Is securing the Supply Chain all about Cyber?

hello everyone thank you for joining us today my name is Steve Shirley I'll be your host for this session so over the next 45 minutes we're going to be looking at the relationship between supply chain assurance and cyber security so cyber security plays a vital part in identifying and minimizing risk for Supply chains but how does Cyber risk and business risk fit together how involved should we be as cyber security practitioners and what does good look like these are some of the questions we're going to be tackling today and I'm very delighted to be joined by two guests which I'm going to introduce so first we have Hayden Brooks who is the CEO of risk Ledger Hayden was a cyber risk consultant for a big floor consulting firm for a number of years where he focused on supply chain assurance and through that work Hayden really get to see firsthand the friction between the inner workings of a complex supply chain Assurance program he realized that clients and suppliers could work better together and the result is risk Ledger which is a in short a security governance platform coupled with a secure social network that helps simplify the task identify risks and uncover potential vulnerability so thank you so much for joining us Hayden I'm also joined by Michael Wang who's a senior security consultant at wood secure so Michael has more than two decades experience in cyber security with a background in operational technology and Industrial Control Systems he's a blue Tamer here with secure he specializes in architecture reviews solution designs incident response in OT and it also helps companies develop robust OT and ICS strategies so gents thank you so much for joining me we've got a lot to talk about today and I want to get stuck in straight away so let's start with the first question Hayden I'm going to go to you first if I was to start a new company today and develop it from the ground up why should I think about supply chain risk and supply chain cyber security big question and so yeah thank you for for inviting me today um so to answer the question in brief I think supply chain risks kind of take two forms so firstly there's kind of a data confidentiality risk which is the more traditional one that we all know about we have a breach in the supply chain and data's leaked but more importantly when you're starting a company nowadays Outsourcing um has become a big thing and Outsourcing more critical functions of your company has become the norm and that leads to a resiliency risk so you might be starting a company but then relying on other companies for your company to be able to operate and that needs to be taken into account when you're starting a company because obviously you're essentially Outsourcing that responsibility to other people and if they um don't fulfill that responsibility essentially your company can't operate so it's a fairly Mission critical risk for new companies to think about especially with the emergence of technology and Cloud as well and Michael what about your thoughts on on this welcome to the welcome to the chat what do you would you like to chime in with yeah thank you Steve um thank you for having me um well I agree with Hayden um it's actually more and more important that new startups are looking into the fact that the modern world and the use of Technology provides a lot of positive means to expand and to grow but it also introduces new risks and hence supply chain is moving from the old more traditional looking at raw material materials and goods flowing into companies now it's also the fact that you're having your I.T Services sourced in and you're having all kinds of collaboration to do your daily processes work and that becomes more and more important hence to cyber secure that part like a lot of domains and security a lot of supply chain stuff relies on for example the procurement process being well oiled and goods and us having good data to work off and so when you're starting a company if you can get this fundamental processes right then essentially you're not going to be trying to retrofit or fix a lot of the missing data when you do come to worrying about supply chain risk maybe at a later stage yeah yeah and there's obviously also the part that you're also as you are relying on it to carry a lot of the business processes you may be developing your own applications hinge you might be relying on CI CD so internal development processes they also become part of that supply chain risk picture because you need to ensure that from your development environments to your testing to your production environments that's also a supply chain so it's important that everybody is on the same page and that you have clear definitions when are we talking supply chain is it internal supply chain or external Supply chains that's also to to confuse that picture yeah it comes up a lot with clients actually which happen to them around um I think a lot of people don't realize they they have three distinct Supply chains almost to their company they have their software supply chain if they're building software which is almost a completely different problem but kind of like a Venn diagram overlaps slightly with what I would call their corporate supply chain and which is more your traditional kind of list of companies and then thirdly you may have a logistics supply chain as well um and Logistics Supply chains again is different because the risk profile there is the right Goods not being at the right place at the right time which is distinctly different to security kind of in your corporate supply chain which is then different again to your software supply chain where it's all about dependencies um so yeah the more you dig into it the more complex it becomes I think that's going to be a theme isn't it for today it's a it's such a it's such a huge topic right and we've got a we only have about 30 minutes of questions um to kind of start to unpick so we're going to do our best and thanks guys for your thoughts um what I'd