The Troublemaker CISO: Supply Chains and Disclosure
Security Director Ian Keller on How - and How Not - to Secure Your Supply Chain
The Erosion of Trust
The world is going to hell at a rapid pace, and the black hats are not exactly helping the situation. We have had one global event after another with companies of ever-increasing status being breached, to the extent that we now have a new attack vector called LOL.
I want to say that means "laugh out loud," but sadly it stands for "lay of the land" attacks. Essentially, the attacker exploits a vulnerability on your internet-facing software; nothing new here. But of late, these vendors are the ones you entrust to secure your systems and networks. No, I am not knocking them. But the software is built by people, and people are fallible.
This leads to the rapid erosion of trust, and organizations are now asking the question: How safe is my supply chain? - as if anyone would know. In this case, the supply chain referenced is the software you rely on and not your production facilities, but it might still apply. So on with it then.
How Safe Is My Supply Chain?
This question is asked at every level of the company. CISOs ask it because of the network security risk, CROs want to know because of systemic risk, CCOs want to know how production can be affected, and the board wants to know how all this affects the overall risk and potential share price.
To get an answer to the question, we all run to the procurement department and get them to send a questionnaire to everyone in the supply chain, asking them to disclose certain things, mostly stuff that - in my opinion - they have no business asking. Let me clarify.
Procurement, or whoever gets saddled with actually asking for this, goes onto the interweb and does a quick search for "supply chain compliance questionnaires," plagiarizes it and then sends a zero-value, 400-question document to all their suppliers - and they want it back the next day.
Because the word “security” is mentioned in the document, the unlucky recipient of this is again the CISO. Nine times out of 10 the request is for a ludicrous amount of information and most of it is not applicable to what the requester needs or wants to know.
This is a shotgun approach where we are requested to give all our policies, processes, standards and architectures to the customer, among a million other things. Now don’t get me wrong - I am all for giving assurance that the supply chain is safe and that we do our utmost to keep it that way, but the operational documents will not add any value in judging someone’s security posture. And right here I am opening a can of worms.
The only way to assess one’s security posture is to test it end to end. No document review on earth will give you that level of assurance. Add to this that no company will allow you to directly do such a test on them as it will affect their security and their levels of risk, which leads to more controls being asked on both sides of the supply chain. You can see the vicious circle that is emerging.
Companies want to satisfy the requirements of their customers, which implies that the accounts teams and business execs want to share everything with the customers because they pay so well. This is all good and fine, but one must not lose sight of the fact that most companies have more than one customer, so if you do it for one, you have to do it for all. And if you do, you might as well publish it all on your webpage for the world to see.
Then remember that before you can commit on your posture, you need to ensure that your supply chain can actually live up to expectation. This makes you ask the same questions and go down the same rabbit hole with all your suppliers.
Consider this before asking for or sending information out:
- Does the receiving company have your best interests at heart? Maybe they do.
- But can you really be assured that every single staff member is of the same opinion?
- And how will they protect your company data?
- How can you be assured of this?
- What would happen if all this leaks out?
- What does your contract actually say?
Send a Letter
In my opinion, you have an obligation to ensure that your supply chain is secured to the highest levels and that you should only share the absolute minimum data required to meet any objective - if you share anything at all.
What worked for me was to send an official letter, signed by an executive director and countersigned by me, stating that we are following the relevant industry best practices and that we have all the policies and procedures in place.
"Due to our contractual obligations to all our customers," the letter says, "we cannot share the information they are requesting, but they are welcome to come to our offices, where we will show them everything they want to see."
"They will not be allowed, however, to take photos or make copies or recordings, other than personal notes on what they see. They are also welcome to send in an independent audit firm to validate the findings, at their cost, post mutual agreement, and then they are only entitled to receive the executive summary of the document and none of the working papers or audit details."
Trust No One
This gives the assurance that things are working. Reading policies and procedures gives you zero value other than knowing that a company has policies in place; it makes it look like you worked your backside off but does nothing for your risk.
Keep in mind that this "assurance" still does nothing to secure the supply chain. Hackers will continue to dive into every single internet-accessible service, port and application, hunting like a velociraptor for the next zero-day, and we will only know of it after it has been found and exploited.
So, knowing that stuff happens and things go wrong, plan for that: build your defenses and operating model as if your supply chain is unreliable and, for heaven's sake, minimize what you make internet-accessible and trust no one.
Ian Keller, who is director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force’s Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.