“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#3 Digital supply chain risks
Businesses have become increasingly dependent on their digital supply chain, to the extent that if a critical vendor like Salesforce, Microsoft or Amazon were to crash, some firms would have no recourse.
"Does your organisation really understand the risks associated with your vendors?" Furtado asked.
More to the point, do your teams understand the risks they are associating with your business by bringing new tools into the organisation?
Action plan:
- Develop a joint governance model with business stakeholders, who need to understand the risk of making some decisions.
- Classify major digital supply chain partners by their importance to the business.
- Require regulated or high-risk partners to provide evidence of security best practices. Anyone can say they're ISO 27001 certified or have a SOC 2 report, but sometimes those claims are exaggerations at best. Look at their security reports.
- Build detection and resilience capabilities for mission-critical supply chain partners, e.g. Salesforce.
"If a vendor tells you they'll inform you of any security risk in your environment, you say 'No - tell me of any risk in your environment.'"