like to do actually is bring involved sorry is bringing our listeners so everyone is joining us thank you so much for dialing in from all over the world um we've got a couple of poll questions because we'd really like to get your thoughts uh on this topic and and have a bit more of an engaging discussion so we we actually have a a poll question which I'd like to bring up and you should be able to just answer this from the window that you're watching us talking so the first question I want to put to the audience is how helpful is it to have complete transparency and open information sharing around cyber security incidents and threats throughout your supply chain now that I don't know about what you guys think but that might seem like a really obvious question initially you might be like oh it's you know it's really helpful to have information but actually I think there's a bit more in that question to unpick um so what are your guys thought on having that much information around this challenge what are your thoughts to our staff audience that are putting in their answers it's kind of the Nirvana I think uh wanting that level of information so I've always said that I think a much better way of doing cyber threat intelligence and this almost is the basis for the future of risk Ledger is having a network of organizations all sharing that information amongst each other so you can see the attacks coming in and be able to propagate that operation information amongst all of your peers so that you can all defend against those same attacks um I think the biggest challenge to that at the minute is traditionally when you've had a supply chain attack typically procurement and lawyers will get involved and want to maybe switch supplier or look at potential other Alternatives and that disincentivizes the supply from sharing anything that they could deem as is almost risky to the contract they have with you and so there's probably some more deeper cultural issues there that mean it we can't reach that Nevada yet but I think the industry is moving in that direction for sure and then it's definitely helpful being able to share that information yeah let me add to that that I mean it then becomes evident that the procurement phase or the initial phase basis of setting up the the security controls and also later the the incident response processes it when you're dealing with other companies and have to have interfaces between the companies and the data you might detect the the attacks early on but it also becomes important to have a clear set of agreements as to do the incident responses especially the forensics can become challenging uh we were it's talking about sharing information and it's still we still have a way to go to reach the Nirvana Where we actually share openly because it's it is still a lot of places considered well this is our you know not so clean underwear so we don't want to share it yeah absolutely usually I throw you you just go through the question back at clients as well so I asked them if you had two supplies the same security maturity and but one with telling you about the breaches they were having and one wasn't which supplier would you rather work with and that's quite an interesting way of them thinking okay well I'd rather hear about the breaches which maybe then um having tough conversations where you are talking about canceling contracts with the suppliers isn't the way to incentivize that communication in a way absolutely yeah that's that's kind of what I was interested in that question that kind of what what level of information is actually useful some sometimes it's there's a difference between it's nice to know and actually how do you create value out of that information so um thanks for everyone who's who's added in their thoughts um kind of reflects what we've just been talking about I think which is uh which is always good to know so we're gonna I'm just looking at the clock we're gonna keep moving we've got loads to cover today so I'm going to get our next question for for our of our guests so this is quite an interesting one as well so how involved should we be as cyber security practitioners in the actual assessment of supply chain security risks and mitigations now how what where does our responsibility end and where is the responsibility of the business starts so let's let's throw that out into the mix maybe Michael how about we come to you for that first and then and then Hayden you can jump in yeah well I think it's important that we are involved in in actually all three of the kind of Supply chains that that we identified because even today the raw material flows into our companies uh or the logistic flows basically are also supported by uh smaller or larger parts of EDI or interfacing between companies and as soon as you have data electronic information flowing between companies they're probably flowing across the internet and there of course no doubt security cyber security becomes an issue and it has to be controlled so I think we need to be there that being said there are also specific you know more physical world uh considerations that the business need to do both about resilience and and other stuff but I think we're pretty important in in the full life cycle up and downstream on the ground and so I think like the software supply chain supply chain a fairly well established that security should have a huge amount of involvement in those on the logistics side interestingly I was speaking to a prospect of ours where it was an oil and gas firm and they had an attack where people were stealing uh cancers of oil essentially off the back of trucks but combined with that they were editing the ledgers at each one of the logistical kind of uh waypoints almost to remove those barrels there we go they're losing quite a lot of money uh from that and it was only after that incident that actually security came involved in the logistic supply chain as well so definitely should be involved across all three in terms of U.S responsibility for it it's an