‘In Case You Missed It’ - Season 10 mashup


We've taken some clips of wisdom from five of our guests this season and brought them together in a neat package for you. This season in partnership with LastPass, we focused heavily on third party risk and supply chain security.

The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.


Transcript

CP: Hello, I'm Claire Pales and welcome to the season 10 Mashup episode. We've taken some clips of wisdom from five of our guests this season and brought them together in a neat package for you. This season in partnership with LastPass, we focused heavily on third party risk and supply chain security. To kick the season off, I spoke with Susie Jones. Susie and I discussed supply chain risk, small business fitness and the recent changes in security legislation. Susie also shared her thoughts on the role of government in securing all businesses. In this clip, Susie and I talk about the challenge of managing the risk across your full supply chain.

Episode 95 - Susie Jones

SJ: Some of the challenges then of managing your full supply chain risk is how many suppliers do you have? And how many suppliers do they have as well? So it's not just third party suppliers. It's fourth, it's fifth, it's sixth party, because you might have a number of, you know, decent sized contracts, you're pretty comfortable with the security clauses and protection that those suppliers offer you. However, if they're sub-contracting, and just about everybody is in some way, shape, or form these days, then there's a risk there that you're completely blind to. So even if you're able to really wrap your arms around all of the security maturity, at a point in time, in all of your own direct suppliers, you're really kidding yourself if you think that that first of all is applicable even a week later. And second of all, that that's the full picture, because all of your suppliers also have suppliers, everybody is connected. And so that's why I think we need to change the way that we're thinking about this, we need to stop thinking about this as an assurance. As a, you know, I need to know what the number is, I need to know how mature it is. And we need to be thinking, okay, if there's no way for me to ever figure out a number or a score, if there's no way for me to know that on any given day, then let's talk about the trends. Let's talk about how we can gradually support all of our suppliers, whether they're big or small, to improve with us with their security. If there are different things that you're trying within your organisation to improve the security of your organisation, then why not share that with your suppliers and see if they are willing to adopt that control or approach as well. There are still too many silos within security, so that the information on how we're protecting our organisations is not shared. And unfortunately, cyber criminals are some of the best collaborators in the world. They share everything. And yet us, the good guys, don't share much at all.
We share intelligence amongst ourselves, but not necessarily approaches and the steps that we're taking to improve security. And we don't even share that with our own suppliers. So if we can become a lot more collaborative in our approach to security, then the question stops becoming, what is the maturity of our supply chain cyber risk, and starts becoming what activities have we undertaken with our suppliers to support them in improving? And have we seen any evidence that they've been effective in making improvements?

Episode 97 - Ellis Brover

CP: In episode 97, former Toyota Australia CIO Ellis Brover shared his thoughts on incident response through the lens of a CIO. We discussed how security maturity can dictate reporting lines, how organisations should seek to test the reality of systems being shut down because of an incident, and how moral support goes a long way during a cyber incident. In this clip, Ellis talks through the value of doing cybersecurity scenario drills.

CP: How exposed are companies who aren't prepared and who don't even do drills? I mean, drills are great, they're great learning experiences. But even if you're doing those, a lack of preparation, where does that leave an organisation? 

EB: I think it leaves them with an unnecessary level of organisational risk that often isn't really appreciated. I think the wonderful thing about the maturity of IT these days is that most of our colleagues and business divisions rely implicitly on these systems. They're always going to be there, you can rely on them always being on in the morning when you come in, until you can't. And the trouble with that is that I think organisations have lost their knack to actually work around the absence of IT systems to operate business processes manually. And I think that's a really important conversation that we need to have. Hopefully not during a crisis, but before. What would you actually do if all the systems are down for a few weeks? We don't normally think of that scenario, do we? Generally, if we have an outage, it's, you know, it's for half an hour, it's for an hour, it's for a few hours, it's overnight. It's annoying, it's frustrating, but it doesn't genuinely disrupt the business and force people to operate manual processes. But what if it's for much longer than that? How would you operate your company for several weeks, if you imagine you have no IT systems at all? And I find most people just don't think through that scenario. Or if they do, it's very, very shallow. Oh, we'll do it on paper, we'll do it with a spreadsheet. But if you haven't thought through how you will do it, you inevitably find in the cold light of day that you've missed something. You've missed that one critical, tiny departmental system that sits in a corner that nobody thinks about, that doesn't have any backup, that doesn't have any disaster recovery plan, but that actually your key business process hinges upon.

