At CISO Platform Annual Summit 2017, we held a panel discussion on Best Practices in Security Procurement, with industry stalwarts such as K S Narayan (CISO, PWC), Gaurav Batra (Information Security Officer, Mondelez International), Ganesh Viswanathan (SVP-Quality & Compliance; CISO & CPO, Quatrro), Sanil Anand Nadkarni (AVP & Head Information Security, SLK Global Solutions), Dilip Panjwani (Director-Information Security, FIS Global), and Subramanya Gupta Boda.
Key Learning - Learning from Recent Global Security Breaches
1- One of the critical vectors for cyber-attack is the supply chain.
2- Breaches are increasing in complexity, volatility, ambiguity and severity.
3- The integrity of critical elements gets compromised through backdoors built into hardware, rogue code inserted into software, or compromised sub-components and components that surreptitiously enter the supply chain from lower tiers (mostly 2nd- or 3rd-tier suppliers).
4- The recent “A Monitor Darkly” attack involving Dell monitors, where the display controller is exploited to manipulate and snoop on screen content, is a manifestation of a compromised supply chain.
5- Risk management should become an integral part of supply chain governance. We need to institutionalise a multi-stakeholder risk assessment process covering the end-to-end supply chain, and cyber risk has to be evaluated from the start.
6- Due diligence on new suppliers should be performed, and regular audits conducted, as part of supplier quality assurance.
7- Cyber procurement should be linked to organisational priorities and aligned with their purpose. The investment should be scalable, and integration should be feasible.
8- We should obtain user reviews through peers or through crowd-sourced market intelligence to evaluate the pros and cons of the investment.