There are 7 Critical Security Conversations everyone needs to have with your vendors, your supply chain partners, and other organizations who help with your security & resiliency posture. The wave of supply chain security conversations that was sparked by the Bloomberg articles has people talking (see The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies and related articles). The increased interest in supply chain security is important. It is feasible for threat-actors sneak in a backdoor, exploitable code, or some other secret tap. Just thinking about these threat vectors is a great source for a movie script. The problem is that reality is not a movie. While there are worries and concerns over this sort of threat vector, other more real threats exist. It does no good to pull in your vendors asking for answers on “if they are validating the design of their ASICs” when there are more basic security questions yet to be answered.
There are 7 Security Conversations that CIOs and CISOs need to have with their vendors. These security conversations help understand the security risk each vendor poses to your network. This “risk discovery” can be done by your existing team (no need for security experts). It requires common sense, consistent time, and continuous dialog. These 7 Security Conversation are listed in Demanding Security from your Vendors.
This Security Conversation Guide offers a simple and meaningful security conversation guide. These 7 security conversations would help the organization determine the real security risk from their vendors. This is an updated version of a set of questions Operators (and vendors) can use to have these meaningful conversations. With it, anyone will learn how to demand security from your vendors.
Conversation 1 – Review the Vendor’s Vulnerability Management Process
Conversation 2 – Review the Vendor’s Security Development Lifecycle
Conversation 3 – Review the Vendor’s Healthy Interaction & Transparency
Conversation 4 – Joint Vulnerability Reaction Plan
Conversation 5 – Cryptography – The Toughest Questions
Conversation 6 – Review Industry Certification
Conversation 7 – Deep Supply Chain Security
The Security Conversation Guide is a living document. In version 1.5 we’ve added 7th security conversation on the Supply Chain Security. All the conversation questions are not designed to put anyone into an untenable position. All of the questions are a leading dialog for security expectations within the industry. The Guide helps the team under the CIO/CISO map the conversation, learn from the conversations, and build security action plans based on the conversations.
Need Security Advice?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.