Sponsored By

Validating Supply Chain Cybersecurity

How to identify risks, understand downstream effects, and prepare for incidents.

Steve Grobman

December 17, 2015

3 Min Read

You’ve got your organization protected as best you can, but what about your supply chain? Like any type of chain, the security in your supply chain is only as good as the weakest link. Can malicious software find its way into your company or your products through your supply chain? Can a weak downstream link lead to an opportunity for exploits that take advantage of your intellectual property? Or can disruption of one link disrupt your profitability?

Almost every business is dependent on far-reaching supply chains, and we have already seen some serious cyber incidents from security lapses. Historically, supply chain professionals focused on protecting links through supplier qualification, insurance, and physical security, protecting against risks ranging from theft to delayed deliveries. While those practices remain essential, today’s supply chain professional must add a focus on information security to their defensive strategy. New efforts must focus on protecting intellectual property, defending against hacktivism and espionage, detecting embedded malware, and ensuring continuity of operations.

Managing security risk in your supply chain is new, but you have probably already been through a similar process with quality. First, you identify and classify each of your suppliers with regard to what they do now and the critical aspects of their contractual obligations. Then you define a clear baseline of security and privacy requirements for the group. Standards tools such as ISO/IEC 27036 (information security for supplier relationships) can provide a solid baseline.

With a baseline established, the next step is regular validation of security and privacy controls. Validation can be challenging, full of competing acronyms, contractual issues, and resource constraints. Doing this for every supplier in your chain is unrealistic for most companies, so it is important to prioritize. And fortunately there are standards and processes emerging for various industries that range from self-assessment to third-party certification.

One example is the Cloud Security Alliance’s Security, Trust, and Assurance Registry (STAR) for various cloud computing offerings. STAR is a straightforward three-level certification, accompanied by a publicly accessible registry. STAR provides important information about product certifications, including the date, country, term, and level of certification. Decisions can be based on a simple cost and risk comparison, or on more thorough analysis of the strengths and weaknesses of current or potential suppliers. Analogous to ratings systems in other industries such as banking or tourism, STAR requires little technical training to understand the difference between level 1, 2, and 3 certifications.

These certifications are also valuable to your supplier. Suppliers can readily compare themselves to their competitors and build a strategic perspective of their own organization’s risks and opportunities.

From your customers’ perspective, your company includes the extended network of people, processes, and partners involved in delivering products and services. You cannot “go it alone” or dismiss these issues as limited to supply chain experts.

Validating the supply chain, whether it is for product quality or information security, is now an essential part of your success. You need to identify risks, to understand the potential downstream effects of a security breach or cyberattack, and to prepare response plans so that you can respond quickly to an incident. The alternative could be a serious loss of reputation, customers, and profits. 

About the Author(s)

Steve Grobman

Chief Technology Officer at Intel Security

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security assets.

 

Grobman joined Intel in 1994 as an architect in IT and has served in a variety of senior technical leadership positions during his Intel career. Before assuming his current role in late 2014, he spent a year as chief technology officer for the Intel Security platform division. Prior to that role, he spent two years as chief technology officer at Intel's subsidiary McAfee to integrate security technology from the two companies.

 

In prior roles, Grobman served as chief security technologist for the Intel Atom processor system-on-chip design group and spent seven years as chief architect for Intel vPro technology platforms. In the latter position, he led work on the solutions architecture that resulted in a business platform with unique hardware-based management and security capabilities.

 

Before joining Intel, Grobman spent four years at IBM as a solutions programmer and developer. Grobman has published a number of technical papers and books, and holds 20 U.S. and international patents in the fields of security, software, and computer architecture, with about another 20 patents pending. He is also the recipient of two Intel Achievement Awards, the first earned in 2005 for the invention, initial architecture, and strategy of the first PC embedded appliance; and the second in 2007 for the success of the Intel vPro technology platform.

 

Grobman earned his bachelor's degree in computer science from North Carolina State University

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights