Live Chat 12/10: Security & the Supply Chain

150 comments on “Live Chat 12/10: Security & the Supply Chain”

  1. Hailey Lynne McKeefry
    December 6, 2013

    Here's a little more information about our guest:

    Steve Durbin is Global Vice President of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, consumerization of IT, big data, outsourced cloud security, third party management and social media across both the corporate and personal environments. Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner's consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors.

  2. Hailey Lynne McKeefry
    December 6, 2013

    Here's a little more information about the Information Security Forum:

    Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

    ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

  3. jbosaavage
    December 10, 2013

    Excited about the chat in one hour! Should be interesting, especially for those of us in the retail sector.

  4. Ashu001
    December 10, 2013

    I hope to make it. Kinda late for my time!

  5. Hailey Lynne McKeefry
    December 10, 2013

    Thanks, Jennifer!

  6. Hailey Lynne McKeefry
    December 10, 2013

    Hang in there, @tech4people. Only 20 minutes until we start!

  7. Ashu001
    December 10, 2013

    @Hailey-I hope so!

  8. Hailey Lynne McKeefry
    December 10, 2013

    Feel free to front load thoughts or questions while we wait.

  9. Ashu001
    December 10, 2013

    The thing about supply chain security is that it's a topic which hardly anyone is prepared to deal with currently.

  10. Ashu001
    December 10, 2013

    I mean how can you monitor/police such a disparate chain of events in one place?

  11. Ashu001
    December 10, 2013

    It was easy when everything was in one place, but now that we have everything spread all over the globe, what are you going to do about it?

  12. Hailey Lynne McKeefry
    December 10, 2013

    @tech4people, it's certainly more about mitigation than total security.

  13. Hailey Lynne McKeefry
    December 10, 2013

    We will be starting at 10:00 a.m. PST/1:00 p.m. EST sharp. First, though, there are two housekeeping notes:

    First, please make a copy of your post before hitting the “post” button – just in case. If the system “eats” one of your carefully crafted thoughts, please hit “Ctrl-Z” to recover it.

  14. Hailey Lynne McKeefry
    December 10, 2013

    Second, if you have problems posting, we suggest trying a different browser. IE9 is a popular choice, but some people find Firefox, Chrome, or Safari work better.

  15. Hailey Lynne McKeefry
    December 10, 2013

    This will be a fun, fast, and friendly conversation, so please do not hold back with your comments or questions. There are no dumb questions and we value everyone's point of view.

  16. Hailey Lynne McKeefry
    December 10, 2013

    Questions, theories, ideas, real world experiences and even friendly rants are welcome here.

  17. Hailey Lynne McKeefry
    December 10, 2013

    And always, please announce your arrival so we can give you a warm EBN welcome and offer you some virtual guacamole. 🙂

  18. stevedurbin
    December 10, 2013

    Hi Hailey, hi everyone, this is Steve. Thanks for inviting me along to the chat.

  19. Hailey Lynne McKeefry
    December 10, 2013

    Hi Steve, you're right on time! Welcome… pull up a chair and help yourself to some virtual guacamole and chips. Everyone, Steve's bio and some info on ISF are at the start of the chat. Steve, to get us started, what do you see as some of the biggest challenges for the supply chain today in terms of security?

  20. stevedurbin
    December 10, 2013

    That's a tricky one to start us off.

  21. stevedurbin
    December 10, 2013

    Biggest challenges have to be really understanding who is in your chain, what info you're sharing and then what the 3rd parties are doing with it.

  22. stevedurbin
    December 10, 2013

    So many organisations have multiple tiers of suppliers that keeping track can be difficult.

  23. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, we ask the hard questions here. 🙂

  24. stevedurbin
    December 10, 2013

    Keep em coming 🙂

  25. Jamescon
    December 10, 2013

    Hi, Hailey

  26. Hailey Lynne McKeefry
    December 10, 2013

    I know many organizations try to create security policies and push them through the supply chain. What are the elements of a good security policy?

  27. Rodney Brown
    December 10, 2013

    Howdy all.

  28. stevedurbin
    December 10, 2013

    Sharing with suppliers is essential, yet increases the risk of that information being compromised.

  29. Scott Ferguson
    December 10, 2013

    Hi everyone. Happy holidays.

  30. stevedurbin
    December 10, 2013

    Before starting on the policy it's about understanding the risk appetite you have in the organisation.

  31. Hailey Lynne McKeefry
    December 10, 2013

    @Jim, glad to have you with us! We've got fresh guacamole on the table in the back. Help yourself!

  32. Hailey Lynne McKeefry
    December 10, 2013

    @Rodney, glad you could make it!  Pull up a chair and have some guac.