CP: Yes. And I think the other thing is there's a big difference between being able to operate on pen and paper, and the reality of operating on pen and paper. And you know, if I think about a retail store, yes, you can operate potentially writing receipts on pen and paper and somebody's marking down the widgets that you're selling. But that could become very tiresome very quickly. And so yes, in theory, you can operate on pen and paper, but even for a few days or a few weeks, that could be pretty labour intensive for staff, and they're just going to get burnt out. It's a very difficult scenario to play out in your head until you're actually in it, even if in theory, it might work. 

EB: Absolutely. And you've got to start thinking about things like how you're going to get paid for those things. It's all very well to ship out goods, provide services, but how are we going to get paid, how are we going to keep track of what needs to be paid, how are we going to maintain our compliance obligations afterwards so we can actually update our backend systems to reflect what happened on paper? You've got to think about those things. And even, Claire, to be honest, the simplest things that seem trite, but I've seen a number of times that situation where your plan for a manual workaround says I'm going to call my customers by phone, and I'm going to take their orders. Except of course, when all the IT systems go down, you don't know their phone numbers anymore, because your phone contacts have been wiped and your email systems are inaccessible because the IT people have turned them off. Then what do you do? I mean, it's incredibly simple, right? But if you don't think through that kind of thing in advance, you get caught in real life.

Webinar part 1 - Alla Valente & Vijay Krishnan

Webinar part 2 - Alla Valente & Vijay Krishnan

CP: Midway through the season, we co-hosted a webinar with LastPass and I was fortunate to be joined by Alla Valente and Vijay Krishnan. Alla and Vijay shared their insights on supply chain security versus third party risk. We split the episode into two after the webinar had run for an hour. In part one, Vijay covered APRA's CPS 234 and the need for effective security controls, not just compliant ones. We also covered the role of legal and procurement in a third party assurance process. And then in part two, the second episode, we discussed software supply chain, how to navigate fourth party risk, and talked about offshore supply chain risks such as privacy and data sovereignty. In this short clip, Alla and Vijay cover the hidden risk of fourth parties that you may not be aware of.

VK: So fourth party is always a tricky one, because we go into agreement with a third party first. And then we have all the legal contracts in with a third party. But I think it's prudent on us to ensure that in the legal contract, you have some statements for their supply chain as well, for fourth parties, to ensure if there is a breach who is accountable in the event of a breach. That's why it's very important when you enter into a third party relationship that we have clearly defined RACI roles and responsibilities in terms of, you know, if there is an issue, who is accountable for what. We need to get that agreement in place before we sign the contract. Which may include us having a good view on the fourth party: if it's a fourth party breach, who's accountable for it? Is it the third party or is it the primary organisation? So it's very, very important. And also, as I said to you before, all these legal clauses are good from a financial perspective, and also for terminating a contract if you're not happy with the service. But from a reputational brand impact perspective, it doesn't matter if it's a third party or fourth party, the primary organisation will be impacted.

CP: Alla, what are your thoughts around fourth parties? 

AV: The challenge with fourth parties is that the majority of organisations don't know 100% of their own third parties. Because there are so many relationships inside of the organisation. Some of them have been through procurement, some maybe have shadow procurement, so maybe they're not even on the radar to be able to do that type of risk assessment. Then there are these fourth party relationships. Now, if you have procurement, remember, I mentioned embedding some security questions into the RFP. One of those questions should be to list all the key fourth parties that are required for your third party to be able to deliver whatever this product, service or good is. So now at least you have a list of who those key fourth party relationships are. Also you should be asking them whether or not they are assessing, and maybe doing a scan, a cybersecurity scan, or even asking for an updated business continuity plan of their key fourth parties. But even if that fails, we're seeing the rise of several types of tools. One is supply chain mapping, where you can visually map the different relationships to identify those fourth party dependencies. And also see, hey, do I have three, four or five third parties that are all using the same fourth party, because that can let you know about some concentration risk as it exists. But there is also a category of tools called supply chain elimination. Where you might not know who your fourth parties are, but they deploy bots that can look at things like different relationships, even payments that go between organisations, to make connections and discover these fourth party entities that perhaps you didn't know you had. So there are some ways to fill in those gaps.

Episode 101 - Grant Chisnall

CP: In Episode 101, I really enjoyed chatting with fellow podcaster Grant Chisnall. Talking with Grant, we covered a lot of ground, including the escalation from incident response to crisis management; we talked about business collaboration before an incident, and how to plan for resilience while mopping up a cyber incident. Here's a taste of what Grant shared.

