Skip to main content
close search
site logo
Dive Brief

CISOs call for holistic enterprise approach to third-party security risk

Published April 21, 2021
David Jones's headshot
Reporter
Philipp Katzenberger for Unsplash

Dive Brief:

  • Following the SolarWinds supply-chain attack, as well as recent nation-state attacks like the 2017 NotPetya campaign, corporate risk officials need to take a more holistic approach in how they protect themselves against third-party risk, according to a panel of information security officers and other cybersecurity officials at the Shared Assessments summit last week. 

  • Companies need to build operational resilience across the entire spectrum of security, evaluating everything from business continuity policies to physical security, operational security and environmental sustainability, according to Edna Conway, VP and chief security & risk officer, Azure at Microsoft, speaking during the summit.  

  • "I think an architecture that blends these two [security and resiliency] is something we all need to move to and SolarWinds was but one example of why we need to look at ourselves holistically, internally and across our third-party ecosystems," Conway said.

Dive Insight:

The rise in supply chain threats has forced thousands of companies around the U.S. to reassess their risk posture, as threat actors have taken advantage of vendor relationships and privileged access to open up new vectors of attack against targeted customers.

What has emerged in recent cyber campaigns, including NotPetya, the 2017 CCleaner hack and now SolarWinds, is that the new threat vector is to compromise a company's product in order to then attack its customers, according to Dawn Cappelli, VP and CISO at Rockwell Automation, a manufacturer of industrial control products.

"What was new about SolarWinds was the way that they attacked the development environment," Cappelli said. "They didn't just go into the source code repository and tamper with the code, they had a very specific target which was the build environment itself. And we've never seen that before."

Rockwell Automation is conducting risk analysis and threat models of its build environment and has formed a working group with other companies to review. The company has also started asking more questions of critical suppliers that may pose a potential threat to the company.

Companies have recently stepped up assessments and monitoring of third-party vendors, demanding extensive compliance checklists, questionnaires and using other screening methods. 

However, this approach is not always considered an efficient method of ensuring safety. Companies should not become overly reliant on annual assessments with thousands of questions, according to Erinmichelle Perri, CISO at The New York Times. 

"If we look at SolarWinds, what saved us was strong security programs, not 4,000 questions that the vendor had to answer about the state of their security programs," Perri said. 

She much prefers using a centralized source like Security Scorecard or Bitsight, in order to get real-time information. 

Filed Under: Strategy

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell