
CISO’s guide to managing supply chain risks

by Sharat Sinha
June 28, 2022
Photo by Andrea Piacquadio from Pexels: https://www.pexels.com/photo/man-in-black-suit-writing-on-a-white-bond-paper-3761506/

Supply chain attacks are not new. The infamous SolarWinds attack laid the foundations for a supply chain attack frenzy. 2021 saw numerous sophisticated attacks such as Codecov in April and Kaseya in July, concluding with the Log4j vulnerability that was exposed in December.

Closer to home across the APAC region, we also see similar examples of supply chain attacks in the healthcare, automobile, and critical infrastructure sectors, just to name a few. The striking impact achieved by this one vulnerability in an open-source library demonstrates the inherent risk in software supply chains.

As a Chief Information Security Officer (CISO), you are responsible for your organisation’s information and data security, keeping them safe from both internal and external threats. As the cybersecurity landscape changes, your responsibilities widen to cover a broader attack surface, especially as more work-from-home (WFH) policies are implemented, and the CISO role itself evolves beyond a purely security function. However, if you have an insecure vendor in your chain of trust, your organisation will only be as strong as its weakest link.

A supply chain attack takes advantage of trust relationships between different organisations and targets the weakest link in the chain. This is especially true as cybercriminals will face greater resistance from larger organisations that are better prepared for cyberattacks.

As a result, smaller and less secure third-party vendors are an easy way in. Modern software applications, such as websites or mobile phone apps, are built using complex supply chains of third-party libraries or open-source components.

This makes the work of software engineers easier: after all, why reinvent the wheel when there are off-the-shelf solutions? However, this is also where things can spiral out of control.

Cybercriminals know that third-party providers often prioritise speed to market over security, which means their code can more easily be intercepted and compromised.

By the time that code is used by a software engineer within an organisation, it could well be too late, and the final software application risks being compromised too. Attackers understand that DevOps teams are driven by speed in order to make organisations more agile.

As a result, those teams often develop and deploy applications without the necessary security checks, and attackers take advantage of exactly these sacrifices of security.

Furthermore, there is no good way to partition third-party libraries or code from your organisation’s in-house code: it all runs with the same privileges.

That means anything the application can do, every library it loads can also do. So, if the application can access your database, there is nothing to stop one of its libraries from doing the same.

What can be done to mitigate these risks?

Supply chain attacks take advantage of unsecured trust relationships between a company and other organisations. Therefore, protecting against supply chain attacks requires a zero-trust approach to security.

Across the industry, security professionals are designing and rebuilding their strategies around a Zero Trust approach, one that trusts no user, device, or system, neither inside nor outside the perimeter.

While partnerships and vendor relationships are good for business, third-party users and software should have their access limited to what is necessary to do their jobs and be continually monitored.

Internally, it is also important to keep in mind some ways to mitigate the risks of these attacks:

  • Implement Least Privilege: Many organisations assign excessive access and permissions to their employees, partners, and software. These excessive permissions make supply chain attacks easier to perform. Implement least privilege and assign all people and software only the permissions that they need to do their job.
  • Perform Network Segmentation: It is usually impossible to gain complete visibility into the networks of the third-party software providers and partner organisations a company works with, due to legal constraints or other factors. This lack of visibility makes it difficult to monitor their supply chain security and the devices connected to their networks. Therefore, it is important to limit the access of third-party vendors and use network segmentation to break the network into zones based on business function. This way, if a supply chain attack compromises part of the network, the rest of the network is still protected.
  • Follow DevSecOps Practices: By integrating security into the development lifecycle, it is possible to detect whether software has been maliciously modified before it is deployed.
  • Automated Threat Prevention and Threat Hunting: Security Operations Centre (SOC) analysts should protect against attacks across all the organisation’s environments, including endpoint, network, cloud, and mobile.
  • Leverage Artificial Intelligence (AI) and Machine Learning: Smaller IT and security teams may be overwhelmed, and their visibility can be obscured by the sheer volume of data. AI and machine learning capabilities can help mitigate the risks, prioritise tasks and enable security teams to focus on what is critical across their digital environment.

At the same time, organisations need to understand what commercial and open-source products they are using and be aware of and prepared for potential attacks using legitimate software as a vector. Adopting a hygiene-focused “prevention-first” approach to your organisation’s security architecture will give you full visibility into your IT environment and help address any blind spots.
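One concrete form of the DevSecOps check and inventory discipline described above is to pin every third-party dependency to a reviewed hash and fail the build when the fetched artefact no longer matches. The following is an added example, not code from the article or from Check Point; it assumes a simple hypothetical lockfile format (`name==version sha256=<hex>`) and uses constructed sample data.

```python
"""Dependency integrity gate for a DevSecOps pipeline (added example).

Assumes a hypothetical lockfile format 'name==version sha256=<hex>' and
that the raw bytes of each fetched artefact are available. Sample data
below is constructed for illustration.
"""
import hashlib
import re

# One hash-pinned requirement per line; anything else is rejected, not skipped.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[A-Za-z0-9_.]+)"
    r"\s+sha256=(?P<digest>[0-9a-f]{64})$"
)


def parse_lockfile(text: str) -> dict:
    """Return {name: (version, sha256)}; raise on lines without a hash pin."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOCK_LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a hash-pinned requirement: {line!r}")
        pins[match["name"].lower()] = (match["version"], match["digest"])
    return pins


def verify_artifacts(pins: dict, artifacts: dict) -> dict:
    """Compare fetched bytes ({name: bytes}) against the lockfile pins.

    Status per name: 'ok', 'hash-mismatch' (altered after review),
    'missing' (pinned but not fetched) or 'unpinned' (fetched, never reviewed).
    """
    report = {}
    for name, (_version, expected) in pins.items():
        data = artifacts.get(name)
        if data is None:
            report[name] = "missing"
            continue
        report[name] = "ok" if hashlib.sha256(data).hexdigest() == expected else "hash-mismatch"
    for name in artifacts:
        if name not in pins:
            report[name] = "unpinned"
    return report


# Constructed sample: the reviewed build of 'parsekit' and a copy altered afterwards.
REVIEWED = b"def parse(x):\n    return x.strip()\n"
TAMPERED = REVIEWED + b"# one extra line appended after the review\n"
LOCKFILE = (
    "# generated by the dependency review step\n"
    f"parsekit==1.4.2 sha256={hashlib.sha256(REVIEWED).hexdigest()}\n"
    f"netutil==0.9.0 sha256={hashlib.sha256(b'netutil-0.9.0').hexdigest()}\n"
)


def run_check(artifacts: dict) -> dict:
    """Build gate: the build should proceed only if every status is 'ok'."""
    return verify_artifacts(parse_lockfile(LOCKFILE), artifacts)
```

A mismatch, a missing pin, or an unpinned artefact each point at a different gap: tampering after review, a dependency that silently dropped out, or one that entered without review.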

Not limited to technical issues

In today’s world, a CISO’s job is no longer purely technical. Because security management has become more complex, CISOs need technical knowledge, leadership skills and a clear sense of business risk.

They are expected to show political discernment and business sense, and even to be persuasive communicators who can win board buy-in for solutions and mitigation efforts, present explanations and articulate the impact of breaches, as in the case of Okta’s recent compromise.

Needless to say, the responsibilities of a CISO have drastically changed over the past decade due to the evolving security climate. As more and more applications are added to your IT ecosystem, security teams often struggle to keep updated on who is installing such applications and where. As a result, these applications can quickly become a liability.

Therefore, organisations need to have cutting-edge solutions to safeguard their assets. Good security infrastructure should adopt the BEST approach to security consisting of:

  • Block threats in real-time: It should always be prevention, not detection
  • Everywhere: Consolidated across networks, clouds and users
  • Smart: Possess the capability of AI-powered prevention and operations
  • Trusted: A reputable vendor that is trusted by other customers and industry experts

Look out for security solutions that can offer the BEST approach spanning mobile devices, network attacks, corporate emails, web servers, endpoints, IoT devices and cloud environments.

In cybersecurity, there are no alternatives. It is already too late if you discover a compromise in your system as it means that the cybercriminals are already through the door and in your network. Manage your risks, and don’t let your organisation become an enabler for cyber criminals to achieve the next big supply chain attack.

Sharat Sinha

Sharat Sinha is the vice president and general manager for the Asia-Pacific region at Check Point Software Technologies. He leads the region with responsibility for growing the business in Asia Pacific, a high-growth region for cybersecurity. With nearly three decades of leadership experience in Fortune 500 technology companies such as Cisco, Palo Alto Networks and VMware, and a sharp mind for implementing business strategies that drive results, Sinha helms the high-performing Check Point Asia Pacific team with a strong vision of protecting every business in Asia Pacific from the most imminent cyber threats. Excellent at building a platform for effective collaboration and a firm believer in bringing the best out of people by challenging them beyond their comfort zone, Sinha motivates his team to stretch for higher goals. Under his stewardship, the Asia Pacific team has expanded the business multi-fold, formed strategic partnerships that maximise the company’s commercial reach and enabled thousands of companies in Asia Pacific to conduct business in a secure environment. With a focus on developing cybersecurity talent, Sinha has also provided young people across the Asia Pacific region with career opportunities through mentorship programmes, supported cybersecurity talent development initiatives with local tertiary institutions and was instrumental in pioneering Check Point’s Young Professionals Program, which gave over 100 young people across Asia Pacific with limited experience but an interest in a cybersecurity career proper training and mentorship. Sinha holds a Doctorate in business management from the University of South Australia and a Bachelor’s degree in Electronics Engineering. He also holds a Postgraduate degree in Industrial and Management Engineering from the Indian Institute of Technology (IIT).