interesting one because um fundamentally procurement always had responsibility for the supply chain and making sure the supply chain is healthy but procurement aren't necessarily the subject matter experts within security and so security have to act as almost an advisory function to that but then ultimately the business has to win the risk and the way I tell clients to set it up is ideally you want your security team to be responsible for doing the review and then advising the business on what the risk is then it's up to the business to say whether or not they're happy with risk because at the end of the day they're the ones making the money and if for example you say supplier is hugely risky but it's done at triple your Revenue that might be something the business wants to accept and it's not really security is kind of remit to make that decision on their behalf so it's almost a shared responsibility um across security the business and procurement and any other kind of stakeholders and that needs to all be predefined when you set up the program so that's something that will be slightly different in each company that we speak to yeah and I think in that sense supply chain security is not that different from all the other security disciplines that we do in cyber because it's not as much you know finding the controls and implementing and deploying it's more having business involved and doing their assessments and actually evaluating how critical is this to the business resilience and making them do the judgment and then they point us in the right direction um I think that's a challenge also outside of supply chain but it's it's yep that's everyday business and it's a bit of a tangent there I think a lot of security people don't like the supply chain work and and that's probably for two reasons firstly it tends to be um like a kind of a spreadsheet monkey type rule where you're stuck in front of the spreadsheets just reviewing assessments kind of all day every day and secondly I think security practitioners feel like the work that they do there takes a lot of time and a lot of focus but doesn't necessarily lead to any real reduction in incidents or in risk and those two things are something we've we've spent a lot of time kind of looking at and trying to solve and just on the first point I think supply chain is actually one of the best domains for new peoples of the security industry to get trained up in because essentially you have to learn very quickly at a high level all of the different security principles and domains that you'd have to secure in your own business and you have to be able to repeat kind of those assessments across multiple other entities all with different risk profiles and that's a very very good way and to up still very quickly across security I always find it fascinating the kind of the that question of of it's I imagine Hayden is probably a question for you and your experience of working with clients across the space is are there instances where you know you could easily throw the kitchen sink of this problem right and having hundreds of Consultants deployed in uh and and maybe getting not as many games as you would you know potentially require for that kind of investment like is that a problem do you see kind of people kind of over overshooting um does that happen possibly so um one of the main reasons prospects speak to us is typically because security and people tend to want to be secure and so they're constantly trying to slow efficient processes down and delve into organizations own security kind of protocols and really understand them whereas interestingly procurement are typically pegged on the rate or speed at which they can bring new suppliers onto their preferred supply list and those two um differences in objectives ends up with a lot of friction kind of between the two teams and that's where I think you'll end up with a business's gearing suppliers and without going through security because they see it as almost a barrier um because of that so yeah says we see that a lot um it's all about collaboration and being able to turn that around is kind of the key there sure exactly great well speaking of collaboration let's let's go back to our to our audience so um we're going to do another poll question so fingers on the buzzers to everyone um we're going to follow on from our first question so we would like to to get your view having asked the kind of first question around having information for this poll question what do you think is the main reason that organizations don't openly share information in this way because there's a lot to unpack there as well so so let's have some thoughts and that's whilst everyone's answering um maybe maybe we'll throw that up to Michael and Hayden what do you think is your kind of gut reaction to why organizations maybe aren't as forthcoming this information is perhaps we'd like them to fit I'll let Michael go first well I guess the obvious one is the one I already um kind of alluded to earlier that that it's uh it's been considered a little bit strategic sometimes um the the information you have to share and and of course the fact that there are things you might not be doing as well as other expect you to it becomes you know a matter of when is the right time to actually share this information so I think that is still the most pertinent one but I also think sometimes it's it's a matter of not understanding the value of the information that you do share and I I think we have a challenge there and and as security practitioner I think we have an obligation to try to educate our management and our boards uh across the boards to to actually um to see the value in sharing this and I think the known incidents when you see companies doing good communication and sharing openly I think it's it's way better uh received by the public and by shareholders and I think in the end that that is that's important yeah it's okay that completely I think it comes back down to those uh difference in objectives between the two different