CP: You mentioned earlier bringing the business together across functions. And if you're going to future proof an organisation and be prepared, how is bringing those functions together strategically going to help the business to be future proofed?

GC: Future proofing for organisations is crucial from that preventative stage, as well as having that alignment with the overall business strategy. And so, it's okay in some cases for different teams to come together to plan what they might be doing to address contingency. But they also need to have the consideration of the longer term strategic intent of the organisation. So a plan, for example, about failing forward might involve failing forward to a new set of infrastructure, if something does fail at this point in time. If you have a situation where you've broken something, then you might be looking at another third party as part of enhancing your resilience to future events. Either way, bringing the whole organisation together, the leadership, alignment with the board, but then also the IT or technical teams and the operations teams, helps really shorten that gap in awareness between what has happened and the expectation around when it can actually be restored. It's probably the biggest issue we see, that the more technologically savvy an organisation is, the closer that gap is. So people understand, if they're technologically proficient, they'll understand that if something happens, it's going to take X amount of time at least. But when they're not, and they're just relying on turning on a computer every other day, and let's face it, most middle-aged males around my age and above who are in these senior positions often struggle with those basics on tech. Then the challenge there is really how do you manage their expectations if something goes wrong? How do you manage your expectation of a complete failure scenario? So the whole point about that planning and bringing everyone together is about closing that gap in understanding and then closing any gaps around expectations post incident.

Episode 102 - Paul Barrett

CP: As we brought the season to a close, I was joined by Paul Barrett, and we talked about the cyber culture in local government and how the government model for cyber is changing for the better. And Paul shared why he sees audit as a gift. In this clip, Paul shares how he manages cyber as a CIO with so many competing priorities.

CP: So given that, you know, you're in front of the board talking about cyber, but you're actually the CIO, and you have so many plates spinning when it comes to leading technology, how do you prioritise cyber amongst all of the other plates that you've got spinning and amongst all the other demands that are on a CIO, whether you're local government or big business? You know, the tech leader now is probably different to how tech leaders were yesterday, I guess. What's your approach?

PB: So I think I'll start by saying that, strategically speaking, and I'm not sure that many of us have this right yet. I certainly don't. But cyber needs to stop being a prioritised initiative or project, and become more of a continuous improvement programme. So initiatives and projects tend to be a one time deliverable. And maybe that's the case when you're looking at a firewall or product replacement. But long term, there needs to be a much bigger focus on the ongoing programme. So I think there are a few choices that you need to make, and it's how you're going to resource projects or the development of your long term programme. Are you going to bring in external expertise or support if you don't have any resource? And in lieu of that programme, you need to continue to manage some of that risk through embedding mandatory requirements or standards in tender procurement documentation, etc., as well as your day to day procedures or your day to day governance controls.

CP: And all of that doesn't just come about through technology or processes, it actually comes about through people and getting them on board with change. And one of my favourite topics to talk about is culture. And back in season nine, we spent the whole season talking about influence and behaviour change and how challenging it is to measure and really embed a cyber culture. What are your thoughts around cyber culture, and how challenging it is to shift culture within local government, specifically?

PB: Culture change of any type is something that can take a long time to embed in an organisation. Local government is a very unique beast in itself; we have a very diverse set of services that we offer our community, and the background of the staff who we have delivering those services is very different too. They come from various sectors of government and private industry as well. Cyber culture can be difficult to embed, because it's a challenging subject for most people to grasp. It has a list of ever growing acronyms and technical jargon associated with it, and it can often be brushed off to the side because it's just too hard. So creating a cyber culture probably needs to start fairly simplistically. You know, we often message out to people in the business: if you're not sure, just call IT, because we can make that assessment for you. I think the more communications we put out around that, the more it will help encourage people to report or question something when it doesn't seem quite right or seems suspicious. So to me, that's the beginning of the cyber culture, being aware. Where we need to get to is elevating cyber to be second nature. And as I said earlier, it's not a one time deliverable or a point in time phishing campaign, it's an ongoing practice and ongoing culture. Race car drivers don't get good by reading the owner's manual for a car, and athletes don't become elite athletes by just eating well or training. It's the ongoing practice and rigour around what you do.

CP: So that's a wrap-up of season 10's Mashup episode. If you liked these clips, please go through the back catalogue of episodes for season 10 and the previous seasons before that, and you can pick up the wisdom of our guests across more than 100 episodes. Thanks so much for joining me and I'll see you next time on The Security Collective podcast.
