Assuring Acquired IT Wares Aren't Tainted

Taking Steps to Mitigate Supply Chain Vulnerabilities

Information Security Forum's Steve Durbin discusses mitigating supply-chain risk.

The potential for governments to tamper with commercial IT security products - think China and the National Security Agency (see NSA Reports Sullying Vendors' Standings?) - means organizations need to improve lines of communication to assure the integrity of the IT wares they purchase.

"The integrity of how your product has been made is of real concern," Information Security Forum's Steve Durbin says in an interview with Information Security Media Group [transcript below]. "How do you know that some of the application developers haven't put in backdoors? How can you test for that?"

To mitigate the risks, enterprises must collaborate early on to anticipate how their data and information will be held and secured across the supply chain. "It's about involving your legal guys; it's about involving your procurement folks; it's about conducting a solid risk assessment right at the outset," Durbin says.

Organizations that only test for vulnerabilities after the fact, without having those conversations and conducting that risk assessment on the supply chain early on, will lose the benefits the supply chain originally offered.

"You're going to lose all of the cost benefits of actually outsourcing in the first place because you're going to have to go through every little line item of code," Durbin says.

In the interview, Durbin:

Defines the supply chain and the threats it poses to IT security and privacy;
Discusses the integrity of hardware and software acquired and used over the supply chain; and
Suggests ways organizations can mitigate supply chain vulnerabilities, including being more diligent in wording contracts with providers.

Business growth strategist Durbin joined the forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprising telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, where he served as group vice president worldwide.

Global Supply Chain Threats

ERIC CHABROW: Define the global supply chain and why it can pose threats to individual organizations?

STEVE DURBIN: I struggle hard to find any organization today anywhere in the world that isn't connected in a cyber way with another enterprise, and this really for me is the foundation of the global supply chain. We can get into the way in which Apple, for instance, might design in California, make in China and sell in Europe. That for me is a very large supply chain. But the issues with the sharing of information with other organizations, with third parties, for a whole variety of different reasons hit at the heart of it.

As we're seeing, this is giving rise to discussions around privacy, around personally identifiable information, over and above what we might normally have perhaps associated with supply chain and the sharing of designs and manufacturing-based information. It's an area that has taken off this year in particular, where a number of organizations are fighting hard to get a grip with some of the implications, not within their own organizations but with these others that they're doing business with.

Product Integrity

CHABROW: As information moves from one organization to another, there's a supply chain there. Also, we heard about the supply chain about a year or so ago with news around the potential of Chinese manufacturers of computer and telecommunications components making their products in such a way that the Chinese government could spy on western businesses. That's another aspect to the supply chain, right?