types of of audience we almost have in the supply chain so you have your suppliers who use ultimate objective is to increase their revenue and win business and then we have our clients whose ultimate objective is to reduce risk and those two things often aren't the same and so many times for example if you're on the supplier side and you've had a massive incident your sales team might feel like talking about it might prevent the deal from going through it might slow deals down and and then on the flip side the suppliers almost have the burden of work here where if you imagine you're a technology company or any company really with a thousand clients every single one of those a thousand clients maybe wanted to dive into um past incidents into your own security posture um and so there's kind of yeah there's a capacity issue there it means suppliers are on the back foot and which means they try and Dodge these reviews and then also it's the fact that there's that commercial slot that security people they think often take into account foreign super interesting so we've got kind of a you know a large majority of our listeners are kind of agreeing about you know minimizing reputational damage and and that makes immediate sense to me I think what's what I'm finding interesting is you know we've almost got 25 people saying other uh so perhaps you know we've got a q a board perhaps everyone who's out there listening to this um if you're in the other category we'd love to know why I mean I'd certainly be interested so feel free to ask some questions to add some thoughts um we've got a whole team working uh behind the scenes to kind of digest that information so please please add your thoughts and and we can try and come back to them at the end I'm sure I'm sure Hayden and and Mike will be happy to uh to discuss some others the reputation wasn't just on the reputation Point that's a really interesting one as well because oftentimes and I think people uh think that disclosing an incident in the supply chain may impact their reputation but if I think back to all the incidents I've worked on or seen in the news the worst reputations have come out where people haven't disclosed or investigated an incident in the right way so typically we find an incident always kind of comes out and especially if there's been a data leakage because other people can see that that's okay and then it comes down to actually if you didn't announce it at the time you handled that completely incorrectly and that's often and more damaging than maybe being honest and transparent about what happened and what you did to rectify it really I think there's already some already some great comments coming in I'm trying to I'm trying to read them and and uh keep a look at some yeah some people kind of talking about kind of the embarrassment of getting caught that kind of yeah reputational damages is a real thing it's very it's a very human thing right kind of you're kind of intersecting a Venn diagram of accountability versus kind of uh human um uh yeah embarrassment and emotions like that which is as a in this kind of world is a real real challenge so it's a really interesting topic um so thanks everyone for for taking taking part in this and adding your thoughts we'll keep an eye on it and we've put some time together for Q a at the end so perhaps let's come back to it but I'm Keen to move on got a couple more questions I want to pick your brains on guys if that's all right with you so let's move on to the next question and this is really um hey you've already kind of alluded to it slightly but what does effective supply chain security actually look like can can you give us some examples from your experience of you know actual supply chain attacks and maybe they're not going to facts on that in terms of how that you know either bolts the insurance program or just let's get into some examples and what was an effective solution look like it uh so before the exams I think the most effective programs I have seen are where the programs are operating on top of really strong foundational procurement processes so they understand who their suppliers are what suppliers are doing for them what the inherent risk of their supplies is before they even go out and start running Assurance against them and then when running Assurance uh it's quite interesting we've I've seen um almost two uh impacts happen from supply chain breaches so the burst is you have a supplier that suffers an attack and it either um they they can't provide the service that they're providing to you or they have a breach and usual data and the other one that people often don't think about which I think is a lot more interesting and is where you might have for example a Federated um entity uh such as the government or the NHS and there may be a supplier that we'll call them pineapple and that Supply may work with multiple different government departments and if that supply for example fails it causes like a compound issue to the entire sector or to the entire government and that's what we call that a systemic or a concentration risk and the best programs and something that we will work hard on at rustedra is being able to identify not only which suppliers maybe are the least mature when it comes to security but which suppliers are going to have the biggest effect across the entire sector or ecosystem of companies they work with and they're the suppliers that we really need to focus on okay I'll think of some other examples in the background while Michael's there lasting answer yeah well I think to the to the experience part I I've I've seen companies of course and I mean you'll not with the the sourcing issue that that you're sourcing your I.T services from other companies and then suddenly um you get a knock on the door and and you're told that there is signs of intrusions in your company and you maybe get a hint and you start to hunt and then at some point you realize that hey they actually came in through a sourcing partner which had electronic access to parts