Can CISOs at smaller enterprises wield enough influence to square the third-party security circle?

News by Davey Winder

Persistence, consistency and flexibility are the keys to driving security strategy in smaller enterprises, which means being clear about strategy and about the next steps needed to improve security maturity.

The latest Cisco cyber-security report, The Security Bottom Line: How Much Security Is Enough?, reveals a lot about the struggles facing CISOs as they juggle budgets, people, process and technology. Perhaps the most worrying statistic within the report relates to the influence that the CISO wields when it comes to third-party supply chain security; worrying, that is, if you happen to be the CISO at a smaller enterprise.
With an intent to explore how much money organisations should be spending on security, and where it should be spent, the Cisco report posed these questions against a backdrop where enterprises have multiple security solutions in play yet still fall victim to a breach. With input from 80 security professionals, as part of a double-blind survey, the report attempts to outline the key factors for security success. It also succeeds in revealing the security struggles facing the enterprise CISO.
So, for example, 84 percent of those asked admitted they could afford only some of what they recognised as being the minimum amount of security needed to properly secure their business. That particular statistic also revealed something that becomes a theme as you delve into the report: smaller enterprises struggle the most. Of those with between 1,000 and 9,999 employees, only seven percent had the budget to buy all they needed. Hardly surprising, then, that 43 percent of enterprises also admitted to taking shortcuts when it came to incident response. One example given was the total wiping of infected systems rather than removing the malware alone.
Yet it is that smaller-organisation imbalance that revealed itself over and over again, nowhere more so than when it came to dealing with third-party supply chain risk. The researchers found that CISOs at larger enterprises fare much better in this regard, while the smaller organisations, which are often far more dependent on those external partners, remain exposed to a far greater risk.
So, while 86 percent of enterprises with more than 10,000 employees reported that they received threat intelligence regarding vulnerabilities and incidents from their third-party vendors and partners before it went public, for smaller enterprises with fewer than 1,000 employees the figure dropped to just 60 percent. Similarly, 38 percent of enterprises with an annual security spend of at least US$ 1 million (£775,000) were "always able" to add security-related terms and conditions to their third-party supplier contracts, compared with just 17 percent of those with a quarter of that budget or less.
Which leads to the question of how smaller enterprises can best counter this imbalance, especially given that they are the ones most likely to be dependent upon those external partners in the first place? How, in other words, can the CISO of a smaller enterprise wield enough influence to make a difference in the face of these statistics?
"The easiest way to exert influence on a supply chain is via information flow," Tim Mackey, principal security strategist at Synopsys CyRC (Cybersecurity Research Center) told SC Media UK. Mackey cites an example of a CISO implementing a procurement process which includes a security review of any binaries delivered as part of the contract. "This process would look for items such as the vendor’s track record with security disclosures, a deeper review of the binaries for embedded open source usage which can then be mapped back to potentially unpatched libraries," he explains, "and importantly for any third party API or web services used by the binary."
Armed with this information, the procurement officer can then make the contract contingent on detailed disclosure of the nature of the identified risks and of the vendor's process for addressing them.
"Effectively this process communicates to suppliers that the CISO is serious about security information flows and expects all suppliers to provide timely information on any issues impacting the products and services part of the contract," Mackey says, while admitting that this might not result in an ability to modify contract terms, but "the effort clearly communicates the value the CISO expects from the contract."
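The kind of pre-contract binary review Mackey describes, as an added illustration rather than Synopsys's or any vendor's tooling: pull printable strings out of a delivered executable, match the version banners that common open-source libraries embed, compare them against a procurement baseline, and list the third-party endpoints the binary could call at runtime. The sample binary, the three component patterns and the baseline versions are all constructed for this example; the baseline is a hypothetical policy table, not advisory data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "binary": opaque bytes with a few embedded strings of the
# kind a vendor-delivered executable typically carries. Not a real artefact.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 32)) +
    b"OpenSSL 1.0.2k  26 Jan 2017\x00" + b"\x90" * 20 +
    b"zlib 1.2.8\x00" + bytes(range(200, 256)) +
    b"libcurl/7.29.0\x00" +
    b"https://telemetry.vendor-example.invalid/v1/report\x00" +
    b"\x00\x11\x12" + b"http://updates.vendor-example.invalid/check\x00"
)

# Version banners that these libraries embed in their builds. Extend as needed.
COMPONENT_PATTERNS = {
    "openssl": re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib":    re.compile(r"zlib (\d+\.\d+\.\d+)"),
    "libcurl": re.compile(r"libcurl/(\d+\.\d+\.\d+)"),
}

URL_PATTERN = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")

# Hypothetical procurement baseline: the minimum version accepted without a
# vendor disclosure. Illustrative values chosen for this example only.
POLICY_MIN_VERSION = {
    "openssl": "1.1.1",
    "zlib": "1.2.11",
    "libcurl": "7.64.0",
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components only; a letter suffix such as 1.0.2k is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_components(strings: List[str]) -> Dict[str, str]:
    """Map component name -> embedded version string (first match wins)."""
    found: Dict[str, str] = {}
    for s in strings:
        for name, pat in COMPONENT_PATTERNS.items():
            m = pat.search(s)
            if m and name not in found:
                found[name] = m.group(1)
    return found


def find_endpoints(strings: List[str]) -> List[str]:
    """Collect third-party URLs the binary may contact at runtime."""
    urls: List[str] = []
    for s in strings:
        urls.extend(URL_PATTERN.findall(s))
    return sorted(set(urls))


def review_binary(data: bytes) -> dict:
    """Produce the findings a procurement officer would take back to the vendor."""
    strings = extract_strings(data)
    components = find_components(strings)
    below_baseline = sorted(
        name for name, ver in components.items()
        if version_tuple(ver) < version_tuple(POLICY_MIN_VERSION[name])
    )
    endpoints = find_endpoints(strings)
    return {
        "components": components,
        "below_baseline": below_baseline,
        "endpoints": endpoints,
        # Cleartext HTTP endpoints deserve a specific question to the vendor.
        "cleartext_endpoints": [u for u in endpoints if u.startswith("http://")],
    }


if __name__ == "__main__":
    for key, value in review_binary(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

The output is deliberately a list of questions rather than verdicts: components below the baseline and any endpoint the binary talks to become items the vendor must explain and commit to patching before the contract is signed, which is exactly the information flow the procurement step is meant to establish.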
Persistence, consistency, and flexibility are the keys to driving security strategy in smaller enterprises, says Dan Pitman, principal security architect at Alert Logic. "Security leaders must persistently educate other leaders and management on the security landscape and news," Pitman continues, "find parallels in their industry and organisational size which are relatable."
They must also be consistent about strategy and the next steps that need to be taken to improve security maturity and try and drive changes in the organisation by being flexible with delivery teams, according to Pitman. "Try and find a new path of least resistance for them that benefits their processes but drives security thinking and maturity from the start," he concludes, "instead of fighting an uphill battle by starting at the operational end of the business."
