Evaluating and Reducing Supply Chain Risk

Vikram Asnani of CyberGRX Says the Supply Chain Is a Top Concern

Attacks on software supply chains can be difficult to detect yet devastating once one has occurred. But organizations can take steps to limit the risk from their suppliers, says Vikram Asnani, senior director of solution architecture with CyberGRX.

Third-party suppliers may send a certificate of assurance when questioned about their controls, but that's not good enough, Asnani says. The certificate is "just an attestation that someone has done it, and you're relying on that blindly," he says.

The biggest risks come from the long tail of suppliers that are likely never queried about their own cybersecurity practices. But there are detectable warning signs.

Asnani cites two examples: a supplier that has a patch management program in place but lacks visibility over all of its assets, or a supplier that has a SIEM but isn't collecting logs into it.

"Those are key red flags that people can quickly identify," Asnani says.

In this video interview with Information Security Media Group, Asnani discusses:

  • What risks organizations face from their supply chains;
  • How organizations can ensure suppliers are meeting baseline security controls;
  • Why potential supply chain security problems may be missed.

Asnani has 15 years of global experience assisting clients with risk management, cybersecurity strategy, third-party risk, cloud migration, business continuity and data privacy through advisory and managed services offerings, with a motto of using technology as an innovative solution for driving maturity. He is currently a solution architect for CyberGRX.

About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.