The Three Supply Chain Tasks for a CISO

April 29, 2022

Managing supply chain security and mitigating attacks has become critical for Chief Information Security Officers (CISOs).

As we outline below, Interos has found three main tasks that CISOs must lead to protect their organization’s supply chain and improve overall visibility.

Incident Response – Dealing with a supply chain attack.

SolarWinds, Kaseya, Log4J, and other supply chain attacks have grabbed the headlines. A CISO must prepare for the next event without knowing its type, motive, or origin. SolarWinds had no cyber warning indicators before its major breach. Firewalls, agents, policies, and other traditional tools would not have prevented this type of attack, since the SolarWinds software already had complete access to the network.

CISOs need to determine whether they are at risk when these attacks happen. The traditional method for risk management is to send surveys to all suppliers and third parties. Unfortunately, since most CISOs do not have visibility into their supply chains, they must start from scratch. Ideally they have a third-party assessment tool, but often the CISO must get a list of suppliers from procurement, and that list usually covers only the first tier of suppliers. While waiting for the surveys to be completed and returned, the organization remains exposed to the threat. This means that the CISO cannot readily confirm to leadership that the threat has been mitigated, often for weeks or months.

The Interos operational resilience platform continually maps, monitors, and models an organization’s extended supply chain. When new attacks happen, Interos alerts customers so they can plan a response to the threat. It takes a few seconds to discover where the affected supplier resides within the supply chain and how it connects to the organization. A CISO using Interos can start mitigation efforts almost immediately, which shortens the time before they can confidently report to the C-Suite that the problem has been resolved.
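As an added illustration (not Interos code or data), the following Python builds a constructed multi-tier supplier graph and contrasts the tier-1 list check described above with a walk over the extended supply chain. The organization name "acme", all supplier names, and the dependency links are made up for the example.

```python
from collections import deque

# Constructed example supplier graph (not Interos data): each key lists the
# suppliers it directly depends on. "acme" is the organization being protected.
SUPPLY_GRAPH = {
    "acme": ["cloud-host", "erp-vendor", "logistics-co"],
    "cloud-host": ["dns-provider", "hw-maker"],
    "erp-vendor": ["build-tools-inc"],
    "logistics-co": ["telematics-ltd"],
    "build-tools-inc": ["ci-saas"],
    "telematics-ltd": ["ci-saas"],
    "dns-provider": [],
    "hw-maker": [],
    "ci-saas": [],
}

def tier1_exposed(graph, org, affected):
    """The traditional check: is the affected supplier on procurement's tier-1 list?"""
    return affected in graph.get(org, [])

def exposure_paths(graph, org, affected):
    """Every dependency chain from org down to the affected supplier (breadth-first
    over tiers). An empty result means the supplier is not in the extended chain."""
    paths = []
    queue = deque([[org]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == affected:
            paths.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # guard against cycles in supplier relationships
                queue.append(path + [dep])
    return paths

def exposure_report(graph, org, affected):
    """What the CISO can tell leadership: the tier-1 answer versus the full picture."""
    paths = exposure_paths(graph, org, affected)
    return {
        "affected": affected,
        "on_tier1_list": tier1_exposed(graph, org, affected),
        "in_extended_chain": bool(paths),
        "tiers": sorted({len(p) - 1 for p in paths}),
        "first_hop_suppliers": sorted({p[1] for p in paths}),
    }

if __name__ == "__main__":
    # A tier-3 supplier reached through two different tier-1 relationships.
    print(exposure_report(SUPPLY_GRAPH, "acme", "ci-saas"))
```

In the constructed data, "ci-saas" never appears on the tier-1 list, yet it sits three tiers down behind two separate direct suppliers, which is exactly the exposure a first-tier survey would miss.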

Proactive Assessment – Auditing the supply chain.

An unhealthy supply chain can cause tremendous problems for an organization.

The CISO’s role is to protect the organization, so they must understand the health and potential risks of their supply chain. Organizations should not trust a supplier with poor cyber hygiene. They should also look to replace any equipment supplier that has gone bankrupt or out of business. Even if the technology still works, the manufacturer can no longer provide updates and patches for future cyber vulnerabilities.

Continually assessing and monitoring the extended supply chain can be difficult or impossible without the proper tools. A CISO can lessen the damage from, or prevent, supply chain attacks if they know where to focus their efforts. However, most are blind to potential problem suppliers.

The Interos operational resilience platform continually assesses and monitors the extended supply chain, integrating six risk factors into a comprehensive score. A CISO can use this information to focus on the worst offenders in each category, getting the best result for their efforts. A CISO can also see whether suppliers are subject to US, UK, or EU sanctions or restrictions, which may cause business problems. With Interos, the CISO can be proactive and improve their supply chain’s health, reducing incidents and supplier churn in the future.

Supplier Onboarding

Vetting new suppliers for cyber risk is a task often given to CISOs. There is often pressure on the CISO to complete the assessment quickly when management has already deemed the new supplier acceptable. Since requests to vet a supplier arrive unpredictably, the work cannot be scheduled. Knowing that a new supplier is at high risk for cyber issues is critical to ensuring a company’s data security.

Getting information on a new supplier is traditionally done by sending them a survey or asking for the results of a recent SOC audit. The surveys often take a long time to complete and return. While a SOC audit is preferable in most cases, it can be costly to conduct.

The Interos operational resilience platform combines public and private data sources with one of the largest business relationship data lakes to build a viable picture of an organization in a few minutes. The CISO can enter the company name and create a helpful report without sending surveys and waiting for their return. The Interos analytics engine can provide insight into the supplier across all six risk categories, its location, and other relevant data. This approach can let a CISO know within a few minutes whether the supplier is bankrupt, is doing business in concerning areas, or has connections to questionable organizations. The Interos approach is standardized and repeatable without requiring a high level of supply chain expertise from the cyber analyst.

To see a demonstration of the Interos Operational Resilience platform, please go to https://www.interos.ai/resources/interos-product-overview/
