Previous blog posts have talked about the expansion of regulatory purview of existing authorities, and how that is affecting businesses of all sizes - whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.
Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, including SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows. So we’re all getting used to this.
I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach: you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.
The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate. Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually.
The manufacturer has a responsibility to address technical vulnerabilities in the product as they are discovered: notify customers and provide a patch, update, or workaround, or completely replace the product. The integrator has a responsibility to work with the customer to ensure that the technology is deployed securely: changing default passwords, activating encryption and other controls that may be optional, and applying manufacturer-supplied updates across the deployed base. And you, the customer, must provide activity monitoring and incident response capabilities.
Our collective attack surface is growing rapidly at a time of increasing criminal, nation-state and terrorist activity, while Internet-of-Things devices are becoming preferred targets for extortion and are being weaponized to attack other entities. All three parts of this approach to the technology’s life span are required: the manufacturer’s assurance of security, the integrator’s secure deployment and maintenance process, and the customer’s detection and response. Of the three, two apply to third parties and are driven by contracts.
In short, if it can’t be shown to be secure and there’s no plan for keeping it that way, don’t buy it. Use procurement and contracting as the security tool it can be, or your “smart” organization may end up looking not so smart.