It’s Who You Know

What if your new software arrives, you unpack it, install it, and find it infected with malware? Researcher Hart Rossman, who co-authored a cyber supply chain white paper in June, says cybersecurity teams are “probably not prepared to deal with it” because they tend to be focused on finding viruses.

In an article on the Information Week website, J. Nicholas Hoover says a new school of practice advocates a security approach that encompasses a whole lot more than just securing the perimeter of a computer system.

“That view [which draws the line at the firewall] fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise,” Hoover writes. Much like a manufacturing supply chain, managing a cybersecurity supply chain should cover product assembly and acquisition, data sharing, the security of IT systems and software, and everything in between.

Rossman and his colleagues at IT services firm SAIC worked on the June white paper with researchers at the University of Maryland's Robert H. Smith School of Business. He said few supply chain managers or supply chain risk managers have aligned their mission with their computer security center.

Jim Lewis, director and senior fellow of the Center for Strategic and International Studies’ technology and public policy program, warned, “We’re no longer living behind a moat. It’s not just how secure you are, but how secure the people you connect with are as well.”

To read the article, please click here:
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499