I got into a bit of a tussle on LinkedIn the other day when someone used the recent Citrix and Wipro cybersecurity breaches as evidence of the need for more comprehensive scanning of all kit given access to corporate networks.
“They should practice what they preach!” noted one comment. It occurred to me that both Citrix and Wipro are very large, complex companies facing cybersecurity challenges and vulnerability concerns similar to those of any large, well-known company, including that of being a popular target. The quip prompted me to suggest that people seem to take a harsher line with vendors than with end-user companies, perhaps understandably, because their vulnerabilities expose their customers. But I questioned the validity of this stance.
Their customers, many of them large, established brand-name international companies as well as national government services, are often the reason they are targeted. I suggested that we should expect them to be vulnerable and comprehensively work this into the risk assessment, the implementation of the supplier service and the relationship, and then work with them to better understand the overall opportunities for resilience. I’m not sure I attracted any sympathy for this thought, as the LinkedIn conversation went on to suggest that suppliers need to recognise their liabilities and generally ‘up their game or risk disappearing.’
I didn’t (and still don’t) disagree with any of the points that were being made; I just struggled to see the solution in the reproach. The post actually had very little detail about the breaches. A review of news reports suggests that one was the result of a very sophisticated phishing attack and the other of a growing trend known as ‘password spraying’, with both taking advantage of the people in the organisations – a layer of vulnerability that every CISO and risk manager admits they have yet to crack, whether they work for a vendor or not. I doubt that falling victim to such attacks is proof that they don’t ‘practice what they preach.’
Organisations today are the sum total of their partners and suppliers. As economies globalised, companies initially evolved to focus on core competencies and collaborate with others on the rest. They are unrecognisable from what they were even 10 years ago, driven by cloud services, distributed supply chains and market expansion. Prevailing wisdom from most management consultants suggests the evolution is set to continue, with lines blurring between customer (particularly B2B), collaborator and supplier in organisations that are becoming multi-company ecosystems.
The risks that come with this ever-evolving complexity remain a key challenge for the Pulse CISO 360 community. At our 2018 Cyber Threat 360 Roundtable, security leaders questioned whether their assessments consider the cloud providers, their suppliers or their customers to all be part of the vulnerability landscape under view. It wasn’t uncommon for participants to have to manage not just 3rd party access, but also 4th party and beyond. All of this is being managed in a culture where companies are pushing to share, or ease access to, more information than ever. They recognised every new employee, piece of software and device across these relationships as an increase to the attack surface for every company involved. They shared accounts of certificates, DLP solutions and more being out of date. They were all in it together.
Perhaps the most telling of the experiences came from the retail participants, who revealed that their customers made their competitors’ systems a significant threat to their own. Online shoppers in the main use the same password across their retail accounts. Hackers need only focus on one company to steal credentials that could apply to all. It’s not realistic to change consumer behaviour, while business leaders operating in a very competitive market refuse to add friction to the online experience by insisting on more secure options. This thought takes me back to the reports of password spraying being behind the attacks on Citrix. Let’s surmise that an online retailer is a customer of a major cloud provider, and that bad actors are aware that retailers may represent a soft underbelly for the provider, which likely also hosts other high-value targets… Is it fair, appropriate, or constructive to conclude that the accountability sits with the cloud provider alone?
This is a tough question to answer, and one that I suggest is made even tougher by the adversarial nature of traditional customer-supplier relationships, which are defined by contract terms rather than by the context of what is being done. An obvious place to start was raised at the Pulse Talk to Board Conference last November, where delegates called for vendors and providers, whatever their size, to do a better job of articulating their culture of security, and suggested that conversations take place around the general approach, not just the contract on the table. They also admitted that one of the challenges in getting their arms around supply chain risk lay in the fact that the supply chain itself was too difficult to define. There is a clear need to acknowledge differing objectives across organisations and their impact on cybersecurity strategy. Vendors, suppliers and end-user companies all need to toss out the ‘us and them’ mentality and change the conversation if they are ever going to really take stock of what needs to be done. Talk to the Board delegates all agreed that getting it right represents a horizon of opportunity for the outward-looking CISO.
Pulse will be continuing this conversation as part of its annual 3rd CISO 360 Congress in Rome June 19-21.
Join keynotes, case studies, group exercises and panel discussions in Rome to benchmark with fellow CISOs on how they are transforming their 3rd and 4th party cyber risk management programmes; how supply chain flaws become endemic; the supply chain in crisis; and how to build resilience and governance across supply chains. Pulse facilitates a natural integration between in-house practitioners, their supply chain and technology innovators – we are all part of the same jigsaw after all!
Learn more about how you can join us and contribute within a confidential, professionally-charged environment.