Everyone needs to have Seven Critical Security Conversations with their vendors, supply chain partners, and the other organizations that help with their security and resiliency posture. The wave of supply chain security conversations sparked by the Bloomberg articles has people talking (see The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies and related articles). The increased interest in supply chain security is important. It is feasible for threat actors to sneak in a backdoor, exploitable code, or some other secret tap. Just thinking about these threat vectors is a great source for a movie script. The problem is that reality is not a movie. While worries and concerns over this sort of threat vector are legitimate, other, more immediate threats exist. It does no good to pull in your vendors and ask whether they are validating the design of their ASICs when more basic security questions have yet to be answered.
There are seven Security Conversations that CIOs and CISOs need to have with their vendors. These security conversations help you understand the security risk each vendor poses to your network. Your existing team can do this “risk discovery” (no need for security experts). It requires common sense, consistent time, and continuous dialog. These seven Security Conversations are listed in Demanding Security from your Vendors.
This Security Conversation Guide offers a simple and meaningful way to structure those conversations. The seven security conversations help an organization determine the real security risk from its vendors. This is an updated version of a set of questions Operators (and vendors) can use to have these meaningful conversations. With it, anyone can learn how to demand security from their vendors.
Conversation 1 – Review the Vendor’s Vulnerability Management Process
Conversation 2 – Review the Vendor’s Security Development Lifecycle
Conversation 3 – Review the Vendor’s Healthy Interaction & Transparency
Conversation 4 – Joint Vulnerability Reaction Plan
Conversation 5 – Cryptography – The Toughest Questions
Conversation 6 – Review Industry Certification
Conversation 7 – Deep Supply Chain Security
The Security Conversation Guide is a living document. In version 1.5, we’ve added the 7th security conversation on Supply Chain Security. None of the conversation questions is designed to put anyone in an untenable position. Every question is meant to open a dialog about security expectations within the industry. The Guide helps the team under the CIO/CISO map each conversation, learn from it, and build security action plans based on what they learn.
Are you looking for more practical, Critical Security Conversations?
- Subscribe to the Senki Community Mailing List. You can sign up for the mailing list for updates here: Stay Connected with Senki’s Updates.
- Subscribe to Senki’s YouTube Channel for videos on this and other security topics.
- Send questions to Barry Greene – bgreene@senki.org
The materials and guides posted on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security guidance for all Operators, with the details they need to build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.