  33. Hailey Lynne McKeefry
    December 10, 2013

    Hey Scott, happy holidays… Steve says he's ready for our hardest questions on security. so don't hold back. 🙂

  34. stevedurbin
    December 10, 2013

    Then you need to make the policy practical, focused and relevant to your business – and of course understandable from the supplier side.

  35. Scott Ferguson
    December 10, 2013

    Maybe this was asked before, but I wanted to see what the most common types of attack on the supply chain are. Are there ones we see over and over again?

  36. stevedurbin
    December 10, 2013

    Having done that, you're ready to start!

  37. Rodney Brown
    December 10, 2013

    Steve, I just saw a disturbing stat — more IT managers find it harder to enforce security policies in 2013 than in 2012. Is BYOD making this tougher or is it just a matter of lack of desire to push the enforcement?

  38. Ashu001
    December 10, 2013

    @Hailey-Absolutely, threat mitigation is extremely crucial.

  39. Jamescon
    December 10, 2013

    For companies in manufacturing isn't securing the supply chain one of those situations where you want to ensure that your suppliers have all their T's crossed, but then you have to turn around and comply with the demands of the customers that you are supplying? Does that present any conflict in terms of security standards?

  40. stevedurbin
    December 10, 2013

    The kind of attacks tend to be theft of data; we see insider based attacks. It's all about the data really, since that's where the value lies, and also about attacking the big company via one of the suppliers.

  41. Ashu001
    December 10, 2013

    @Rodney-I have a feeling it's because these things are becoming crystal clear and more transparent today.

  42. stevedurbin
    December 10, 2013

    @rodney for me enforcing policies is about winning hearts and minds – it's about making sure that your policy is coauthored with the business and getting the business to enforce it, not the security guy.

  43. Ashu001
    December 10, 2013

    @Rodney-Otherwise one would have seen BYOD issues getting totally sidelined and sorted out by now.

  44. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, “practical, focused and relevant to your business” I suspect is easy to say and hard to do… and then you have policy enforcement on top of that.

  45. Scott Ferguson
    December 10, 2013

    @Steve: Thanks. So what are the benefits of trying to steal data from the supply chain, as opposed to typical attacks on a company network or DB? Is it a matter of stealing info to be sold later, or is it a bit of corporate spying, trying to gain an edge?

  46. Rodney Brown
    December 10, 2013

    Tech4people, why would better clarity make the policies harder to enforce? Maybe less of a need to enforce them, sure, but I don't see how it would make enforcement harder.

  48. Ashu001
    December 10, 2013

    @Hailey-It's always about the people. It's the people who make it hard to do something usually.

  49. Hailey Lynne McKeefry
    December 10, 2013

    (Quick commercial: EBN's most recent Velocity e-mag just tackled the topics we are discussing now, so take a read: http://dc.ubm-us.com/i/207639)

  50. Jamescon
    December 10, 2013

    How much of a threat is DDOS for the companies you deal with?

  51. stevedurbin
    December 10, 2013

    @hailey, absolutely, but this is where the security guys can really make a difference, by working with business owners to understand what they're trying to achieve and then supporting that effort.

  52. Ashu001
    December 10, 2013

    @Scott-It's all about individual IP.

  53. Hailey Lynne McKeefry
    December 10, 2013

    @Tech4people, the golden triad for me: people, processes and technology. You gotta have them all to succeed.

  54. stevedurbin
    December 10, 2013

    @scott I'll give an example, say pharma: if you can steal the IP on new drugs before a patent is filed – and towards the end of the process before filing that info is shared with lawyers as well as research partners – then that can be a hefty cost and a massively attractive target.

  55. Scott Ferguson
    December 10, 2013

    @tech4people: So it's all corporate espionage at this point. Is it other companies, or does it involve nation states, such as China, where there's a history of trying to compromise IP for a competitive gain?

  56. stevedurbin
    December 10, 2013

    @scott to secure the supply chain we need to look beyond just the traditional partners and bring in our lawyers, accountants, the non-traditionals – and they may be the weakest link and so the easiest route for the cyber thief.

  57. Hailey Lynne McKeefry
    December 10, 2013

    @Scott, for electronics manufacturers, there's an additional and newly emerging threat – that malware makers try to get into the system so that their malware is loaded into the firmware of electronics products that connect to the internet – and so everyone who buys the product is infected and infects others. This one is less common, but can you imagine the corporate PR nightmare that could ensue?

  58. stevedurbin
    December 10, 2013

    @tech4people yes, IP theft for competitive gain is a biggy.

