How to secure more resilient supply chains – when a large firm might have not only third parties that it may be sharing data with, but fourth and fifth parties, suppliers of suppliers – was the subject for a webinar yesterday as part of Infosecurity Europe.
Suppliers not telling you that they’ve lost your sensitive data may be annoying; in fairness, do you even know who all your suppliers are? Adam Drabik, the former CISO of Opel Vauxhall Finance, suggested there’s a ‘golden middle’ of a mid-sized firm that can count all its suppliers.
A small firm only has a few suppliers; that may be easy to control, but can that small firm afford to gain the international information security standard ISO 27001 to show its info-security, which a large customer may ask for? Probably not, if the cost of gaining ISO is equal to its turnover.
The large firm may have the staff to do processes and governance – and may have to, to meet financial or other regulations – but does that big firm know all the thousands of suppliers it’s sharing data with? If you are having to enforce security standards on a supplier, ‘the boat has already sailed’, said Christian Toon, CISO at the law firm Pinsent Masons LLP.
That law firm has 3500 employees in 25 offices, several in the UK and the rest abroad as far afield as Hong Kong, Beijing, Singapore and Australia. As Christian Toon put it, ‘we have certainly had a very interesting couple of months since lockdown happened, not only here in the UK’. Speaking more generally, he said that it’s only security people who really think security is important; everyone else, whether those running the business or in functions such as marketing, is in business ‘to do a thing’. A security practitioner has to recognise that sometimes you will get over-ruled: “But there will be a valid business reason behind that.” It may be that security is down the business agenda, and it should not be a problem to concede that, for the greater good.
Like others during the Covid-19 lockdown, he spoke of pressure to approve things quickly, while covering the risks, so that the business can be operational. “Have we cut corners, or put off mitigating controls? No, we have just had to re-prioritise.”
The conversation turned to what makes a resilient company. Adam Drabik spoke in terms of discussions about risk, with the right executives.
Infosecurity Europe ran this month as an online conference only; it is due to return to London Olympia from June 8 to 10, 2021.
More in the July 2020 print edition of Professional Security magazine.