How to Minimize Supply Chain Risks

Expert Emphasizes Continuing Monitoring

Steve Durbin

An essential, potentially overlooked step for minimizing supply chain risks is to continually monitor outsourcers and other third parties to address critical security issues, says the Information Security Forum's Steve Durbin.

"There is an increased readiness on the part of organizations that have outsourced or are working with third parties to really review the [vendors' performance] on an annual basis," Durbin says in an interview with Information Security Media Group. "It's about sitting down with them and asking: 'How are you maintaining the integrity of our information? What security processes do you have in place? Have you implemented those processes that we asked for?'"

Another essential step, Durbin says, is carefully assessing upfront the pros and cons of relying on an outsourcer for hardware or software development, or other functions.

"It's about conducting a solid risk assessment right at the outset in terms of: Does this make business sense for us? What are the risks? How can we mitigate against them? And does it still make financial sense for us to go forward?"

Durbin also advises that if a risk assessment determines that the risk of something going wrong is great, "then you probably need to pull back and say, 'Could we do this in-house? Do we need to be using a third party? Is there a way we might be able to shorten our supply chain and get more control over what's going on?'"

In the interview, Durbin:

Defines the supply chain and the threats it poses to IT security and privacy;

Discusses the integrity of hardware and software acquired and used over the supply chain; and

Suggests ways organizations can mitigate supply chain vulnerabilities, including being more diligent in wording contracts with providers.

Breach Concerns

Durbin also says many chief information security officers view breaches primarily as a threat to their organizations' reputations. He says CISOs at some large organizations have told him that when it comes to breaches: "We're not worried about ... the loss of data. What really can hurt us is how that is going to impact our brand. Is it going to destroy the trust that exists between the CISO and his enterprise, between the enterprise and the customer, between the enterprise and business partners?"

An independent, not-for-profit organization with members from some of the world's leading enterprises, the Information Security Forum investigates, clarifies and resolves key issues in cybersecurity and risk management by developing best practices.

Business growth strategist Durbin joined the forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprising telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, where he served as group vice president worldwide.