Securing the Supply Chain Risk

January 10, 2023

Phillip Solakov, Optiv’s Director of Client Solutions, joins Cyber Security Matters to talk about top threats, supply chain vulnerabilities and risk-based approaches for securing business ecosystems.

 

Dominic Vogel: Hello everyone. Welcome to a new edition of the Cyber Security Matters podcast. I'm your host, Dominic Vogel, and joining me as always, is my co-host Christian Redshaw. Christian, how are you doing today?

 

Christian Redshaw: I am good, sir. How are you Dominic?

 

Dominic Vogel: I'm doing very well. I'm excited for today's episode, and this is an episode sponsored by Optiv. And today's guest is Phillip Solakov. He's a director of client solutions based in Toronto, Canada, for Optiv. I know you're gonna be really looking forward to that conversation.

 

Christian Redshaw: Definitely.

 

Dominic Vogel: So we will take a momentary pause here, and we'll bring Philip aboard.

 

Christian Redshaw: Let us do it.

 

Dominic Vogel: Philip, thank you so much for joining us in the Cybersecurity Matters podcast today. How are you doing?

 

Philip Solakov: Very well. How are you guys doing?

 

Dominic Vogel: We're doing fantastic. It's a rare sunny day here in November, in Vancouver. So we'll take it. So you're catching us on a good day. But we're, we're really looking forward to the conversation with you today. And I thought we would maybe just start off with, if you could share a little bit about your personal, and career narrative, sort of tell our listeners and viewers, more about the amazing story that is Philip.

 

Philip Solakov: Sure. Well, I studied electrical engineering and business in university. And I got a job with Telus as a marketing analyst, and kind of worked my way through many different roles, from, you know, managed services in security, in routing and switching, and voice, and WAN. And eventually, got to do some really cool stuff, like building out really interesting projects, across different clients in Canada, and, you know, kind of really getting a sense for what the B2B business is like, in the managed services, telco, and security space. I got the privilege of working in Western Canada, in ILEC territory, that's incumbent local exchange carrier territory, where Telus actually owns all the copper. And also in Toronto as well, with CLEC, the competitor. So, you know, having both sides of the telco experience was super great. And the last six years of my time at Telus, I was pretty much focused on cybersecurity exclusively, running a team of architects, and complex solutioning consultants. And we were building out really, really cool projects, like big data analytics, standing up security operations centers, you know, large infrastructure projects as well, for some large healthcare, and financial services companies. And for the last three years, I've been at Optiv. And Optiv is probably the world's largest cybersecurity pure play. Where we kind of cross all breadth of cybersecurity, and have a lot of expertise, in almost every area you can think of.

 

Dominic Vogel/Christian Redshaw: That's a heck of an intro. Looking forward to diving deeper with you on some of these questions here. Yeah, and I think, thank you for sharing that Philip. I think before we dive in deep, let's just state, kinda at a high level of why cybersecurity matters, just to start and set the tone. Let's say that you're talking to a board member or, you know, a corporate executive, and they're maybe, you sense that they're skeptical about the importance of cybersecurity, about, you know, making an investment, of time and resources, into cybersecurity. Let's say they're a two out of 10. What would be your message to them? What were the, what would be the elements that you'd wanna get across to them, to maybe bring them up to like a nine or 10 outta 10, when it comes to the importance of cybersecurity in their organization?

 

Philip Solakov: Well, I think cybersecurity is ultimately a question of risk. It's a question of what are the risks of your business? What are the different types of critical business processes that you might have? And you know, what is it that you're trying to achieve in your business? So cybersecurity is, you know, kind of, you got the security triangle, right: the CIA triangle of confidentiality, integrity, and availability. That's very important. But as we're moving forward, as you know, I think that global governments are talking about different kinds of legislation, which is now seeping into, not seeping into, but really becoming more, more important, with different kinds of boards, across different kinds of organizations, different kinds of industries. There is mandatory compliance that will be relevant to those boards of directors, that they'll have to worry about. It's not just something that the cyber team will now be dealing with; the legal, risk, and compliance teams will all be working with those as well. So the board will have to know about that. I think back to my previous point, which I kind of didn't quite make as well as I wanted to, it really is about securing the operation of the business. So if we can't collect revenue, if we can't deliver the packages, if we lose our clients' trust, if we have the wrong kind of brand reputation damage, like, you know, if clients no longer trust us to use our website, to buy our products, to do whatever it is, or maybe it's just an availability issue of they just can't get in. I think all of those are critical risks that the business owner absolutely has to be worried about. And it's absolutely relevant to a board of directors at this point. Cybersecurity is not just an IT thing anymore, it's across the organization.

