Cyber Supply Chain Risk Management: No Silver Bullet
TLDRThe SEI webcast, hosted by Shane McRae, discusses cyber supply chain risk management with Brett Tucker, emphasizing the importance of understanding and securing an organization's supply chain. Tucker highlights the need for executive governance, strategic planning, and robust policies to manage third-party risks. The conversation covers the significance of SBOMs, the challenges of risk assessment, and the importance of resilience planning. The webcast also promotes an upcoming supply chain risk management symposium and encourages participation.
Takeaways
- π Cyber supply chain risk management is a critical concern due to high-profile incidents like SolarWinds and Log4j, which have highlighted the vulnerabilities of depending on third-party providers.
- π Organizations need to start with a top-down approach to supply chain risk management, emphasizing the importance of executive governance and strategic direction to address risk exposure.
- π The visibility into an organization's supply chain is crucial, which includes understanding the assets, threats, and policies of suppliers and service providers.
- π Executive education programs, such as those at Heinz College, CMU, are available to train professionals in managing various risks, including supply chain risks.
- π« The concept of a 'no Silver Bullet' approach in supply chain risk management means that multiple layers of defense and controls are necessary to mitigate risks effectively.
- π The importance of Software Bill of Materials (SBOM) is highlighted as a tool to document the ingredients of software products, similar to a recipe, to understand and manage risk.
- β± Implementing a supply chain risk management program is a marathon, not a sprint, requiring ongoing commitment and adaptation to changing risks and dependencies.
- π Communication and trust are key in managing supply chain risks, necessitating clear and open dialogues between organizations and their suppliers.
- π‘ Building resilience in an organization involves preparing for and responding to incidents, including having backup plans and understanding the potential impact of supply chain disruptions.
- π Metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are important for measuring an organization's preparedness and ability to recover from disruptions.
- π There is a wealth of information and guidance available from sources like NIST and the federal government to assist organizations in managing supply chain risks, including standards and executive orders.
Q & A
What is the primary focus of the SEI webcast on cyber supply chain risk management?
-The primary focus of the webcast is to discuss the importance of managing risks in the cyber supply chain, emphasizing the need for organizations to understand and secure their dependencies on external suppliers and services.
Why is supply chain risk management a significant concern in cybersecurity?
-Supply chain risk management is a significant concern in cybersecurity because incidents like SolarWinds and LongforJ have highlighted how vulnerabilities in the supply chain can be exploited to compromise critical infrastructure and assets.
What is the role of Brett Tucker in the SEI?
-Brett Tucker is the technical manager of cyber risk and dessert division at the SEI. He is responsible for research and development focused on improving the security and resilience of the nation's critical infrastructure and assets, with a specific focus on risk management and resilience.
How does an organization gain visibility into its supply chain?
-An organization gains visibility into its supply chain by starting with a strategic approach at the top level, setting the tone for risk exposure management, and then working down to establish policies, expectations, and trust with providers.
What is the significance of executive education in managing supply chain risks?
-Executive education, such as programs offered by the Hines College at CMU, is crucial as it equips executives with the knowledge and skills to establish proper governance, policy, and risk management practices within their organizations, including supply chain risk management.
What is the 'no Silver Bullet' concept in the context of securing an organization's supply chain?
-The 'no Silver Bullet' concept implies that there is no single tool or process that can completely secure an organization's supply chain. Instead, a multi-layered approach involving multiple controls and strategies is necessary to manage and mitigate risks effectively.
Why is it important for organizations to establish a good asset inventory?
-Establishing a good asset inventory is important because it helps organizations understand not only their own assets but also those of their third-party providers. This understanding is crucial for identifying potential single points of failure and ensuring that the organization is not overly reliant on a single critical asset.
What is the role of Software Bill of Materials (SBOM) in supply chain risk management?
-SBOM plays a crucial role in supply chain risk management by providing a detailed list of components used in software or hardware products. This transparency helps organizations understand the ingredients in their products, manage vulnerabilities, and ensure that the products meet their security expectations.
How can organizations balance the cost and time involved in implementing supply chain risk management programs?
-Organizations can balance the cost and time by recognizing that implementing such programs is a marathon, not a sprint. They should focus on establishing a strong governance framework, clear policies, and effective communication with suppliers, rather than trying to achieve perfection in every aspect.
