industry unlocked
Securing the supply chain

Because as we’ve seen, even in the most recent attacks, a lot of compromises come through the supply chain. Auditing them is one thing, but someone can say something on a questionnaire and you can’t be certain that it is accurate. You need to do a mixture of technical assessments and testing to verify the controls. But to a degree, you have to choose your battles because you’re not going to audit every single supplier you ever have from a technical standpoint. You need to look at basing this on a risk calculation and, based on what access they have to your data, network and system, you may choose to do a wider technical assessment against them, which is where pen testing services come into play.

Auditing the supply chain is one thing from a point of ‘here are the questions, answer them and tell me what your network security policy looks like’, all the standard things we see, which we can help with. But for me there’s also a technical element there as well, so I think it’s wise, based on the risk of the supplier in terms of what they have access to, if you validate from a technical standpoint that the technical controls are effective, or at least that there is evidence they’ve had that validation done. Asking for copies of their test reports etc. is a good thing to do.

Key message to CISOs

Think outside the box, almost ask that question: ‘when was the last time you walked around your office and actually took stock of all the technology you have in your location?’. Using the example of a coffee machine or a control system, a lot of CISOs have really great control and knowledge of what they have their arms around – typically the network and web application and things like that – but actually they should be looking further than that.
In terms of what they do have control of, the other point there is about making sure they have got a process and ultimately – and this is what I am passionate about – that there is a platform for managing that remediation cycle when they are having work delivered to them.

That’s a really key thing. It’s about making sure they do have a way to demonstrate improvement back to the business and ultimately an ROI.

The budgets will only stretch so far, but clearly if you are spending on testing – and there will be a line in pretty much every CISO’s budget for cybersecurity services, not least penetration testing – actually making sure they are driving real value out of that.

Then demonstrating that back to the business and being able to say, for example, ‘well, ok we invested US$50,000 and actually we found all these vulnerabilities, we’ve remediated them and have the evidence behind that to show that they are reducing their risk and security posture’.”
Issue 10 | www.intelligentciso.com