of your network and then they they distributed from there and you were actually the end Target so it was a targeted supply chain attack which not used uh like the solarwinds a specific application but used the fact that they were able to find out that there was a supplier that had some form of interaction so they actually exploited that access path or attack vector and and I especially in the manufacturing world where you have a lot of Ip you have research departments I think that's that's something you need to be on the lookout for uh when you're selecting your partners and of course even though they are strong in security themselves and you are there's no guarantee you you you still might I mean we're only humans and it's not perfect by any means but but that that's that's one of the experience I've seen on numerous occasions so I think that's uh that's something to pay attention to the other um aspect of that that comes up a lot in conversations with our prospects is a lot of companies I see running supply chain Assurance within their procurement process but they're doing it at a service level or a product level and personally um I think that that's slightly wrong in the at the procurement level the question to be answering is is this company secure enough for me to feel comfortable working with them and then you should have a second control of the project level that looks okay well we're now buying this product from this company now we need to deploy it internally within this environment with this configuration and that requires almost a separate process at that project level to be done to look at the Assurance over that particular product and the reason for saying that is I've worked on a number of breaches where an organization has only done service level Assurance at the procurement stage and then and they've destroyed for example the corporate network of this supplier and not really looked any controls there and then that supplier has done and had a breach in their corporate Network and then the attackers have moved laterally into their production Network or they had a business email optimized which is very common and all of these legitimate email or malicious emails have come from a legitimate email address straight to all of your email filters because you didn't check any kind of email controls and so separating out those two different kind of like abstract levels of assurance is very important we're running in an effective supply chain security program yeah and I think we can actually use that as a jump place for one of the comments as to how can we involve cyber security to have a bigger interest in in into the supply chain security issues I I think one of the things is we could act we could actually just ask them I think they would be pretty much um engaged into any discussion and also for for the procurement people I think it's important to ask for that help because that gives that gives the company a possibility to actually give a set of procurement um Basics that they can hand out to any suppliers that are in in selection phase and and also living up to these security controls I mean one of the uh known issues around surrounding manufacturing companies or any otics company basically is the fact that they are often sourcing their their maintenance of their equipment and their physical processes and equipment to to third-party vendors and they bring their own equipment when they do these upgrades or updates um but there is no control as to how these whatever engineering stations are actually protected or cleaned frequently so adding that to the procurement that are setting down those slas with these vendor companies that that would actually add to the overall supply chain security because you would have better protection on a day-to-day basis also by the the vendors coming into your plans and sites interesting on on the the service level and organization kind of difference in assurance as well there's an interesting comment saying sharing too much information regarding a business security posture could constitute a threat to the business and oftentimes I actually heavily disagree with that unless you're sharing like a full pen test Report with actual operational vulnerabilities in it there's very little um operational data that I could use to attack a company that I wouldn't be able to get from seeing or an organization has some United States for example and so this information is already public the so you're not comparing having this information or not having this information you're comparing having this information from the supplier or and fixing the holes or um the supplier still giving that information out pretty much on the public web through certifications and stuff like that but just not being able to actually see the holes you need to fix so I think having that sort of um as long as you're not going too far and asking for like really operational data and that's almost you're ignoring the problem and hoping that that reduces your risk instead of really trying to fix it um personally but I've had a lot of deep discussions about that as well and I'm not saying I'm right there I agree 100 with you yeah I can imagine uh let's let's add on let's do another poll question quickly because I think this is going to touch on some of the some of the topics that we just talked about that so I'd be interested to bring everyone into this discussion as well so the poll question that I'd like to ask is is how confident are you in your ability to accurately assess the cyber security of organizations in your supply chain and I think it's really it's quite a deep question right because it's it's all well and good taking action based off of an assessment but actually how confident are you in that assessment and um it's certainly a topic that I'd be Keen to get the audience's view on and and yours hating them as well specifically because I mean this is going to go better right so what are your what are your thoughts on on your you know um do you believe that organizations