Recently, I was in New York City for the Evanta Global CISO Summit, to moderate a discussion on the business imperative of data security. During the conference, a wide variety of security and privacy topics were covered. I was able to speak with and hear from CISOs from all walks of life, all of whom are focused on confronting modern-day security challenges and pushing information security to new levels of importance. Fortunately, the conference organizers stress the belief that collaboration is the key to global security. Because of this, attendees feel comfortable being open and honest about a gamut of issues.
One of the many topics discussed at this year’s conference, and one that really piques my interest, is the increasing customer demands on CISOs for data security up and down the supply chain. So, I’m using this blog post to explore exactly what supply chain data protection means and to provide high-level recommendations for CISOs looking to navigate this area.
Here’s a hypothetical: any business that is in the supply chain of a bank, for example, is under pressure to encrypt its sought-after data. Let’s say you have a bank that provides healthcare for its employees and has a relationship with a large healthcare insurance provider. The bank may have certain requirements for the encryption and protection of customer and employee information. The protected information within the bank’s system extends into the IT system of its insurer, and that is the supply chain connection.
I like to use a “pebble down the hill” analogy to bring this down to earth. Data security starts off as a small pebble rolling down the hill. As it gains momentum and mass, it becomes an overwhelming force, one that compels companies to proactively address the data security practices of their supply chain partners.
Real World Problems
At the Evanta conference, a CISO with a well-known company said he is increasingly being pulled into the sales team’s pursuits. Why? Because prospective customers are asking his company to clearly articulate its data protection policies and standards. The organization’s customers are not just asking for a one-time check-in-the-box for compliance and data security, but rather instituting periodic and regular reviews. The company must confirm and validate its data security practices more than once in order to satisfy customers and provide a more secure business relationship. The accelerated requests from the CISO’s sales teams have in turn prompted him to be proactive within his own supply chain and with his own vendors.
Two notable (and public) examples of supply chain attacks are those on Lockheed Martin and Target.
The Case of Lockheed Martin
In 2011, security provider RSA was breached and its SecurID database exposed. Several months later, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials. Soon afterwards, RSA confirmed that information taken in its own breach had been used as an element of this larger attack on Lockheed Martin.
The attack had major ramifications for RSA. Besides damaging the company’s reputation, RSA was forced to offer customers the option to replace SecurID tokens. Those customers included a number of high-profile government agencies and defense firms besides Lockheed Martin. Additionally, accusations flew about whether or not Lockheed Martin was being fully transparent with respect to the gravity of the breach.
If you’re wondering what hackers would have wanted with Lockheed, well, let’s just say the company manufactures items that are pretty important to the U.S. military. We’re talking Trident missiles, F-22 fighters and satellites that support high-priority wartime communications.
The Case of Target
In December 2013 and January 2014, Target disclosed that hackers had accessed 100 million debit and credit card accounts and personal information. If your first guess as to how this happened wasn’t “it must have been through Target’s HVAC partner!” you’re not alone. But in fact it was, making this a textbook example of a supply chain security breakdown. In September 2013, Target’s HVAC provider Fazio Mechanical Services was compromised by an alleged email phishing attack. It is believed that the network credentials Target had issued to Fazio were stolen during the attack. Shortly thereafter, the attacks on Target started.
Following Target’s initial disclosure, Fazio issued a statement saying it was in full compliance with industry practices. But the damage had been done. Both Target and Fazio were slammed in the press for lax security practices, and Target’s stock plummeted. Additionally, Target fired the CEO in place at the time of the breach, Greg Steinhafel. Steinhafel had worked at the company for 35 years and had served as CEO since 2008.
As we’ve said on multiple occasions, compliance is not enough, which is why we’re seeing an industry shift towards implementing risk-based security practices rather than checkbox compliance.
Real World Solutions
It is not, nor has it ever been, in an organization’s best interest to avoid securing data. When data breaches occur, the subsequent erosion of consumer confidence has a direct effect on an organization’s bottom line. Organizations that do not respond put customer relationships and future revenues at risk. In this environment, doing the right thing to secure data is no longer a cost or a drag on the business. It is instead becoming an enabler that bolsters, and in some cases strengthens, competitive position within highly competitive markets.
Protecting data throughout the supply chain provides an opportunity for security to be seen less as a tax and more as a competitive advantage. Organizations cannot ensure their customers’ private data will be secure unless the entire chain is taking appropriate security precautions, from the HVAC vendor on down.
Although there are many different ways CISOs can approach working with supply chain partners on data security, I’ve put together, based on my own experiences and the information gleaned during the Evanta Summit, a short list of “best practices” to keep in mind:
- Prioritize your key supply chain relationships. First and foremost, I recommend prioritizing your key supply chain relationships by assessing the type of data being passed and/or managed between you and each supply chain partner. Does the relationship involve PCI- or HIPAA-regulated data or personal information? Is the data exchanged between your supply chain partner and you covered under compliance and/or regulatory guidelines? Does the relationship involve the transfer and sharing of intellectual property and other proprietary information? Relationships involving regulated and/or highly sensitive information should be considered higher priority.
- Be proactive with your customers. Understand their emerging requirements for the data security and protection of the key applications and solutions your company provides to them. While some organizations may be reluctant to ask questions for fear of stirring the pot, addressing the data security requirements of your customers is imperative. It also takes time: increased clarity provides a runway for your organization to plan and implement.
- Think about your own supply chain partners. On whom does your organization rely as a subcontractor or business partner? Not only must you meet the data security requirements of your customers, but your vendors are an extension of your enterprise and, as such, are important links in the chain.
- Engage with your company’s business leaders to perform a risk assessment. This should be done in order to analyze the top-line business risks inherent in not meeting the data protection requirements of your customers. Inputs include remediation costs and timeframes. The end result should be a prioritized application and data security remediation plan.
- Begin implementation of the plan. Note that the plan should not only include remediation of your own systems and data security practices, but also involve holding your vendors to the necessary standards, thereby protecting all of the links in the supply chain.
There’s no time to waste. Developing and instituting a supply chain security plan will help ensure you don’t become part of a national statistic, a case study, or someone’s blog.