Hackers implanted malicious code into the software-build process of SolarWinds’ Orion products in order to compromise customers’ Orion services using a backdoor and steal their data.
Speaking on a Dec. 23 webinar, Jim Routh, chief information security officer (CISO) of MassMutual, called the SolarWinds hack “a shift in the tectonic plates of cyber-security.” He recommended that companies and organizations think about what steps they can apply immediately from a cloud supply chain risk management standpoint. “This is a wake-up call for the enterprise,” he said.
Here are five things companies can, and should, do right now:
Start by having the right conversations. “The bottom line is that we’ve been having the wrong conversations,” said Bob Brese, vice president and executive partner at Gartner and former chief information officer (CIO) for the U.S. Department of Energy. Many conversations CIOs and CISOs have with the C-suite and the board focus on solving technical problems, rather than managing risk, he said.
“Not all vulnerabilities are created equal,” Brese added. In today’s cloud supply chain, for example, monitoring a fourth- or fifth-party relationship (so-called Nth parties) may take precedence over reducing the number of unpatched vulnerabilities in a system, especially one that isn’t carrying proprietary information that needs to be kept confidential or secret. It’s all about having the right conversations around the most critical aspects of your ecosystem, Brese said.
The C-suite and the board don’t have to be as technically competent as IT and cyber-security professionals, but they must be knowledgeable about the company or organization’s risk posture and where attention needs to be focused from a cloud supply chain risk management standpoint. “That will at least allow you to start to draw a line in the sand on what your organization’s risk appetite is on a day-to-day basis,” Brese said.
“With that, the CIO and CISO can make a lot of progress on securing the enterprise and managing fourth- and fifth-party relationships,” Brese added. “Those are hard conversations to have, because a lot of folks just haven’t given it much thought.”
Focus on building resiliency into the fabric of the enterprise. A key part of the conversation the C-suite and board have with the CISO and CIO should focus on how to build greater resiliency into the development, security, and operations (DevSecOps) pipeline. “Those are healthy conversations to have,” Routh said.
At the foundational level, it starts with robust software management: “Repository management is a big deal, not a little deal,” Routh said. The repository must be treated like a third party, requiring its own unique and specific set of controls, and software developers must be educated on making it more resilient, he said.
“The use of cloud services is going to continue to accelerate. Real-time, data-informed decision-making is critical.”
Bob Brese, VP and Executive Partner, Gartner
Technical jargon aside, think of it from a risk management standpoint: All companies and organizations use software. Software developers, in turn, increasingly rely on open-source components hosted by an Nth party, such as a cloud-service provider. Thus, simply by using software, most companies are dealing with third, fourth, and fifth parties as part of a single ecosystem.
“The entire supply chain is now tied to the development process,” Routh said. That creates a tremendous amount of risk for companies, and managing it demands a tighter set of controls and higher levels of scrutiny in an environment where cyber-criminals are only getting more sophisticated.
Baking controls into the ecosystem at the design stage helps to drive down IT costs, as well. “Doing it right the first time costs less than fixing a big problem downstream,” Routh said.
Do not ignore basic cyber-security…