Cyber Supply Chain Risk Management: No Silver Bullet

The webcast, hosted by Shane McCrae from the Software Engineering Institute (SEI), introduces the topic of cyber supply chain risk management. The session aims for interactivity, encouraging audience questions via YouTube chat. The featured speaker is Brett Tucker, a technical manager at SEI, who specializes in improving security and resilience in critical infrastructure. Brett also holds a faculty position at CMU. The discussion emphasizes the importance of supply chain risk management in cybersecurity, referencing recent incidents like SolarWinds and highlighting the need for organizations to understand and secure their assets and dependencies.

This paragraph delves into the significance of supply chain visibility and the role of executive governance in cybersecurity. Brett Tucker explains that supply chain risk management is not a new concept, but recent events have heightened awareness. Organizations must consider the security of their suppliers and the potential impact on their operations. The discussion starts at the strategic level, emphasizing the need for top-down commitment to risk exposure management within the supply chain. Brett also mentions the importance of understanding an organization's policies and expectations of its providers.

Brett Tucker discusses executive education programs at CMU's Hines College, which are designed to train executives to handle various risks, including supply chain risks. He highlights programs for Chief Risk Officers, Chief Information Security Officers, and Chief Information Officers, all of which address supply chain risk management. These programs aim to instill a comprehensive understanding of risk management strategies and the importance of supply chain security in building a resilient organization.

The conversation explores the idea that there is no single solution to secure an organization's supply chain. Brett explains that a multi-layered defense approach is necessary, similar to a risk portfolio in cybersecurity. He emphasizes the importance of having multiple safeguards and being prepared for incidents. The discussion includes the need for asset inventory, understanding third-party providers, and the concept of defense in depth to protect against potential supply chain threats.

Brett Tucker discusses the role of Software Bill of Materials (SBOM) in documenting the components of software or hardware, akin to a list of ingredients in a cake. He mentions various standards like SPDX, Cyclone DX, and SWID tags that help in creating SBOMs. Brett explains the importance of understanding the depth of ingredients and the balance between knowing everything about a product and the resources required to mitigate every potential risk.

The paragraph addresses the time and cost implications of implementing supply chain risk management programs. Brett Tucker比喻 the process to a marathon rather than a sprint, emphasizing the ongoing nature of supply chain management. He outlines the fundamental pillars for such programs, including governance, policy documentation, and the importance of a team approach involving various stakeholders within an organization.

Brett introduces the concept of building resilience in organizations, referencing the SEI's Resilience Management Model (RMM) as a starting point. He discusses the importance of preparing for incidents by understanding the impact of supply chain disruptions and having contingency plans. The conversation covers the two-way communication with suppliers and the need for honesty and trust in these relationships to ensure preparedness for potential disruptions.

This section explores how organizations can measure their resilience and performance in the face of supply chain disruptions. Brett mentions metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as ways to test an organization's ability to recover from an incident. He also talks about the importance of stress testing and sensitiv analysis to understand the impact on the supply chain and the need for contractual agreements that ensure suppliers meet expectations.

Brett provides guidance on where to find resources and guidelines for supply chain risk management. He references NIST publications, the Cybersecurity Maturity Model Certification (CMMC), and Executive Order 14028 on software supply chain security. Brett also mentions an upcoming request for information on open-source software from the Office of the National Cyber Director, encouraging participation in shaping government priorities.

The paragraph announces an upcoming in-person supply chain risk management symposium hosted by SEI on February 28th in Arlington, Virginia. Brett mentions the event will attract professionals from both public and private sectors and that there are opportunities for speakers. He assures that attendees will receive information on registration and how to get involved in the symposium.

Brett shares his best advice on where to start with supply chain risk management, emphasizing the importance of governance. He stresses the need for top-down leadership to set expectations and ensure that risk-based decisions are made consistently across the organization. Brett also discusses the importance of having a program in place that is resourced and fueled by advocacy to ensure that supply chain risks are managed effectively.

The final paragraph discusses the availability of tools to aid in supply chain risk management. Brett mentions the OCTAVE Framework and other tools like Fair and OCTAVE that help in dissecting risk and making informed decisions about control selection. He highlights the importance of using these tools to ensure a good return on risk investment and to protect the organization from potential threats.

In closing, Brett mentions that the SEI is always looking for professionals interested in quantitative approaches to understanding risk exposure in organizations. He expresses interest in mathematical methodologies to measure control efficacy and the performance of supply chain risk management. Brett invites anyone interested in research or job opportunities to get in touch for potential collaboration.