My longtime friend Jim Ball, CISO of the Western Area Power Authority, sent me an interesting article from SC Magazine this week. It described a report by the cybersecurity services company BlueVoyant. The report was based on a survey of CISOs in five countries, although this version of the report discussed mainly the US results. The CISOs were in a range of industries, including “utilities and energy”.
The article had some pretty striking findings, so being skeptical of them, I downloaded the report itself. I found it was based on a survey of over 300 CISOs in all industries, and it seems to be credible. Among the most interesting findings were (quoting from the article):
· “92 percent of U.S. organizations suffered a breach in the past 12 months as a result of weakness in their supply chain.” The report didn’t say exactly what form these supply chain breaches took, which was disappointing, but that alone is no reason to distrust the report.
· “When four other countries (the U.K., Singapore, Switzerland and Mexico) are included in the research, 80 percent of the more than 1,500 CIOs, CISOs and CPOs suffered a third-party-related breach in the past 12 months.” So it seems the US isn’t alone in having this problem.
· “ ‘Time and again, as organizations investigate the sources and causes of malicious cyber attacks on their infrastructures, they discover that more often than not, the attack vector is within the infrastructure owned by third-party partners,’ said Debora Plunkett, who sits on the BlueVoyant board of directors and was formerly the NSA’s director of information assurance.”
· “A third of the survey respondents said they had no way of knowing if a risk emerged in a third-party’s operations, while only 31 percent said they monitor all vendors, and only 19 percent monitor just critical vendors. (According to the report, U.S. organizations use an average of 1,420 vendors.)”
· 31% of US survey respondents monitor all of their vendors. 19% monitor just the most critical vendors. 33% don’t monitor their vendors at all.
· Only 42% of respondents said they work with their vendors to fix problems they have identified, which is interesting. If you know an important vendor has security problems, why wouldn’t you at least follow up with them to see how they are coming along on fixing them? That is the best way to make sure they actually do something about the problems. Simply requesting that the vendor do something, whether in contract language or just by a phone call, doesn’t in itself mitigate any risk; the vendor has to do what they said they would do. You may not be able to get them to keep their promise, but you need to try (and by the way, not following up could result in a CIP-013 violation).
· On the other hand, 86% of respondents said their budgets for third party risk management were increasing. Which is good, of course.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.