Intelligent CISO Issue 10 | Page 46

industry unlocked

Securing the supply chain

Auditing the supply chain is one thing from a point of ‘here are the questions, answer them and tell me what your network security policy looks like’, all the standard things we see, which we can help with. But for me there’s also a technical element there as well, so I think it’s wise, based on the risk of the supplier in terms of what they have access to, if you validate from a technical standpoint that the technical controls are effective, or at least that there is evidence they’ve had that validation done. Asking for copies of their test reports etc. is a good thing to do.

Because as we’ve seen, even in the most recent attacks, a lot of compromises come through the supply chain. Auditing them is one thing, but someone can say something on a questionnaire and you can’t be certain that it is accurate. You need to do a mixture of technical assessments and testing to verify the controls. But to a degree, you have to choose your battles because you’re not going to audit every single supplier you ever have from a technical standpoint. You need to look at basing this on a risk calculation and, based on what access they have to your data, network and system, you may choose to do a wider technical assessment against them, which is where pen testing services come into play.

Key message to CISOs

Think outside the box, almost ask that question ‘when was the last time you walked around your office and actually took stock of all the technology you have in your location?’. Using the example of a coffee machine or a control system, a lot of CISOs have really great control and knowledge of what they have their arms around – typically the network and web application and things like that – but actually they should be looking further than that.

In terms of what they do have control of, the other point there is about making sure they have got a process and ultimately – and this is what I am passionate about – that there is a platform for managing that remediation cycle when they are having work delivered to them. That’s a really key thing. It’s about making sure they do have a way to demonstrate improvement back to the business and ultimately an ROI. The budgets will only stretch so far, but clearly if you are spending on testing – and there will be a line in pretty much every CISO’s budget for cybersecurity services, not least penetration testing – actually making sure they are driving real value out of that. Then demonstrating that back to the business and being able to say, for example, ‘well, ok we invested US$50,000 and actually we found all these vulnerabilities, we’ve remediated them and have the evidence behind that to show that they are reducing their risk and security posture’.”