have a really good grip mechanism to assess this or or is it often a lot harder than they perceive I think it's it's very hard and the reason for that is because if you work in security you understand how hard it is just to secure your own business and then often we're asking security teams to repeat that across a thousand suppliers where they don't even have direct control of the companies they're assessing and I used to say and uh my partners in my previous life uh didn't really like that Departments of the big four firms and I used to sit in front of experienced security teams for kind of three days on an on-site review in a data center that they'd picked and there's no way I'm going to find a flaw in three days in data that they're they've hand-picked to show me in a data center that they have picked it's kind of it seems like a lot of money is being thrown at the problem without any kind of real ability for us to change anything and that fundamentally is is uh what we've looked to solve with risk Ledger um it's yeah it's a difficult problem and and trying to understand which suppliers are vulnerable is as I said only half the issue the other half the issue is understanding what is the impact when something does go wrong and I think a lot of programs don't answer that second question at all and that's something we've we've spent a lot of time very foreign responses coming into some of the questions thank you everyone for your questions we've we were going through them we've got a couple to uh to tackle at the end but it's interesting seeing the results I mean the good news is no one said they're very confident so that's always that so we have a very um aware audience which is fantastic um but a quite quite an interesting spread from kind of someone through to not at all so yeah thank you it would be interesting asking a question which asks how confident are you and your own company's security and then comparing that poll with with this poll stay tuned round two um thank you everyone so I'm conscious that we're 30 minutes away we've only got 15 minutes left but I actually really want to ask the next question so let's move on to the next question and then we'll jump into a q a because I really want to talk about Cloud security um what about the risks related to the cloud services that we are consuming so what should the what would you I'm sorry what should we be asking about you know things like shared responsibility model um that CSP is currently use what are our thoughts on that maybe Michael will come come to you with your background on this what are the kind of the questions you'd be thinking about here within the cloud space well back to to um to the point about I mean it needs to be very clearly established which have what responsibility when it comes to incidents or critical events because at the end of the day that is what we're going to use and work with as security practitioners and I think the businesses themselves need to know exactly what they can expect from their cloud provider in terms of uh support in an event um so so I think that there's different viewpoints or perspectives here depending on whether it's before during or after an incident so so it's a it's a pretty big question actually but Hayden do you have any any experience on that yeah so um it's an interesting one because oftentimes uh again another conversation we have a lot with prospects is when you're talking to an organization who is either a cloud provider or all operates a business like a technology company that primarily uses the cloud they focus their questions again on um for example like okay I'm deployed in your cloud is my stuff secure and that's not really that's not the the threat you're trying to mitigate here the threat you're trying to mitigate here is if an attacker attacks AWS will they be able to breach AWS not reach my own personal VPC on my own personal environment that person environment is up to me to configure insecure I care more about somebody breaching the actual AWS infrastructure and then from there being able to do um naughty things and so I think being very clear in your understanding of what threats are you trying to protect against and then scoping your questions to only ask about the controls that realistically a cloud provider would be responsible for is uh the key there um yeah and I think one of the important parts to consider as a company is what kind of data do you want to put in the cloud so thinking or assuming that you might not be able to protect it as good in the cloud because you are relying on other people doing the right sort of security measures so do you want to just put everything up there or is there a certain part of your company data that is actually too important resource data or other stuff that you don't want to have out there so it also becomes kind of a more a business risk kind of consideration more than the cyber security consideration and and I think that shows very very well how Dynamic and complex these setups are how complex a world we are creating when we are using different providers and we're pulling in data from different sources outside of our own perimeter it becomes very important to know who's in charge of the master data and I mean yeah lots of perspectives that you can drop here and then go from there and I don't have any raw data to hand but from qualitatively from the breaches that we have heard from clients it is far far far more likely that an attacker has breached the company's own infrastructure in a company's own deployment within a cloud provider then it is an attacker has actually breached the cloud provider and from there gotten into many companies something like cloudhopper that actually tends to be quite a rare um a rare attack Vector is it's just a lot easier for me just because of the way Cloud infrastructure is configured than the multitude of different configurations and having to have clean code and all these kind of aspects to it it's a lot easier for me to breach a company than it is for me to reach