C-SCRM and the C-Suite: Securing Executive Buy-In for Supply Chain Risk Management

This blog was originally published by CXO REvolutionaries here.

Written by Brad Moldenhauer, CISO, Americas, ZScaler.

Unfortunately, it's not enough for today's IT leaders to concern themselves with the security of their own organizations. Complex and convoluted supply chains have seized their attention in the wake of attacks like those against vendors including Kaseya and SolarWinds.

It’s clear now that data loss, reputational damage, and remediation costs are business risks stemming not only from an organization’s own assets, but also from those belonging to vendors whose products and services it has enlisted.

Organizations like NIST are responsible for developing security standards and guidelines for enterprise IT organizations and federal information systems. Their latest guidance, published in May 2022, focuses on the importance of implementing cybersecurity supply chain risk management (C-SCRM) practices by applying an integrated multilevel approach company-wide, beginning with the C-suite.

Additionally, in 2021, the National Telecommunications and Information Administration (NTIA) released its minimum elements required for software bills of material (SBOM) to help outline ingredients included in any open-source software companies may rely on.

Both releases underscore the dangers presented by supply chain attacks and potential avenues for redress.

How the software supply chain undermines security

What makes supply chain attacks so insidious is that attackers can reside undetected on enterprise networks for months before launching large-scale, strategic attacks that affect thousands of companies worldwide. Then, attackers will continue to prey on organizations that fail to effectively mitigate an often overlooked attack vector – the software supply chain.

Organizations depend on digital tools to connect suppliers, materials, and products in a global market. However, the increased number of software solutions creates an environment riddled with cybersecurity vulnerabilities. The evaluation of software solutions needs to account not only for the business benefits and outcomes it purportedly will provide, but also for what type of processes are in place to support a secure software development lifecycle (SDLC), DevSecOps capability, software bill of materials (SBOM), open-source security checks and balances, and others. Minimum viable product will get you maximum security exposure. As an industry, cybersecurity solution providers need to be the model when it comes to our product development and security practices to the point that ubiquitously makes it economically irrational for an attacker to plan the next Solarwinds, Kaysaya, or NotPetya software supply chain attack.

Due to the nature of software development, a significant number of these solutions are comprised of software created by freelance and volunteer engineers without oversight and no impetus for considering security. According to the Atlantic Council, “at least forty-two attacks or vulnerability disclosures involved open-source projects and repositories” between 2010 and 2021.

The modern business is software-enabled, and a quick glance at your smart device application inventory suggests that today every company is a technology provider. This is where organizations need to minimize the divide between the corporate information security program and product security team. If these two functions are not collaborating, a potential gap exists in a business understanding of controls because a corporate security event could create a product security event, whereby a business risk impacts customers and potentially society writ large.

Corporate information security and product security should be inextricably linked, which I believe is a form of business maturity that has a positive impact throughout the supply chain. This ensures a broader and collective focus on minimizing lateral movement, reducing attack surface, and implementing strict identity controls with every piece of software they employ and provide. Preventing software supply chain attacks requires shifting security left and validating the provenance of code before incorporating it into production releases for market release.

Cybersecurity supply chain risk management best practices

Managing supply chain cybersecurity risks is a complex undertaking for any organization. It requires a transformation of company culture towards risk assessment, especially when it comes to the impact of cybersecurity vulnerabilities.

It’s important that stakeholders inside and outside the enterprise communicate and take action toward effective C-SCRM practices. Senior leadership roles set the tone for the organization’s stance on cybersecurity and should be actively involved in developing company-wide C-SCRM.

NIST recommends a strategic cybersecurity approach integrated with enterprise-wide risk management processes. This process includes the following steps:

• Frame risk by establishing the contextual requirements for risk-based decisions, understanding the current state of the enterprise’s systems, and addressing vulnerabilities associated with supply chains.
• Assess risk by reviewing threats and understanding the possible outcomes of an attack, the level of vulnerability the enterprise faces, and the likelihood of a high-impact cyber attack.
• Respond to risk with strategic mitigation protocols based on the findings of the risk assessment research.
• Monitor risk exposure and the effectiveness of C-SCRM practices by tracking IT changes, supply chain updates, and enterprise communications with a feedback loop for continuous improvement.

Enterprise executives, together with expert advisors, should design a tailored C-SCRM plan for the unique needs of their company by following these continuous and iterative steps. By committing to ongoing improvement, organizations can use these guidelines to adapt to emerging threats and better respond to organizational changes. And rather than eliminate risks, C-SCRM focuses on managing the inevitable risks involved with today’s digitally-infused business models.

Benefits of C-SCRM for enterprise

Enterprises rely heavily on digital technologies to manage operations and be a part of the global supply chain network. With so much depending on digital tools and software, cyber risk is business risk. Cybersecurity enables organizations to use necessary business enablers securely by minimizing risk factors associated with supply chain software and technology.

Establishing C-SCRM capabilities benefits enterprise organizations by:

• Promoting understanding of which assets are most susceptible to weaknesses and vulnerabilities within the supply chain.
• Reducing the likelihood of a data breach given an enterprise’s enhanced ability to detect, respond, and recover from disruptions and cyber incidents.
• Enhancing efficiency and alignment with business goals by streamlining cybersecurity and risk management processes.
• Improving outcomes when products and services are procured, transported, and manufactured via a secure, resilient supply chain
• Ensuring suppliers, service providers, technology services, and other third parties can be trusted to meet performance requirements.

Without executive alignment, it’s all for naught

It’s crucial that organizations understand the business impact of cybersecurityvulnerabilities – including financial, operational, and strategic risks – presented by inevitable supply chain entanglements. C-SCRM is a systematic approach to protecting enterprise data that integrates cybersecurity with risk management practices throughout the supply chain. It allows an enterprise to monitor cybersecurity risks and activities that span the entire development lifecycle, throughout the supply chain, and within their organization.

But without support from key roles, cybersecurity efforts are not likely to be well received within the organization. C-SCRM requires oversight, direct involvement, and ongoing support from senior leadership and enterprise executives.