The latest research shows that more than 80% of organizations have experienced a data breach as a result of security vulnerabilities in their supply chains. It’s crucial that all companies understand the risks that can live inside their supply chain and foster a culture of organization-vendor cross-collaboration in order to prevent and minimize those risks. This is where CISO leaders like Lena Smart step in.
Lena Smart is the CISO at MongoDB and has more than 20 years of cybersecurity experience, from fintech to the New York Power Authority, the largest state power organization in the country. More recently she has worked on supply chain risk management at a few government agencies, Scissor and at SCC, which has given her a bird’s eye view of how we can tackle this problem. Furthermore, in light of the SolarWinds hack, Lena believes that it is more important than ever to create a secure environment within the US and globally.
So how do we secure our supply chains?
Businesses need to understand the different moving parts and highlight the risks with each supplier. Supply chain information risk management should be embedded within existing procurement and vendor management processes. The real key here is to share the information with your peers and customers to ensure everyone is secure.
Lena’s past experience working in a power plant really hammers this home. Critical infrastructure takes the supply chain more seriously, especially if you are building a power plant, a nuclear power plant, or even a hydro plant. You have to be aware of the provenance of each piece of equipment that comes into the building, right down to the screws. Plus, the Federal Government has over 13 policies that you have to adhere to, including training and code integration, to secure the power industry.
The supply chain as a whole is only truly secure when all entities throughout the supply chain carry out effective, coordinated security measures to ensure the integrity of supply chain data, the safety of goods, and the security of the global economy.
So how do SaaS companies fit into this risk?
MongoDB works with a number of SaaS companies, and to a certain extent businesses can control who they are buying their software from. It’s when you get down to the nitty-gritty that you need to ask certain questions about the source code, for example: who does the code reviews? What is your code lifecycle? This is where you need a robust onboarding process that follows particular industry rules. Also, mapping the flow of information and keeping an eye on key access points will unquestionably remain crucial to building a more resilient information system.
As organizations and their partners become increasingly interconnected, cybersecurity risks can endanger all parties involved. And even when your business is protected by sophisticated security tools, you may never be certain your suppliers have the same methods of protection in place. This is why you should never ignore any potential supply chain cybersecurity risk when it comes to protecting your company and its sensitive information. Ultimately, there needs to be trust and constant communication between all third parties.
What about code checking?
Do you know who checks your code? How do you prove your code is 100% accurate? Lena will be discussing this in depth at our Spotlight on Cybersecurity event on April 7. Tune in to the Supply Chain Risk Management session, 1:30 PM – 2:15 PM EDT, to find out more.