  59. Scott Ferguson
    December 10, 2013

    @Steve: An interesting point. Has the supply chain been particularly weak when it comes to this type of cyber security?

  60. Hailey Lynne McKeefry
    December 10, 2013

    How do some of the other headline topics (I'm thinking of big data and the internet of things, for example) shift the way supply chain organizations have to think about IT security?

  61. Ashu001
    December 10, 2013

    @Scott-With China it tends to get institutionalized (at the nation-state level). With India, it's more at the individual level (hired guns, so to speak).

  62. stevedurbin
    December 10, 2013

    @scott I'm seeing very much more interest these days from the “professions” in terms of them having to address their security than before.

  63. Hailey Lynne McKeefry
    December 10, 2013

    @Steve to your point, phishing and other social engineering stuff is getting much more sophisticated as well. It's not surprising that many of these weak links fall for the lures.

  64. stevedurbin
    December 10, 2013

    @hailey big data = big issue – potentially! What I mean by this is that the biggest concern for me around big data is not the theft of information but the manipulation of data to cause big data analytics to come up with erroneous conclusions that take the business off course.

  65. jbosaavage
    December 10, 2013

    @SteveDurbin, that's a huge issue with retail.

  66. Ashu001
    December 10, 2013

    @steve-That is Good news.

  67. Jamescon
    December 10, 2013

    Steve. Have you seen that big data manipulation happen in real life yet? Or is it still in the “possible” class?

  68. stevedurbin
    December 10, 2013

    @hailey correct, phishing is getting more and more sophisticated and keeping track of your second and third tier suppliers becomes even more important – the further away from the source, the more attractive to the cyber thief and the more difficult for the main enterprise to manage.

  69. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, for supply chain users, I could see that being catastrophic. What you buy, from whom, how much, when it will arrive – there are so many variables that could be potentially manipulated. I'm sure there are many breaches of security that never make headlines.

  70. stevedurbin
    December 10, 2013

    @jimc not seen anyone prepared to publicly admit it – doesn't mean it's not happened 🙂

  71. Scott Ferguson
    December 10, 2013

    @tech4people: Thanks for helping make that distinction. Have the issues regarding the NSA and its ability to collect massive amounts of information changed some of the conversation between what China and India do and what the US can do?

  72. Hailey Lynne McKeefry
    December 10, 2013

    @jimC, great question.

  73. stevedurbin
    December 10, 2013

    @hailey yes, takes us onto the notion of how to effectively combat this, and it is about collaboration, within the business and with other businesses across sectors and geographies.

  74. jbosaavage
    December 10, 2013

    I fear that businesses could rely so much on data that there is no one doing a common sense, reality check on the numbers.

  75. Ashu001
    December 10, 2013

    @Hailey-Absolutely, which is why most don't even want to think about supply chain security.

  76. JimOReilly
    December 10, 2013

    Steve, I'm not sure a big data distortion would be detectable. The stock markets come to mind. You can make millions from a transient event.

  77. stevedurbin
    December 10, 2013

    @tech4people NSA has changed lots of conversations 🙂 Assume they have a view… well, don't be shy guys…!!!

  78. Hailey Lynne McKeefry
    December 10, 2013

    @jbosavage, glad you stopped by. Guacamole and chips are on the table in the back. Still plenty to go around.

  79. jbosaavage
    December 10, 2013

    So you get a figure for 100,000 t-shirts, but it should be 50,000. A casual observer might not detect the error.

  80. stevedurbin
    December 10, 2013

    @jim O'R absolutely Jim, and that's why the financial markets are so hot on monitoring – other industries are not at the same level of sophistication yet.

  81. jbosaavage
    December 10, 2013

    And the data can be manipulated from the inside, as well as outside intrusion, sadly.

  82. Ashu001
    December 10, 2013

    @jbosavage-That would be brutal.

  83. JimOReilly
    December 10, 2013

    Distortions could be subtle. Sentiment based forecasting is on the rise, and it's susceptible to someone jamming YouTube or Twitter with spurious hits.

  84. stevedurbin
    December 10, 2013

    Another issue of course is that many organisations focus only on managing info risk for a limited number of the most obvious – not necessarily the most risky – contracts.

  85. stevedurbin
    December 10, 2013

    So, it becomes a real toughie to spot.

  86. Ashu001
    December 10, 2013

    @jbosavage-Outsider intrusions are easier to detect and monitor; it's the inside ones which are more worrying.

  87. Hailey Lynne McKeefry
    December 10, 2013

    The thing that has me worried is the way that different types of data can be culled from different systems and be made into more valuable information (customer names and bank routing numbers, etc.). The big data craze has systems much more closely connected.

