#RSAC Interview: ISACA Discusses its New Supply Chain Report

This week, ISACA released its Supply Chain Security Gaps: A 2022 Global Research Report, which received responses from more than 1300 IT professionals with supply chain insight. Worryingly, 25% of respondents admitted that their organization experienced a supply chain attack in the past 12 months. Meanwhile, over half (53%) expect supply chain issues to stay the same or worsen over the next six months.

Another concerning finding from the global survey was that 30% of respondents believe their organizations’ leaders do not have a sufficient understanding of supply chain risk. Additionally, under half (44%) indicated they have high confidence in their organization’s supply chain security, with the same percentage having high confidence in the access controls throughout their supply chain.

The top five supply chain risks cited by the IT professionals were ransomware (73%), poor information security practices by suppliers (66%), software security vulnerabilities (65%), third party data storage (61%) and third-party service providers or vendors with physical or virtual access to information systems, software code or IP (55%).

To gain a deeper perspective on these findings and what it means for supply chain security more generally, Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security, spoke exclusively to Infosecurity during the RSA Conference 2022.

Were you surprised that 25% of respondents said their organization experienced a supply chain attack in the past 12 months?

That is the figure that surprised me; I did not think it would be that high. Obviously, many organizations have experienced attacks in the past 12 months, but I didn’t think so many would be attributed back to the supply chain. It definitely shows that this is a growing problem, although I want to emphasize it’s not a new problem. The idea that you have vulnerabilities because of one of your supplier’s products has been around for a long time, but there’s been an increased focus on figuring out how to tackle that.

Are you encouraged that more organizations recognize the threat of supply chain attacks?

I think the attention that’s being put on it by organizations is encouraging. More importantly, the vendors who are part of the supply chain are taking it very seriously. However, I do think you can fall into some traps and go into a mode of going down a legal path with huge questionnaires, which is not the right approach for managing the supply chain.

Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security
Rob Clyde, past ISACA board chair, NACD Board Leadership Fellow, and executive chair of the board of directors for White Cloud Security

What are your thoughts on the figure that 30% of respondents believe that their organization’s leaders do not have a sufficient understanding of supply chain risk? Why do you believe this is the case?

We’re specifically talking here about the software supply chain. Think about when you get a software product; how do you know what else is in that product? It’s not only built with that company’s proprietary code; it’s probably got open source and other libraries and code in it that came from other companies. Therefore, it is key to include an inventory, a bill of materials. That way, when it emerges that a piece of open source has this bug, you have a way of seeing what other products have that bug. Just by quickly asking that question and getting an answer, you’re going to be sorting through several different suppliers.

How can organizations gain a better understanding of supply chain risks?

I am a big fan of learning from the community – come to events like RSA and look to non-profit organizations like ISACA that provide security training and intellectual webinars on this subject. One of the things that shows up is that organizations with people who have certifications like ISACA’s CISA® certification on the IT auditing side have a reduced supply chain risk. Taking a certification does show a certain level of dedication and learning.

What were the biggest takeaways from the report regarding how organizations should improve their supply chain security?

One is being cautious about increasing the number of questions you ask vendors. How are you going to plow through all of those things? A few key ones work better. These should focus on a better understanding of processes, particularly around security, that a supplier organization uses. For example, do they have software composition analysis?

Additionally, many vendors are doing pen tests on their products, so you should ask for the pen test report. Also, many are running through static and dynamic application security testing. Those kinds of tests need to be part of the process, asking for something that demonstrates the security of their product beyond questionnaires. That would encourage vendors to not just mouth the words’ DevSecOps,’ but actually demonstrate they are doing it.

Were there any other aspects of the report that surprised you?

The other parts of the survey were kind of what I was expecting. There was no surprise that ransomware was the top concern. So I saw much validation that we are more concerned about the supply chain than before, and we understand that one of the key risks is ransomware. We are still in the early stages of being able to manage our supply chains, and vendors are still in the early stages of providing the necessary information to make it easier to manage our supply chains.

Were there any positive aspects of the report?

In many ways, the report is a little pessimistic, and that’s a fair reflection. When you think about it, as a world, we’ve been hit between the eyes on the supply chain problem over the past year. On the positive side, we realize we’ve been hit between the eyes, and most organizations, both on the supply and consumption sides, are aware of this problem and trying to figure out what to do. The challenge is choosing the right things to do and not wasting time doing things that aren’t going to be helpful.

What’s Hot on Infosecurity Magazine?