What is Software Supply Chain Risk Management and Why Should We (as an Org That Uses Software) Care?

Last Updated on October 3, 2022

As software eats more of the world, and more of that consumption takes place in the cloud and through software-as-a-service (SaaS) solutions, new “compound” cybersecurity risks are being created that orgs haven’t faced before.

What does this new software supply chain look like? And why is understanding and managing these new risks so important?

To provide much-needed insight into software supply chain risks and how forward-looking businesses are addressing them today, Willy Fabritius, Global Head of Strategy & Business Development, Information Security Assurance at SGS, joined a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Not as easy as it looks

Software supply chain risk management is the risk management activity associated with your software supply chain. But what does that actually mean? What and where is that supply chain?

Willy notes that it all comes down to an accurate inventory of all the software tools, SaaS apps, components, APIs, etc. you’re using that come from third parties. If you don’t know what you have, then you cannot manage it.

“I am discovering that more and more companies have challenges with telling me an answer to this very simple question: What kind of software are you using?” states Willy. “Everybody comes up with the top five, six, whatever. SAP, Salesforce, Microsoft 365… But what is with all those other pieces of software we are using, but maybe they’re not official suppliers?”

Like that “almost free” online service you just signed up for, that never came up on your purchasing department’s radar. Chances are there was no assessment done of the associated risk. Yet this new partner—whose security posture you may know nothing about—could be handling confidential data. Or they could become almost irreplaceable within your business process. So, what if they go down or go out of business?

Applying the CIA triad

Risk from software doesn’t just relate to your data. As John points out, it can also relate to business continuity.

“When we see a large block of AWS or Microsoft Azure go out, and all of these interrelated services also have outages, and those stack up the wrong way for your organization, you can think about it from a security risk perspective where somebody’s going to lose information,” explains John. “But I think the scary risk is that business continuity/availability risk—the ability to get things done.”

“It comes back to InfoSec 101: Confidentiality, Integrity, Availability,” observes Willy. “At the end of the day it comes down to analyzing every situation against those three parameters. In some cases, the confidentiality might be the more important thing. In some cases, it might be the availability.”

But the question is, who is doing the risk assessment on service providers and the software supply chain? And when is that happening?

Say your marketing team is sharing prototype/futures information with your ad agency using a SaaS app the agency recommended. Are you just sharing that data with your agency and taking on those risks? Or are you also taking on risks associated with the collaboration app, including what might happen if it crashes, leaks data or goes out of business?
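The inventory-first approach Willy describes, and the CIA weighting John and Willy discuss, can be turned into a routine check. The script below is an added example, not code from the podcast, SGS or Pivot Point Security; it reconciles a constructed procurement inventory against constructed single sign-on/OAuth-consent log lines to surface apps in use that were never recorded or assessed, then ranks known-but-unassessed suppliers by their highest CIA impact. The log format, app names and impact scores are all assumptions.

```python
# Added example (not from the podcast or the organizations it features): reconcile
# the SaaS/software the org actually uses against procurement's inventory, then rank
# the gaps by CIA impact. All data below is constructed for illustration.
from collections import Counter

# Procurement's view: approved suppliers, whether a risk assessment exists, and the
# impact (1 low .. 3 high) of a failure of Confidentiality, Integrity, Availability.
INVENTORY = {
    "Microsoft 365": {"assessed": True,  "cia": (3, 3, 3)},
    "Salesforce":    {"assessed": True,  "cia": (3, 2, 3)},
    "SAP":           {"assessed": True,  "cia": (3, 3, 3)},
    "AdCollab":      {"assessed": False, "cia": (3, 1, 2)},  # agency-recommended app
}

# Constructed single sign-on / OAuth-consent log lines, one "app=" field per line.
SSO_LOG = """\
2022-10-03T09:01:12Z user=alice@example.com event=login app=Microsoft 365
2022-10-03T09:05:40Z user=bob@example.com event=login app=Salesforce
2022-10-03T10:17:03Z user=carol@example.com event=oauth_consent app=FreeDiagramTool
2022-10-03T11:42:55Z user=alice@example.com event=login app=AdCollab
2022-10-03T13:00:21Z user=dave@example.com event=oauth_consent app=FreeDiagramTool
"""

def apps_in_use(log: str) -> Counter:
    """Count sign-in/consent events per app name found in the log."""
    seen = Counter()
    for line in log.splitlines():
        if " app=" in line:
            seen[line.split(" app=", 1)[1].strip()] += 1
    return seen

def shadow_apps(log: str, inventory: dict) -> dict:
    """Apps seen in use that procurement never recorded: the 'almost free'
    services nobody assessed. Maps app name -> number of observed events."""
    return {app: n for app, n in apps_in_use(log).items() if app not in inventory}

def unassessed_by_impact(inventory: dict) -> list:
    """Known suppliers with no risk assessment, highest CIA impact first."""
    gaps = [(name, max(v["cia"])) for name, v in inventory.items() if not v["assessed"]]
    return sorted(gaps, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    print("Shadow SaaS (in use, not in inventory):", shadow_apps(SSO_LOG, INVENTORY))
    print("Inventoried but unassessed, by impact:", unassessed_by_impact(INVENTORY))
```

Running it lists the diagramming tool two users consented to without procurement's knowledge, and the agency's collaboration app as the unassessed supplier with the highest confidentiality impact.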

What’s next?

To hear this cutting-edge show with software supply chain expert Willy Fabritius all the way through, click here.

Why is there so much buzz around supply chain risk management? John Verry saw this one coming: John Verry’s 2022 InfoSec Prediction #3: Supply Chain Risk Management Will Continue to Grow in Importance
