Supply-chain attacks like SolarWinds making headlines and causing domino effects to organizations involved have made third-party security risk a topic that’s present in boardrooms and SOCs alike. In fact, supply-chain attacks were reported as one of the top concerns of U.S. CISOs in 2021.
“While third-party risk is not necessarily new, it is something that is often a blind spot as it’s often not seen as a direct responsibility of CISOs and security teams,” said Gene Yoo, CEO of Resecurity®, Inc and former security executive at a major U.S. financial institution. “This blind spot is typically created when there’s a lack of visibility into the actual state of the cybersecurity posture and security team of the third-party vendor. However, when an incident does occur, that is when it quickly becomes an issue as the organization itself will take the blame for the breach.”
Today, organizations, government and the cybersecurity industry are taking this supply-chain challenge head-on to make this blind spot a bit clearer. From ‘trust but verify’ approaches to ensure better security posture from third-party vendors to implementing more rigorous DevSecOps protocols to ensure security is top of mind from end to end, both organizations and the industry are establishing new standards for their third-party vendors.
But where does that leave CISOs and organizations while this transformation takes place?
The lowest hanging fruit is implementing Third-Party Risk Management solutions that can identify the network, identity, technology and geographical risks, said Yoo... Please continue the article at the source