a cloud provider and we tend to to see that as the main risk so that's slightly different Nation nation states Nations when you're trying to go after like a someone like for example solarwinds then it might make more sense to go after actually the cloud provider but that's um do you think Hayden though we've heard some really interesting comments and questions coming in from the audience around this so do you think that cloud providers should be held accountable within this kind of space in terms of you know ensuring you know patch management etc etc we've had a couple of questions coming in thank you for the audience for that do you think there should be a kind of an accountability they should be accountable for patching their own systems and their own infrastructure that our systems and our infrastructure sits on top of the catching our systems and our infrastructure I don't want our Cloud providers going anywhere near that because if they deploy a patch that then ruins my card infrastructure I've lost all my customers and so again it comes it's almost like there's two layers of kind of abstraction here there's the the underlying foundational layer which is what the cloud provider looks after and then each company builds their own kind of infrastructure on top and that I think is fundamentally what they mean by the shared and responsibility model they they should be accountable and they should be doing that foundational stuff correctly but then at the end of the day if you've spun up the virtual machine on the tab provider and you haven't patched it it's not the tab provider's responsibility or they shouldn't be accountable for uh going after you thought that absolutely that's good point so we've got a couple of questions coming in so let's do a bit of q a as we wrap up and then I've got a final poll question as well uh so I'm gonna ask some video questions coming in thank you everyone so here's one from from Andra so is it a good strategy to run automated real-time threat Intel on the supply chain and investigate suspicious alerts manually what do we think about that I say we don't do any um kind of threat Intel or vulnerability stands for Supply chains there are many tools like bits like that do um in now in a perfect world I think that actually would be a reasonable strategy to run in Practical terms it never really works and there's a couple of reasons for that so firstly um in terms of threat intelligence and particularly running domain stands and trying to stand public hierarchy infrastructure of suppliers um I have never seen a provider be able to give you anywhere near the accuracy and that you need to be able to run a program like that effectively so oftentimes they try and basically use TLS logs to find out the IP addresses of suppliers but end up standing the wrong thing your team get inundated with false positives false negatives you think of suppliers horrendously insecure it turns out if Supply they've scanned a completely wrong assets and so the way we advise clients to do this is basically to like layer up their Solutions so I think at the core you can't get away from running and a proper Assurance program where you're going to a company and and trying to find out across physical security across iot operations across software development you're trying to find out actually what controls do they have in place and then secondly if you want to supplement that information with some sort of external data like a threat intelligence feed or like um a standing tool that is the way we recommend clients set up their programs and and there are now also tools like ours for example wristler the way we work is instead of like static assessments the idea is you connect with the company and they almost use our platform to help manage and govern their security and so it actually turns that inside out view into a much more Dynamic and continuous way uh or continuous feed of information that you can then feed off of to find out actually what's going on across the entire security program within that company and yeah it's uh in an ideal world that would be perfect just external data showing you where to look which is practically I don't know if anyone in the audience would discrew that but practically I've never seen a program like that work at all yeah thanks anyway um I've got one more question that I'd like to ask from from Nicholas who's asked a couple of really interesting questions so thank you Nicholas out there so the one I want to ask is often when you ask for information you receive the reply business confidential regardless that you have the Clause giving you the right to do so so from my perspective it isn't that easy to do Assessments in depth do you have a suggestion on how to deal with this yeah so we see we see that a lot and particularly manual programs and funnily enough that's a symptom and being on the supply side in the previous job that is a tactic they use to try and Dodge reviews and when they can and it's a symptom of you have to imagine some of these suppliers will have 10 000 clients and they'll have 10 000 people asking a bunch of questions and for the sales team anything that slows down a deal will kill a deal and so for them they basically the security team has to do everything they can to try and Dodge these reviews so that's a classic tactic uh to try and Dodge these reviews and fundamentally that's why we built risledger the idea is the supply can do it once and all of their clients can feed up with that one pot of information so it removes that capacity problem and allows them then to open up a little bit more without being flooded with further questions um but yeah in terms of dealing with that the only way you really can deal with that is one of twofold you can either turn to the business and honestly say we have not been able to assess the supplier in any real depth therefore this is the risk it's up to you to work with them or not and really try and change the way you describe that risk to the business or secondly and getting the businesses