What are some resources or models that organizations can refer to for supply chain risk management?
-Organizations can refer to resources like NIST SP800-161, SP800-53, and 171, as well as the CMMC (Cybersecurity Maturity Model Certification). Additionally, executive orders and other government guidelines can provide direction and standards for managing supply chain risks.
What is the significance of the upcoming Supply Chain Risk Management Symposium in February?
-The Supply Chain Risk Management Symposium is a significant event that will bring together professionals from both the public and private sectors to discuss and explore strategies, tools, and best practices for managing supply chain risks. It also provides an opportunity for networking and learning from experts in the field.
Outlines
π₯ Introduction to Cyber Supply Chain Risk Management Webcast
The webcast, hosted by Shane McCrae from the Software Engineering Institute (SEI), introduces the topic of cyber supply chain risk management. The session aims for interactivity, encouraging audience questions via YouTube chat. The featured speaker is Brett Tucker, a technical manager at SEI, who specializes in improving security and resilience in critical infrastructure. Brett also holds a faculty position at CMU. The discussion emphasizes the importance of supply chain risk management in cybersecurity, referencing recent incidents like SolarWinds and highlighting the need for organizations to understand and secure their assets and dependencies.
π The Importance of Supply Chain Visibility and Executive Involvement
This paragraph delves into the significance of supply chain visibility and the role of executive governance in cybersecurity. Brett Tucker explains that supply chain risk management is not a new concept, but recent events have heightened awareness. Organizations must consider the security of their suppliers and the potential impact on their operations. The discussion starts at the strategic level, emphasizing the need for top-down commitment to risk exposure management within the supply chain. Brett also mentions the importance of understanding an organization's policies and expectations of its providers.
ποΈ CMU's Executive Education and Supply Chain Risk Management
Brett Tucker discusses executive education programs at CMU's Hines College, which are designed to train executives to handle various risks, including supply chain risks. He highlights programs for Chief Risk Officers, Chief Information Security Officers, and Chief Information Officers, all of which address supply chain risk management. These programs aim to instill a comprehensive understanding of risk management strategies and the importance of supply chain security in building a resilient organization.
π‘οΈ The Concept of 'No Silver Bullet' in Supply Chain Security
The conversation explores the idea that there is no single solution to secure an organization's supply chain. Brett explains that a multi-layered defense approach is necessary, similar to a risk portfolio in cybersecurity. He emphasizes the importance of having multiple safeguards and being prepared for incidents. The discussion includes the need for asset inventory, understanding third-party providers, and the concept of defense in depth to protect against potential supply chain threats.
π The Role of Software Bill of Materials (SBOM) in Risk Management
Brett Tucker discusses the role of Software Bill of Materials (SBOM) in documenting the components of software or hardware, akin to a list of ingredients in a cake. He mentions various standards like SPDX, Cyclone DX, and SWID tags that help in creating SBOMs. Brett explains the importance of understanding the depth of ingredients and the balance between knowing everything about a product and the resources required to mitigate every potential risk.
β±οΈ Time and Cost Considerations in Implementing Supply Chain Programs
The paragraph addresses the time and cost implications of implementing supply chain risk management programs. Brett Tuckerζ―ε» the process to a marathon rather than a sprint, emphasizing the ongoing nature of supply chain management. He outlines the fundamental pillars for such programs, including governance, policy documentation, and the importance of a team approach involving various stakeholders within an organization.
π Building Resilience in Organizations through Risk Management Models
Brett introduces the concept of building resilience in organizations, referencing the SEI's Resilience Management Model (RMM) as a starting point. He discusses the importance of preparing for incidents by understanding the impact of supply chain disruptions and having contingency plans. The conversation covers the two-way communication with suppliers and the need for honesty and trust in these relationships to ensure preparedness for potential disruptions.
π Measuring Organizational Resilience and Performance
This section explores how organizations can measure their resilience and performance in the face of supply chain disruptions. Brett mentions metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as ways to test an organization's ability to recover from an incident. He also talks about the importance of stress testing and sensitiv analysis to understand the impact on the supply chain and the need for contractual agreements that ensure suppliers meet expectations.
