Evaluating and Reducing Supply Chain Risk
Vikram Asnani of CyberGRX Says the Supply Chain Is a Top Concern
Attacks on software supply chains can be difficult to detect yet devastating if one has occurred. But organizations can take steps to limit the risk from their suppliers, says Vikram Asnani, senior director of solution architecture with CyberGRX.
Third-party suppliers may send a certificate of assurance when questioned about their controls, but that's not good enough, Asnani says. The certificate is "just an attestation that someone has done it, and you're relying on that blindly," he says.
The biggest risks come from the long tail of suppliers that are likely never queried about their own cybersecurity practices. But there are detectable warning signs.
Asnani gives two examples: a supplier that has a patch management program in place but lacks visibility into all of its assets, or a supplier that has a SIEM but isn't collecting logs into it.
"Those are key red flags that people can quickly identify," Asnani says.
In this video interview with Information Security Media Group, Asnani discusses:
- What risks organizations face from their supply chains;
- How organizations can ensure suppliers are meeting baseline security controls;
- Why potential supply chain security problems may be missed.
Asnani has 15 years of global experience assisting clients with risk management, cybersecurity strategy, third-party risk, cloud migration, business continuity and data privacy, through advisory and managed services offerings, with a motto of using technology as an innovative solution for driving maturity. He is currently a solution architect for CyberGRX.