As a vendor (meaning software publisher / service provider), I was a bit of the odd man out on the panel, but I hope I brought a unique perspective to the conversation. I was also the only one representing a small company on the panel, as both ICBC and Maersk are established companies with a global footprint. FireTail™, on the other hand, is less than six months old and has a team of five.
Here’s a rundown of what we talked about:
Supply chain security is top of mind for many people when they think about 3rd-party risk. But like most other areas of cybersecurity, many organizations struggle with gaining visibility. The rapid adoption of cloud services in past years, accelerated by the pandemic and remote work, has made this even more challenging.
A few examples were discussed to remind people that 3rd-party data breaches are real and have a material impact on customers.
What’s an acceptable disclosure period of a 3rd-party breach, whether from your vendor to you or from you to your customers? 3 days / 72 hours is reasonable. Anything quicker often leads to a rushed response, with incomplete information that causes confusion and panic.
What’s a good tip for an investigation? Once you think you have found everything, go 20% further. Living off the land (LOTL) attacks are common and not expensive for a bad actor to maintain. Go slightly deeper in your investigation. You’ll also get more peace of mind from this and learn about other attack surfaces to cover and investigate for the future.
Could cyber insurance solve problems around 3rd-party data breaches? No, and in fact from my perspective, there are real risks and uncertainty around the cyber insurance market. Harvard Business Review highlights challenges with cyber insurance. The tl;dr here is that cyber claims have been way higher than expected, and actuaries within insurance providers are pushing to re-assess rates or even the overall provisioning of cyber insurance.
Side note: As someone who is very active in the early-stage cybersecurity community, I must say that almost every founder of a software or services company today talks about wanting to align with and leverage insurance providers as either a source of funds (the insurance providers will pay for this for our customers, because it reduces their risk); a source of leads (all the insurance providers will want their customers to use us); or both. Stop for a second and think about this.
Do you have the right alignment of incentives here?
Do you have the right budget owners involved in both pieces of this supposed alignment?
Are vendor questionnaires a good starting point? This was one of my favorite areas of discussion in the panel, so let me explain my “green M&Ms” comment highlighted on the InfoSecurity Magazine write-up.
I’ve worked in the vendor world for the past 10+ years, that is, as a supplier of software or services to large-scale enterprises either moving to the cloud or looking to secure their cloud infrastructure. I’ve done dozens of these vendor security questionnaires over the years.
No two customers agree on what’s important, but the overlap between customer A and B is probably about 80%. That’s why efforts like the CCM / CAIQ are interesting, and a good starting point for us as a young company.
But the formatting and treatment of these documents, even by customers, over the years has left me jaded. Many customers have said stuff to me like “just fill it out; no one reads it,” or “just make sure there aren’t any red flags,” or “it just has to pass procurement.”
These are the kinds of responses that make me want to put in something crazy, like an “M&Ms” clause. Note here – I got the color wrong. It was actually a brown M&Ms contract rider. The story behind that is actually fascinating. But I do wonder whether security teams actually read or care about these documents, or whether they’ve become just another bureaucratic process to follow.
And finally, yes, I very much advocate for automated patching. Of course, I also advocate for reducing your overall attack surface by moving to a “cattle not pets” model, more ephemeral infrastructure, and getting rid of servers that have operating systems. Reach out if you want to hear more about our views here.
Also, I’d like to give a little hat tip to fellow panelist Lewis, who was kind enough to share not only the photo, but his top three takeaways from the session, which I respect fully, from his perspective as a cyber leader in his organization:
Actively take control of your supply chain! Ensure security is inserted into the relevant governance processes (procurement, legal, etc.) so that discovery is enduring and not a point-in-time exercise.
Spreadsheets may have their place in supplier assurance, but try to tailor them where possible. Although nothing beats getting the right people on both sides to come together and talk through mutually beneficial security arrangements.
If it is facing the internet and you can’t patch within 24 hours, is on-prem really the right setup for that 3rd-party software?
I think Lewis’s point about establishing relationships with your third parties is so crucial (in the second point above; the words are Lewis’s, the emphasis mine). Remember that whatever tools we use, there will always be a human involved in the investigation, the incident report, and the follow-up actions.