Securing information and communications technology supply chain

April 5, 2022

April is National Supply Chain Integrity Month.

In partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners, the Cybersecurity and Infrastructure Security Agency (CISA) is promoting a call to action for a unified effort by organizations across the country to strengthen information and communications technology (ICT) supply chain.

The ICT supply chain powers national security missions, critical infrastructure sectors and private industry security and innovations. As more organizations undergo digital transformations to streamline operations, the supply chain becomes more complex and interconnected, encompassing the entire lifecycle of ICT hardware, software, and managed services and various entities — including third-party vendors, suppliers, and service providers. Adversaries target third-party vendors and suppliers for this very reason, representing a way to target the government and critical infrastructure.

Acting CISA Assistant Director Mona Harrington says, “Government and industry must continue to work together to protect our critical infrastructure and the associated supply chains that underpin the very fabric of our nation and economy.”

Here are a few steps organizations can take to enhance the security and resilience of their ICT supply chain, according to security leaders:

Jasmine Henry, Field Security Director at JupiterOne: There is no solution currently, only tactics to reduce risk. Using knowledge graphs to map critical asset dependencies on third-party code is helpful. Software bill of materials (SBOMs), vendor consolidation, and retiring legacy systems can also mitigate supply chain risk.

Joseph Carson, chief security scientist and Advisory CISO at Delinea: At the moment, the global supply chain is extremely fragile. Organizations have less control and visibility over the actual security that supply chains have put in place. For the most part, this tends to only be covered in legal contracts rather than a true security risk assessment. Organizations must prioritize privileged access security to reduce the risks exposed in their supply chain security.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber: It is unfair to blame the software supply chain vendor considering how bad actors often use known, unaddressed vulnerabilities that IT security teams should have mitigated well before the software supply chain hack became a reality. Cybersecurity teams need to do more than just scan for vulnerabilities. We need to work together to better measure, manage and mitigate cyber risk, or we will be crushed by a growing mountain of vulnerability debt.

Throughout April, CISA will promote resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force, to help organizations and agencies integrate SCRM into their overall security posture. To view online resources, visit CISA.gov/supply-chain-integrity-month.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry. Within her role at Security, she works to produce several Special Reports and other stories for the monthly eMagazine, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Security departments have long struggled to bring their real-time voice communications into the present, resorting to communicating with radios, unsecure applications, multiple devices, and Wi-Fi-only solutions.

Poll

Business Travel Security

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Securing information and communications technology supply chain

Recent Articles by Maria Henriquez

US, EU expand access to cybersecurity tools for SMBs

Buffalo mass shooting investigated as racially motivated violent extremism

COBALT MIRAGE conducts ransomware operations in US

Five years after the WannaCry ransomware attack

SolarWinds data breach lawsuit takeaways for CISOs

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Securing information and communications technology supply chain

Recent Articles by Maria Henriquez

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.