Securing the digital value chain

 ARTICLE | November 15, 2022 | 2 min read

New business models often create new vulnerabilities

By Evan Ramzipoor, Workflow contributor


Editor’s note: This story originally appeared in the Unleashing Digital Value issue of Workflow Quarterly.

At the start of the pandemic, supply, vendor, and personnel shortages forced companies to adopt new ways of working—quickly. These rapid pivots helped many firms survive. They also created serious security risks.

COVID-19 forced changes to how companies worldwide produced and delivered products and services—their value chains. Often, these value chains evolved faster than organizations’ cybersecurity capabilities.

As a result, hackers carried out devastating assaults. Notably, the 2020 SolarWinds attack affected up to 18,000 SolarWinds customers, including the Pentagon and U.S. Department of State. Since then, there have been near-constant attacks on SolarWinds’ vendors and suppliers, says Larry Clinton, president of the Internet Security Alliance (ISA). SolarWinds is not an outlier: Clinton says many executives still don’t take cybersecurity seriously.

“We’re making the same mistakes with AI and other technologies that we did with the internet,” he says. “We’re waiting until we use them everywhere before we wake up to the fact that they aren’t secure.”

In a recent ServiceNow/ThoughtLab survey on innovation, more than half of respondents reported significant progress modernizing IT systems. A quarter made similar progress automating workflows, improving processes, and harnessing AI, the cloud, and the IoT.

However, our research on cyber risks shows that more than 40% of respondents fear their cybersecurity efforts are not keeping pace with their digital transformations. Two-thirds report that remote work has exacerbated risks. Almost half say an increase in vendors and suppliers has created new vulnerabilities.

In its list of best practices for managing supply chain risks, the National Institute of Standards and Technology emphasizes that every department, from product marketing to engineering to human resources, should run its own risk assessments and security tests on vendors and partners. Due to a severe shortage of tech talent, most companies don’t have enough security professionals to do this work.

To augment these understaffed teams, organizations need an integrated system that facilitates collaboration with vendors, triages vulnerabilities, and uses AI to anticipate threats. One such system is from MITRE, a nonprofit research firm that works with the U.S. federal government. The company developed a predictive tool that can identify bad actors across the internet. Such tools can replace human security analysts, or be used to help security teams identify threats.

To secure their value chains, companies must rethink and prioritize their approaches to security, says Karl Klaessig, director of product marketing for security operations at ServiceNow. “In the 21st century, no corporate board should make a serious decision without discussing it with legal, finance, and also cybersecurity,” he says.

Author

Evan Ramzipoor is a writer based in California.