π Resources and Guidelines for Supply Chain Risk Management
Brett provides guidance on where to find resources and guidelines for supply chain risk management. He references NIST publications, the Cybersecurity Maturity Model Certification (CMMC), and Executive Order 14028 on software supply chain security. Brett also mentions an upcoming request for information on open-source software from the Office of the National Cyber Director, encouraging participation in shaping government priorities.
π’ Upcoming SEI Supply Chain Risk Management Symposium and Call for Speakers
The paragraph announces an upcoming in-person supply chain risk management symposium hosted by SEI on February 28th in Arlington, Virginia. Brett mentions the event will attract professionals from both public and private sectors and that there are opportunities for speakers. He assures that attendees will receive information on registration and how to get involved in the symposium.
π οΈ Best Practices for Preventing and Recovering from Supply Chain Incidents
Brett shares his best advice on where to start with supply chain risk management, emphasizing the importance of governance. He stresses the need for top-down leadership to set expectations and ensure that risk-based decisions are made consistently across the organization. Brett also discusses the importance of having a program in place that is resourced and fueled by advocacy to ensure that supply chain risks are managed effectively.
π§ Tools and Frameworks for Effective Supply Chain Risk Management
The final paragraph discusses the availability of tools to aid in supply chain risk management. Brett mentions the OCTAVE Framework and other tools like Fair and OCTAVE that help in dissecting risk and making informed decisions about control selection. He highlights the importance of using these tools to ensure a good return on risk investment and to protect the organization from potential threats.
π€ Opportunities for Collaboration and Hiring at SEI
In closing, Brett mentions that the SEI is always looking for professionals interested in quantitative approaches to understanding risk exposure in organizations. He expresses interest in mathematical methodologies to measure control efficacy and the performance of supply chain risk management. Brett invites anyone interested in research or job opportunities to get in touch for potential collaboration.
Mindmap
Keywords
π‘Cyber Supply Chain Risk Management
π‘Critical Infrastructure
π‘Risk Management
π‘Executive Governance
π‘Third-Party Providers
π‘Software Bill of Materials (SBOM)
π‘Resilience
π‘Supply Chain Visibility
π‘Cybersecurity Maturity Model Certification (CMMC)
π‘Chief Information Security Officer (CISO)
π‘Operational Resilience
Highlights
Supply chain risk management is a significant concern in cybersecurity due to incidents like SolarWinds and LongforJ.
Organizations need to consider the security and resilience of their suppliers and third-party providers.
Visibility into an organization's supply chain starts with strategic planning and governance at the top level.
Policies and expectations must be clear for providers to demonstrate trustworthiness and commitment to security.
Executive education programs at CMU's Hines College focus on supply chain risk and other risk management strategies.
No single tool or process can fully secure an organization's supply chain, emphasizing the need for a multi-layered approach.
Asset inventory and understanding of third-party providers are crucial for supply chain risk management.
Organizations should establish trust and information exchange with their supply base through service level agreements and contractual terms.
Health checks on supply chain risk management programs and assessing supplier maturity are essential.
Diversifying the supplier base to avoid reliance on a single source provider is a strategic move for risk mitigation.
Software Bill of Materials (SBOM) is a helpful tool for documenting the components of software and hardware, aiding in risk assessment.
Implementing supply chain risk management programs is a marathon, not a sprint, requiring ongoing commitment and resources.
Operational resilience is a key aspect of supply chain risk management, focusing on response and recovery from incidents.
Communication and trust between an organization and its suppliers are vital for managing and mitigating risks.
Metrics like Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are used to measure organizational resilience.
CMU offers resources and publications on software bills of materials and their application in supply chain risk management.
Upcoming Supply Chain Risk Management Symposium on February 28th in Arlington, Virginia, will feature senior executives and industry leaders.
Governance is the most important starting point for supply chain risk management, emphasizing risk-based decision-making.
Tools like OCTAVE and Fair can be used for enterprise risk management and control selection in supply chain risk management.
Transcripts
Browse More Related Video
A Cyber Framework Fit for Global Use: Cybersecurity Framework (CSF) 2.0
Risk Assessments for Youth Webinar
Audit & Risk Committee Meeting 6 December 2021
Lecture 11: Local Area Plan (Urban Redevelopment Plan)
Supply Chain Sustainability: A Force For Good
What is Supply Chain Management? Hottest Degree 2024 (Part 1/3), $100K+ by age 30: simecurkovic.com
5.0 / 5 (0 votes)
Thanks for rating: