Page 87 - Cyber Defense eMagazine April 2021 Edition

Although this step can eliminate working with truly unsafe vendors, due diligence can go something like this:


Q: Do you make terrible security mistakes?
A: We do not.
Q: Do you lock your doors?
A: We do.

There are varying degrees of vigor, but by and large, they’re pretty straightforward. They can be an effective way of performing due diligence, but in the end, does vendor screening by itself get you to increased security? Can you be assured of your safety?


There is no single-threaded solution to risk; you need to do more.

Keep in mind that there is no perimeter anymore; we are all zero trust now, whether we are prepared or not. It’s important to note that risk cannot be eliminated. It’s inherent in doing business and can only be mitigated. The question is this: what steps can organizations take to minimize risk from their third-party vendor pipeline? It’s safe to assume that, even after doing your due diligence and vetting your supply chain, someone is going to be compromised. Assuming this to be true, and covering all of your bases while fully expecting such a compromise, will put you in the best position.

TWO: Balance of security and vulnerability

It’s simply impossible to do business now without using multiple vendors, which expands your risk profile dramatically. Everyone is doing their best to mitigate security issues with due diligence and supplier management processes, but the problem is that there are a million applications. All of them could have some sort of security issue, and many could be in use in your environment.

Security is a business enablement function, but my instinct is not immediately to support productivity as a singular goal. It’s to reduce risk by finding a balance between productivity and risk. Know what your business needs to maximize its productivity and effectiveness, but also understand your tolerance for risk. What can the business accept, and what can it not? This can form the basis for making informed decisions about supplier risk.

THREE: Real risk mitigation is in the basics

Nobody is excited about this problem. There is absolutely no one announcing with pride their Computer Science major in Supplier Security Management.


So many people go into security thinking: “I’m gonna hack the planet and pen test everything” — and there is real value there — but often the best security is found in more mundane activities. Do I know what is in my vendors’ change logs? How quickly can I evaluate and patch 100 applications . . . or 1,000?

These are not exciting questions; they don’t have an inherent sense of drama. But they are critical questions.


So what do you do, assuming that of your hundreds of vendors, at least some will have a breach in the next year?

You focus on the fundamentals:
• asset management
• identity and access management
• vendor due diligence and annual review
• robust and timely maintenance
• vigilance


Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.