CISO MAG EDITORIAL
Not long ago, the IT Head (we are using this as a generic term) of an organization was concerned with securing the infrastructure behind the company firewall. In those days the threats were largely viruses, trojans and worms. The Internet was still in its early days, so interconnecting networks was rare in the corporate world and more common in academic networks (Yale, Columbia, Stanford) or military networks (ARPANET). That paradigm has changed. The Internet has permeated every stratum of society, the business world and government. While we have benefited greatly from this omnipresent interconnectivity, there is a downside: the number of attack vectors has grown many times over. Today a business's infrastructure connects to partners, suppliers, developers, customers (through app connectivity) and other ecosystem players. It is a borderless enterprise, or the extended enterprise. A CISO must therefore worry about the risk profile of other networks too, those of the supply chain.
In its 2020 Predictions report, Trend Micro states that organizations will face growing risk from their cloud environments and their supply chains. Reliance on open source and third-party software, together with the introduction of modern workplace practices, presents immense risk. Organizations are increasingly allowing employees to work from home (remote workers). Financial institutions are working with startups. Third-party software could have vulnerabilities that the organization never reviewed and cannot patch itself. The report states: "Cloud and DevOps environments will continue to drive business agility while exposing organizations, from enterprises to manufacturers, to third-party risk."
As more organizations opt for managed services, the responsibility for security shifts to Managed Service Providers (MSPs), and an MSP's privileged access to many customer environments makes it an attractive single point of compromise. The Trend Micro report states: "Managed service providers (MSPs) will be targeted in 2020 as an avenue for compromising multiple organizations via a single target. They will not only be looking to steal valuable corporate and customer data but also install malware to sabotage smart factories and extort money via ransomware."
Key message: The security of the supply chain is as crucial as the security of the company network, and it should be intrinsic, built into contracts, SLAs and legal documentation rather than assumed. Ensure the security of not just your enterprise IT infrastructure but also that of your supply chain.