and typically the boards and the procurement teams buy-in that says unless a supply can meet the level of data that you require for you to be able to make judgment they will not procure for them and some of the best insurance programs I've worked on are where security is done to a supply and say can we have that data the supplier said no and then procurement picks up the phone and says well we're not buying from you then puts the phone down within 10 minutes security and then not having that buy-in is is difficult I'm gonna I'm gonna jump in as well on that Hayden it's really interesting you've said that because we have one more poll question which uh which I really want to ask I find it very interesting with um kind of what you said about the commercial angle so we're going to put up a final poll question which I hope will generate some really interesting questions so in your experience listeners uh How likely is it that a contract will be signed with a new vendor before a supply chain risk assessment is important that can't touch isn't what you you were just saying right it kind of deals let's let's spend a year assessing all of our supply chain always deal on the table that's you know let's let's take the box right so let's get some thoughts from the audience on uh on this because I find it's just an absolutely fascinating um uh predicament so so guys on the call Hayden and Michael have you had experience of this if you've got a gut Fields does it happen I'll let Michael go first in the operational space yeah well I mean it it comes back to the how good is procurement to put in those those requirements or demands for what the supplier had to deliver in case of anything so which which type of answers because let's face it there's also I mean a little excuse on the supply side is that it's it's a matter of supply and demand and if we are not demanding that they need to work with other things that the standard you know performance kpis and metrics that we are normally seeing in contracts and normally evaluating because it's a matter of price tag at the end of the day if we're not seeing these additional um security requirements that they have to deliver to a certain level information then it becomes difficult um and I think then the challenge is how do you then in your audits uh turn the question around not asking for what can you tell us about your incidents but asking them in the case that this kind of exploit happened what would you be able to deliver of valuable information that our stock could work with I mean try to put pressure on on the supplier and then evaluating their their their their their their hunger to to actually work with you and and then that let that be the guidance for selecting any supplier that you have to include in your supply chain I think that's yeah it's Echo all of that interestingly and I do get a lot of heat from speak to prospects on this answer but often I say um many times if a business is buying a supplier let's say that supplier is about to do something that triples your business's revenue and if they don't buy that Supply your business doesn't go under that is a bigger risk to the board than them working with the supplier that's insecure so security risk while it is a big risk and it soft and top Minds for all of us as Security Professionals as a CEO as a board it may not be the top risk for them at that time and so oftentimes you have to take that context into account and otherwise then the other thing to to kind of Bear in mind there is the board and the businesses buy-in if you're running an insurance program without any buy-in from procurement the business and the board that will happen a lot more often than if you do have their buy-in and their supporting running the program um yeah otherwise everything that Michael said just pretty much yes we're getting some really good engagement on the poll as well I think everyone's kind of agreeing that it it definitely happens uh and I think it's just interesting to hear your perspective on Matt Hayden in terms of of putting the wider kind of strategy in place because that's a good point actually I haven't thought about that I kind of thought well it deals a deal but actually what you know what was the impact Downstream in terms of bigger risk so it just it just feels like our levels of risk abstraction doesn't it um yeah if that's happening a lot the two things I would do would one reassess the board buy-in and maybe the stakeholder buying that you have and number two maybe look at your process again because oftentimes the other reason that happens is because your risk process is taking too long or is too clunky and the business see it as a barrier rather than an enabler and and that's where we win clients for example and they they come to us wanting to speed that process up so that they can uh really kind of get that business buying off the backup brilliant well James thank you so much for your time we are our time uh it's flown by it's been a really interesting discussion thank you very much for joining us hey the Michael thank you to the audience for for listening in and joining us and asking some really interesting questions and taking part in our polls um before we go we just like to say that you know this is part of a series that we're doing so please come come back next week tune in we're going to be talking again about supply chain but some more specifics on on how to address vulnerabilities uh we have a report on our kind of supply chain Assurance worker with secure which the URL is on the screen and also if you are looking to learn a little bit more about risk Ledger um there is the URL to go and understand a bit more about what Hayden's been talking about as well so and any final last comments Gents yeah thanks thanks for running the webinar if anyone wants to connect the meal LinkedIn feel free um but yeah thanks yeah I'm also good thank you brilliant thank you everyone um have a lovely day we're going to sign out but um thanks all for your time and see you at the next one