and maintained? Or have any of them reached end of life or end of service?

Compliance:
- Are the security assurance activities that we perform over software sufficient to address our regulatory requirements (e.g. EU Digital Operational Resilience Act, EU Cyber Resilience Act)?
- Do any components that make up the product/service we consume originate from a country that we are restricted from doing business in?

Internal Audit:
- Do we have confidence in the completeness and accuracy of the software bills of materials (SBOMs) we have collected for the commercial software we consume?
- Do we require our software vendors to align with a consistent set of policies that are specific to the risk presented by software?

Third Party Risk Management:
- Do I have a complete inventory of suppliers that includes software vendors and describes the products/services that they provide?
- Do traditional “pen and paper” vendor evaluation methods provide me enough security assurance over software that I consume?

Recognizing that a lack of communication exists between key functions is the first step towards building a more robust program to limit the impact of a supply chain attack. It all starts with understanding your role in protecting the business. So don’t wait, start asking questions!

Contributors
Charlie Jones

Director of Product | Supply Chain Security, ReversingLabs


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
