CISOs need to bridge the gap between security concerns and business outcomes to ensure everyone plays an active role in third-party risk management. But effectively communicating that risk comes down to knowing your audience - from employees to the board, said CyberGRX's Caitlin Gruenberg.
With the federal government's software bill of materials regulations looming, many organizations are not ready to respond, warned CISO Sean Atkinson of the Center for Internet Security. He provided tips for ensuring transparency in the software supply chain and preparing for SBOM regulations.
The Iowa Department of Health and Human Services has reported to federal regulators its third major health data breach involving a vendor since April. This time, Iowa HHS/Medicaid says the data of nearly 234,000 individuals was compromised in a mega hack recently reported by MCNA Insurance Co.
Synopsys stands head and shoulders above the competition in Gartner's application security testing rankings, with Snyk rising and HCL Software falling from the leaders category. Longtime app security players Veracode, Checkmarx and OpenText joined Synopsys and Snyk atop the Gartner Magic Quadrant.
Supply chain is critical for application security because most firms rely on third-party software components. The ease of injecting vulnerabilities into open-source components makes software bill of materials a critical need, said Minatee Mishra, director of product security at Philips.
Attacks like Kaseya and SolarWinds have highlighted the supply chain risks and demonstrated how securing the supply chain can no longer just be considered a compliance function. It has evolved into a risk management function, said Fred Kneip, chief executive officer at CyberGRX.
The security of hundreds of MSI products is at risk due to hackers leaking private code signing keys stolen during a data breach last month. The signing keys allow an attacker to push malicious firmware updates under the guise of regular BIOS update processes with MSI update tools.
Many of the cyber-related questionnaires that organizations ask their third parties to complete "are too broad" and not properly focused on questions related to the services or products being offered by that vendor, said Cassie Crossley, vice president of supply chain at Schneider Electric.
Some of the most sophisticated cyberattacks are being targeted at third-party suppliers in an effort to affect their critical clients, said Ashan Willy, CEO of Proofpoint. But often client organizations affected by these attacks do not even realize a key supplier has been hit, he said.
Data breaches are often the result of hackers exploiting bugs in third-party service providers to make their way to larger organizations. Rishi Rajpal, vice president of global security at Concentrix, discussed how to pick the right partners and mutually benefit from each other's services.
In the latest weekly update, Venable's Grant Schneider joins ISMG editors to discuss takeaways from the RSA Conference 2023, the state of software supply chain security post-SolarWinds, safeguards to prevent unintended adverse impacts of AI, and whether AI could be used to write and digest SBOMs.
Cybersecurity professionals are stressed out, overworked, underpaid and working on short-staffed teams, said Candy Alexander, president of the ISSA International Board. She advised organizations to look for the right indicators of a good cybersecurity culture.
Organizations with a security-by-design approach need to go beyond being reactive to a proactive, offensive strategy to strengthen their security posture, says Mrutyunjay Mahapatra, member board of directors and chairman of the audit committee at Reserve Bank Innovation Hub.
Cybersecurity trends observed in the Asia-Pacific region are similar to what you might see elsewhere. What differs is the type of regulations. But it helps to take a big-picture view and follow broader global trends, said Satyavathi Divadari, cloud CTO, OpenText Cybersecurity.
Supply chain attacks once were the exclusive provenance of nation-state hackers, says Eric Foster, strategic advisor to Stairwell. But not anymore. "More and more of those are moving downmarket," he said. "These days every threat would qualify as an advanced and persistent threat."