Ask any CISO what their job entails and they are likely to respond with a common mantra: assess IT risk, communicate IT risk to business executives, and then create and execute a mutually agreed-upon plan to address that risk.
In the past, CISOs concentrated this effort on internal IT, but an internal-only focus is becoming increasingly myopic because:
1. Outsiders have network access. Enterprises regularly grant network access to business partners, suppliers, and customers.
2. "Shadow" IT is on the rise. Employees, functional departments, and business units are eschewing homegrown apps for SaaS offerings while IT moves internal systems to cloud-based infrastructure.
3. Web-facing applications that pull content from many sites are especially exposed. This problem goes beyond application vulnerabilities and SQL injection attacks. If you host an ad network on your site (or a linked business partner hosts one on theirs), there is very likely a "weak link" somewhere in that chain, and it sits outside your direct control.
In aggregate, these issues are part of a greater problem - cyber supply chain security. To be clear, the term cyber supply chain security encompasses any organization or person that supplies, uses, or connects to your organization's IT systems, networks, services, and applications. This includes hardware/software suppliers, VARs, business partners, contractors, etc.
In this context, the cyber supply chain has a profound impact on risk management. CISOs really need to assess risks associated with every aspect of the cyber supply chain and not just those they can actually touch within their networks. Obviously, this makes risk management a lot harder and we haven't found a good solution yet.
Many CISOs address cyber supply chain risk with annual IT security "audits" of selected partners. These "audits" are usually a written checklist that some, but not all, partners are asked to complete once a year. The fatal flaws are easy to see. Audits cover a hand-picked set of partners while some, or even most, third parties with network access get a free pass. SaaS and cloud providers may or may not be included. Finally, because the "audits" are annual, there is no visibility into real-time risk even though the environment changes constantly.
Clearly this model isn't right, so what can be done? CISOs should simply emulate what they already do internally: continuously monitor so they can assess and address new risks as they arise, only now across the cyber supply chain rather than just their own networks. In fact, DHS has built on continuous monitoring with a program called Continuous Diagnostics and Mitigation (CDM) that extends it to risk mitigation. What's more, the GSA has negotiated Blanket Purchase Agreements (BPAs) with 17 firms, including Booz Allen Hamilton, CSC, IBM, Lockheed-Martin, and Northrop-Grumman, to supply CDM professional and managed services. Obviously, the feds think there is great value here.
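As an added illustration of what "continuous" looks like for the audit problem above (this is example code, not part of the original post or any CDM tooling): instead of a yearly checklist sent to a few partners, reconcile every third party that actually connects to your network against a register of who has been assessed and when. The partner register, the log format, the field names and the "today" date are all constructed assumptions for the example; in practice the connection data would come from your VPN, firewall or identity provider.

```python
"""Continuous reconciliation of third-party network access against a partner
assessment register.  Example code added to this post; inputs are constructed
and the log format is an assumption, not any vendor's schema.
"""
from datetime import date
import re

# Constructed partner register: organisation -> date of last security
# assessment, or None if the partner was onboarded but never assessed.
PARTNER_REGISTER = {
    "acme-logistics": date(2023, 11, 2),
    "globex-saas": None,
    "initech-contractor": date(2022, 9, 15),
}

# Constructed VPN log lines.  Assumed format: date, "vpn", peer org, action,
# source IP.  The ad network "umbrella-adnet" connects but is not registered.
ACCESS_LOG = """\
2024-01-15 vpn peer=acme-logistics action=connect src=203.0.113.10
2024-01-15 vpn peer=initech-contractor action=connect src=198.51.100.7
2024-01-16 vpn peer=globex-saas action=connect src=192.0.2.44
2024-01-16 vpn peer=umbrella-adnet action=connect src=192.0.2.99
"""

# Constructed "current" date so the run is reproducible.
TODAY = date(2024, 1, 17)

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) vpn peer=(?P<peer>\S+) action=connect"
)


def parse_peers(log_text):
    """Return {peer: most recent connection date} for every third party
    that opened a session; lines that are not connect events are skipped."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        day = date.fromisoformat(m.group("day"))
        peer = m.group("peer")
        if peer not in seen or day > seen[peer]:
            seen[peer] = day
    return seen


def assess_risk(log_text, register, today, max_age_days=365):
    """Classify each connecting third party by assessment status.

    'unregistered'   connected but absent from the register (the free pass)
    'never_assessed' registered but no assessment on record
    'stale'          last assessment older than max_age_days
    'ok'             assessed within the window
    """
    findings = {}
    for peer in parse_peers(log_text):
        if peer not in register:
            findings[peer] = "unregistered"
        elif register[peer] is None:
            findings[peer] = "never_assessed"
        elif (today - register[peer]).days > max_age_days:
            findings[peer] = "stale"
        else:
            findings[peer] = "ok"
    return findings


def report(today=TODAY):
    """Run the reconciliation over the constructed inputs."""
    return assess_risk(ACCESS_LOG, PARTNER_REGISTER, today)


def needs_action(today=TODAY):
    """Only the peers a CISO has to act on, worst first."""
    order = {"unregistered": 0, "never_assessed": 1, "stale": 2}
    return sorted(
        (p for p, s in report(today).items() if s != "ok"),
        key=lambda p: order[report(today)[p]],
    )


if __name__ == "__main__":
    for peer, status in report().items():
        print(f"{peer:22s} {status}")
```

Run daily (or on every new session) rather than yearly, this turns the checklist into a feed: a partner that connects for the first time shows up as `unregistered` the same day, and an assessed partner silently ages into `stale` instead of being forgotten until the next audit cycle.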