  88. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, what sort of questions should OEMs and distributors be asking to figure out the riskiest items to focus on?

  89. stevedurbin
    December 10, 2013

    The key to managing info risk in the supply chain is to employ an info-led, risk based approach.

  90. JimOReilly
    December 10, 2013

    Some of the big fraud cases were insiders manipulating data trends. Barings comes to mind.

  91. jbosaavage
    December 10, 2013

    @SteveD, it does, but the human touch therefore, oddly, becomes desirable.

  92. Hailey Lynne McKeefry
    December 10, 2013

    @tech4people, insider threat is a big deal, whether the insider is malicious or ignorant.

  93. Michael Steinhart
    December 10, 2013

    @Steve – what are some examples of a 'most obvious' contract not being the most risky?

  94. Hailey Lynne McKeefry
    December 10, 2013

    @Jim, glad you could make it… pull up a chair.

  96. Scott Ferguson
    December 10, 2013

    @Hailey: Are the people taking the data able to create a picture from all these different parts? Do you need a certain skill set to assemble it all?

  97. jbosaavage
    December 10, 2013

    Humans can make judgments or at least call odd figures into question.

  98. stevedurbin
    December 10, 2013

    @jbos Doesn't it always?

  99. JimOReilly
    December 10, 2013

    Data scrubbing and reasonability checking look like huge SaaS opportunities.

  100. Michael Steinhart
    December 10, 2013

    Sorry for the repeat, everyone.

  101. stevedurbin
    December 10, 2013

    Overcoming some of the challenges is about identifying the info shared with suppliers and quantifying the risk to determine a proportionate response.

  102. Hailey Lynne McKeefry
    December 10, 2013

    Hey Michael, welcome to the conversational fray! Glad you could be here. Have some guacamole.

  103. Ashu001
    December 10, 2013

    @Hailey-Complications can be endless, if you do so.

  104. Michael Steinhart
    December 10, 2013

    What factors go into risk assessment? Geographic location? Security of the suppliers' systems?

  105. stevedurbin
    December 10, 2013

    @michael s I'm thinking here of the traditional supply chain management approach, which, mostly done by procurement, has tended to focus on risk by size of contract – so a $100m contract gets attention, but IP which has no $ ticket – yet – would get missed.

  106. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, what might be a proportionate response? Is it about securing data, apps, systems, endpoints? What are the best practices from a technology standpoint?

  107. Michael Steinhart
    December 10, 2013

    Thanks, Hailey! I'm trying to cut down on the guac, though.

  108. Ashu001
    December 10, 2013

    @Michael-Factor No. 1 is employees. Factor No. 2 is technology involved.

  109. Michael Steinhart
    December 10, 2013

    Thanks, Tech4people.

  110. stevedurbin
    December 10, 2013

    Risk assessment is about determining the potential impact of the loss of data to your organisation – you'll want to take into account geography, yes, but also the degree of maturity of your suppliers' security, their willingness to share info with you and to discuss security.

  111. Hailey Lynne McKeefry
    December 10, 2013

    @Michael, I know Christmas isn't your gig… but guacamole and salsa are really festive. Start with the abstinence in the New Year… Besides, our virtual guac is very low cal. 🙂

  112. Michael Steinhart
    December 10, 2013

    @Steve – is it wisest to set up security procedures across the organization and apply them equally across all suppliers?

  113. Michael Steinhart
    December 10, 2013

    Hailey, you've twisted my arm. It's delicious.

  114. Ashu001
    December 10, 2013

    Good Food ALWAYS ROCKS!

  115. stevedurbin
    December 10, 2013

    @hailey yes, it's about all those things, but more about looking at the access points to those systems and ensuring that the basics are covered – the people awareness things are important too, it's not just about technology, and of course in many countries where supply chains extend, it can be a relatively low cost exercise to influence the people side to let you have info you would otherwise not have.

  116. stevedurbin
    December 10, 2013

    @michael s I'd say not, that's a bit like trying to boil the ocean – I'd say look at it in bite sized chunks.

  117. stevedurbin
    December 10, 2013

    What I mean by that is start with the information – what's the most important and critical to the business.

  118. stevedurbin
    December 10, 2013

    Then track that info flow across suppliers; that'll identify where you need to focus your efforts.

  119. Michael Steinhart
    December 10, 2013

    Bite-size based on risk profile, though.

  120. stevedurbin
    December 10, 2013

    Work with those suppliers and identify the ones “at risk” – could be down to geography, could be that they don't have the most robust systems in place.

