Quite simply, companies don’t put enough emphasis on securing their supply chain, says Grant Bourzikas.
Bourzikas would know — he’s the chief information security officer (CISO) at McAfee as well as vice president of McAfee Labs Strategy and Data Science. As the CISO for the $2.6 billion security company, he oversees cybersecurity and physical security strategy, including security architecture and solutions delivery, security governance, risk and vulnerability, and security operations and intelligence programs.
“My belief is we need to really spend time evaluating the risk of the supply chain partner to the overall business of the company and make a good business and security decision,” he tells Corporate Board Member. On March 4 in San Francisco, Bourzikas will join us at the Cyber Risk Forum to speak on “Securing Tomorrow’s Supply Chain.”
In advance of the event, Bourzikas spoke to us about the questions boards don’t ask when it comes to utilizing blockchain and IoT, and why the supply chain is so vulnerable to cyber attacks.
What are the biggest misconceptions that boards make about how companies should be utilizing blockchain and IoT?
The biggest misconception of blockchain is that organizations are widely adopting the technology. While I understand the technology helps drive non-repudiation of transactions, I haven’t seen it used in many businesses, and boards should ask questions around adoption and philosophy. However, IoT is a risk that should be considered at the board level. We have seen from the Dyn attack that IoT devices are often not secured and can cause catastrophic impacts. My largest concern regarding IoT is the decisions businesses are making regarding sensors to capture more relevant data that help drive better operational decisions. Over the last few years we have seen this adoption and the introduction of machine learning, which has had a very positive effect on companies. However, because these sensors are cheap and purpose-built, often by many startup companies, these devices aren’t secured, nor is security factored into the manufacturing process, which can leave organizations very vulnerable.
How should companies work with their business partners to ensure a blockchain/IoT-enabled supply chain is working correctly and won’t leave them at risk?
Security should start at the top and be discussed as part of the overall company strategy. Looking at supply chain and IoT, these are areas in which security has to play because they are vital to the business. We have seen many attackers target the supply chain manufacturers because they know it is simplistic to breach the smaller organizations, as they have a direct line into the larger company. We have seen this in NotPetya and many other breaches. However, most organizations’ supply chain security processes are very ineffective because of the number of vendors and the lack of priority in the process. My belief is that we need to really spend time evaluating the risk of the supply chain partner to the overall business of the company and make a good business and security decision. Often we follow check-box processes that create a facade of security. IoT is a good example because I have seen companies procure and deploy sensors/devices that are critical to networks everywhere because they didn’t understand the security risk, ultimately leaving an organization vulnerable without even realizing it.
Why should boards be involved in these strategic initiatives – why not just delegate it to the C-suite and the company’s in-house privacy experts?
Boards should ask questions specifically around supply chain, IoT and blockchain to make sure the organization is well equipped to manage the risk because organizations should be thinking about the strategic impact on the organization. Security, in general, should be something that is discussed at every board meeting because it has become vital to every business.
What is one takeaway you hope board directors get from this panel?
While I do understand IoT, blockchain, and supply chain are strategic considerations that should be factored into board and executive discussions, I want to make sure that boards are asking some of the more fundamental questions. I often find boards ask great strategic questions, but not the basic security questions that ultimately drive posture, and this is a mistake. One of my favorite discussions to have is “what do we want the security of our company to look like,” because we often focus on programs or specific questions and not the overall culture, health, and posture of an organization. Additionally, the output of a fundamentally strong security organization should be able to demonstrate and articulate the overall risk by business unit and answer many of the questions we have discussed.