Recent APT campaigns that reached multiple sectors through a single shared attack surface have driven home the lesson that, however well we think we have secured our own perimeters, our information and systems may still be compromised through third-party systems with weak security controls. Individually we may each be resilient, but collectively we are not. As critical infrastructure relies ever more heavily on interconnectivity to function efficiently, our mindset needs to evolve to treat cyber-vulnerability not as an individual problem but as a collective one. Managing third-party risk runs deeper than many imagine and raises fundamental questions about how we go about building security into our systems and products. No single organisation can have a 360-degree view of supply chain security, so how can we develop the trust and the mechanisms needed to support a genuinely collaborative approach to security with our suppliers, partners and interdependent sectors?
- Nothing can be achieved in isolation: what are the barriers to meaningful collaboration between regulators, asset owners, integrators and vendors on mitigating cyber risk?
- Do all parties concerned have a voice, and is it listened to?
- Where might we be doubling our efforts and how can we streamline?
- What work needs to be done around liability and mediation?
- How are we faring with efforts to collaborate across the supply chain to develop fit-for-purpose standards regimes, audit compliance checklists and conformity assessments?