Do industry leaders truly understand supply chain and third-party risk?

Anonymous Author
When we think about the supply chain, I don't think the industry really gets it or cares. After SolarWinds, most companies didn't get more money to go fix and address the cybersecurity issues for the supply chain. They were told to be smarter about the money they had and to make better decisions, but it wasn't a big call to arms of, "Oh, my goodness, it's a big risk. You're right. Here's an extra N amount of dollars to do that." And every company, except for SolarWinds, has recovered economically on their stock price. SolarWinds will probably fully recover it. It's still down 22 points. H-ISAC is one organization that did a really good job of thinking about the supply chain ecosystem. They actually put together a paper talking about the supply chain bill of materials, so your product application bill of materials. Most cybersecurity application development teams don't know the library dependencies that they're actually building with until we actually have a meaningful conversation about the library dependencies that you're building into your kit or where your developers are copying code from. You can't really have a good conversation like, "No, no, no. I really care where my code is sourced from." It's like, "No, you don't. You're not even trying to get the inventory." So I think that's where we are as an industry: we talk a good game. When we see funding flow into organizations to tackle this, that's when you'll know. I mean, we all know it. When the company says, "Hey, this is really important, but we're not freeing up any money," it's like, okay, they say it's important. When it's really important, all of a sudden the floodgates open and they're just dumping money... We haven't seen that behavior in the supply chain. We haven't seen even an emphasis on doing the integrity of it.
0 upvotes
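The post above makes the point that most teams are "not even trying to get the inventory." As an added illustration, not part of the original post, the script below builds that inventory from two constructed manifests (a Python `requirements.txt` and a trimmed npm `package-lock.json`), emits a minimal CycloneDX-shaped component list, and flags the entries a supply-chain reviewer would ask about first: dependencies pulled from URLs or git instead of a registry, unpinned versions, and registry packages with no recorded integrity hash. The sample inputs, the `demo-app` name and the narrow `==`-only pin parsing are simplifications made for this example.

```python
"""Minimal dependency inventory: turn manifest/lock data into an SBOM-style
component list and flag what a supply-chain reviewer should question.
Added example, not code from the original discussion. All inputs are constructed."""
import json
import re

# Constructed: pinned, unpinned, and URL/VCS-sourced Python requirements.
REQUIREMENTS_TXT = """\
requests==2.31.0
flask>=2.0
git+https://github.com/example/internal-lib.git@main#egg=internal-lib
https://files.example.com/wheels/vendored-0.1-py3-none-any.whl
# comment line
PyYAML==6.0.1 --hash=sha256:abc
"""

# Constructed: a trimmed npm package-lock.json in the lockfileVersion 3 shape.
PACKAGE_LOCK_JSON = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "git+ssh://git@github.com/example/left-pad.git#abc123",
        },
        "node_modules/nested": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/nested/-/nested-0.0.1.tgz",
        },
    },
})

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text):
    """One component per requirement line; only '==' counts as a pin here."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hm = re.search(r"--hash=(\S+)", line)
        integrity = hm.group(1) if hm else None
        if line.startswith(("git+", "http://", "https://")):
            # Direct URL/VCS source: no registry and nothing to verify against.
            components.append({"name": line, "version": None, "purl": None,
                               "source": "url", "ecosystem": "pypi", "integrity": None})
            continue
        m = PIN_RE.match(line)
        name = (m.group(1) if m else NAME_RE.match(line).group(1)).lower()
        version = m.group(2) if m else None
        components.append({"name": name, "version": version,
                           "purl": f"pkg:pypi/{name}@{version}" if version else None,
                           "source": "registry", "ecosystem": "pypi", "integrity": integrity})
    return components


def parse_package_lock(text):
    """One component per installed npm package, skipping the root project."""
    components = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if path == "":
            continue
        name, version = path.split("node_modules/")[-1], meta.get("version")
        resolved = meta.get("resolved", "")
        source = "registry" if resolved.startswith("https://registry.npmjs.org/") else "url"
        components.append({"name": name, "version": version,
                           "purl": f"pkg:npm/{name}@{version}" if version else None,
                           "source": source, "ecosystem": "npm",
                           "integrity": meta.get("integrity")})
    return components


def review_inventory(components):
    """Return (name, reason) pairs for entries a reviewer should question."""
    findings = []
    for c in components:
        if c["source"] == "url":
            findings.append((c["name"], "sourced from URL/VCS, not a registry"))
        else:
            if c["version"] is None:
                findings.append((c["name"], "unpinned version"))
            if not c["integrity"]:
                findings.append((c["name"], "no integrity hash recorded"))
    return findings


def build_sbom(components, app_name="demo-app"):
    """Emit a CycloneDX-shaped document (a small subset of the real schema)."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "application", "name": app_name}},
            "components": [{"type": "library", "name": c["name"],
                            "version": c["version"], "purl": c["purl"]}
                           for c in components]}


def inventory(requirements_txt=REQUIREMENTS_TXT, package_lock_json=PACKAGE_LOCK_JSON):
    comps = parse_requirements(requirements_txt) + parse_package_lock(package_lock_json)
    return comps, review_inventory(comps)


if __name__ == "__main__":
    comps, findings = inventory()
    print(json.dumps(build_sbom(comps), indent=2))
    for name, reason in findings:
        print(f"REVIEW: {name}: {reason}")
```

In practice a real SBOM generator (the CycloneDX tooling or syft, for instance) would replace the two parsers here; the point of the example is that the inventory and the questions it raises (where did this come from, is it pinned, can it be verified) fall out almost for free once someone bothers to build it.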
Anonymous Author
Unfortunately, in my experience having served on several public boards, boards are actually not really well-positioned to understand cybersecurity issues. I think there are now more and more technology executives on boards, but not in the past. The older generation of board members know that cybersecurity is a problem, but they're not sure what kind of questions to ask. And even if they know what questions to ask, they don't know whether the answers they're getting are the right answers. I spend as much time educating my peers on the board as I do with the CISO to make sure that there is a connection between the risk from the cybersecurity perspective and the impact to the business. Because CISOs, us technology people, we tend to throw lingo and our abbreviations at the board, and they go, "We are speaking different languages." So, a translation is needed.
4 upvotes