  121. stevedurbin
    December 10, 2013

    And then start from there – it's more manageable.

  122. JimOReilly
    December 10, 2013

    Steve, it would be worth checking the riskiest transaction types out early in the process, independent of size. Often large amounts of fraud occur in small deals.

  123. stevedurbin
    December 10, 2013

    Bite-size based on risk profile, right.

  124. Michael Steinhart
    December 10, 2013

    That makes a lot of sense – let the data path identify the riskiest links.

  125. stevedurbin
    December 10, 2013

    @jim good point Jim, I agree, some of the most damaging have been the small frauds which add up.

  126. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, the training piece is hard. Everything I've seen and read has said that you have to make it part of the day to day business, by putting it in people's job descriptions (to protect corporate assets including data and systems); to do regular trainings, mention it in meetings, even put signs up on the wall (Don't share your password). The problem is that the cybercriminals have unlimited attempts and only need one mistake.

  127. stevedurbin
    December 10, 2013

    Also can be the most difficult to detect.

  128. Hailey Lynne McKeefry
    December 10, 2013

    We are past the half hour mark… so dear guests, it's time to get your last questions in. Steve, thoughts that you haven't had a chance to share?

  129. Rodney Brown
    December 10, 2013

    Hailey, another troubling stat I saw — 53% of companies conduct security training only yearly, and 14% only do it “ad hoc” — when someone screws up, basically.

  130. stevedurbin
    December 10, 2013

    @hailey, that's right, there were some stats I saw around phishing that said, I think, that if you received the same phishing email twice or three times you were more inclined to click and open it to find out what it was all about than if you only received it once – I love my spam filter and junk mailbox!

  131. JimOReilly
    December 10, 2013

    Training only goes so far. The pace of operations often puts security on a back burner, especially if people develop a high level of comfort in relationships.

  132. stevedurbin
    December 10, 2013

    Awareness is a biggy; we've said it for years and we'll continue to say it for many more to come.

  133. Hailey Lynne McKeefry
    December 10, 2013

    @Rodney, and the really scary thing is that there's no telling what that 53 percent are calling “annual security training”. It might be a ten minute video or an email reminder.

  134. stevedurbin
    December 10, 2013

    @jim spot on Jim, that's why I'm a fan of embedding security in the business – put a security guy out with the business teams so that security understands what is going on and can provide advice and guidance constructively and in a timely way.

  135. Hailey Lynne McKeefry
    December 10, 2013

    And patching! Don't get me started about the need to patch applications and OSes regularly and with alacrity.

  136. JimOReilly
    December 10, 2013

    Security can be built in to operations. Financial companies look for behavioural trends with traders, as well as changes in trading pattern. It's sophisticated, but it can trap problems early.

  137. Michael Steinhart
    December 10, 2013

    Sorry, folks – I have to jump off. Thanks for the insight!

  138. Mitch Wagner
    December 10, 2013

    I just came out of a meeting where we discussed some points very relevant here: security isn't just an internal matter. Partner security impacts your security. The nuclear power plant doesn't have to just worry about its own security; it has to worry about the security at its catering company.

  139. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, that would be an ideal world with security close to the business. Let's hope people listen to you!

  140. stevedurbin
    December 10, 2013

    @mitch – that's right Mitch, and also the provider of paper and and and…

  141. Hailey Lynne McKeefry
    December 10, 2013

    Hey Mitch, good to have you with us. That's a critical comment that you are making! Your partner's mistake can be your downfall.

  142. stevedurbin
    December 10, 2013

    @hailey I'm on a mission… 🙂

  143. Hailey Lynne McKeefry
    December 10, 2013

    @Steve, and EBN is glad to provide the forum for your mission! I'm right there with you!

  144. stevedurbin
    December 10, 2013

    @hailey glad to know I'm in good company – and there's plenty of guac to go round too 🙂

  145. Hailey Lynne McKeefry
    December 10, 2013

    I'm going to draw us to a close, but thank you very much for coming by Steve! We're glad to have you come anytime. And thanks everyone for asking some great questions.

  146. stevedurbin
    December 10, 2013

    Good supply chain info risk management needs to be integrated with vendor management and based on a follow-the-information approach – I'll leave you with that thought!

  147. stevedurbin
    December 10, 2013

    @hailey thanks for having me, it's been fun, see you all soon.

  148. Hailey Lynne McKeefry
    December 10, 2013

    Preach it!

  149. jawadyacoub
    April 20, 2014

    Hello,

    Looking for a solution for anti-shoplifting that can work for small items such as rings and accessories.

    Please advise.

    Jawad

  150. lhawrence
    June 8, 2015

    Nice post.