 

Christian Redshaw: Yeah, I think, I think that's a very good answer, and I think that would hopefully be convincing to most business leaders today. So we're seeing it become a little bit more widely accepted, and more mainstream. So we appreciate that. When it comes to the lack of security, say, in your supply chain, you know, wherever it is, your vendors, your suppliers, what bearing does that have on you, as an organization? What relevance do their cybersecurity weaknesses have to you?

 

Philip Solakov: Sure. I mean, this is a great question. And this comes down to the idea of, what is the supply chain in our business today? What are the different types of risks that we might face? And, you know, how does working with many other partners increase our risk? I kind of want to talk about, really quickly, the different types of supply chain vulnerabilities, or attacks that can happen, at a very high level. You know, one, you know, we work with third party organizations, who have legitimate access to our systems. We are working with them, and transacting as business partners. Next, we're acquiring software, or we're building software. And when we're building it, or we're acquiring it, there are tons and tons of code dependencies behind that software. And all of those create individual vulnerabilities that we do have to worry about. And this is kind of where the idea of a software bill of materials comes in. And then we also have hardware issues in our supply chain as well, in the manufacturing process. Or it's not as easy, as well, not that it's easy to do a software bill of materials, and that's fine. But at this point, you know, it's becoming something that's more commonplace. But in the hardware world, I mean, in the manufacturing process, something could happen that's undocumented, and you might never know it's there. So I think that all of those things, all those three areas, really combine into, this is what a supply chain looks like, this is what could increase our risk of working with so many other third parties. Once a third party is potentially compromised, that could be an entry point into your business, or your organization.

 

Dominic Vogel: Just maybe as a follow up to that, Philip, when we're talking about, you know, from the supply chain perspective, we're seeing more organizations, you know, starting to care about it, given the threats that you laid out there. Are you seeing from a, I'll rephrase this. There's two sides of it, right? There's the larger organizations that would likely care more about the supply chain risk, compared to maybe some smaller organizations. Smaller organizations are in a position now where they need to prove their security reliability to these larger organizations, whether that's through the RFP process, or vendor risk management. I'm curious, sort of on both sides, like with smaller organizations, are you finding that they're being more proactive because they recognize that if they're not able to prove their security reliability, that they'll be flagged as being, you know, a potential part of a risk in the supply chain? Curious to your thoughts on that?

 

Philip Solakov: Yeah, absolutely. I'm gonna answer that question in a second. I want to bring up the fact that this is kind of highly relevant. It's not just large organizations that are targets, it's every organization at this point. I did wanna bring up earlier, and I forgot to, but Blackberry published a global survey in October of this year. I think they just released the survey in its entire form on their website recently, maybe yesterday. They polled about 1500 senior IT cyber decision makers. They found that 80% of organizations have been notified of a vulnerability somewhere in their software supply chain in the last 12 months. So it's everywhere, and everyone should be worried about this, and actually talking to their partners, their suppliers, about cybersecurity. I think that the answer to your question is this: You have to determine the supplier criticality, try to understand, what is a supplier providing you? Are there alternatives? Are you kind of bound to that one particular supplier? Once you understand, you know, the critical suppliers that you have in your business, you may have to actually mentor and coach those suppliers to improve their cybersecurity practices. That's coming straight from NIST. The idea is, we have to assess, and hold our third parties, our suppliers, to some sort of standard. That is probably different for every organization, depends on the supplier category. But I mean really, the idea is, you know, do an assessment. Maybe there's a formal certification that they have to go through. And this can be very difficult, because an organization can have tens, hundreds, thousands, tens of thousands of third parties that they work with, as suppliers, as partners, depending on the nature of that business. It can be very difficult to do a security audit of every single business that you work with. But I think it is important to understand the ones that are most mission critical. Focus on, you know, prioritizing those ones, of course. Yeah, I think that's kind of the answer there. It really is up to you, to go and understand which suppliers of yours are the most critical, to understand what their risk profile is, and what they're doing around cybersecurity, so that they're not creating exposure to you.

 

Dominic Vogel: For sure. And I appreciate that response, Philip. And just taking it a step further, exactly, you're saying there, you know, you have to take a risk-based approach, right? Maybe focus more on the higher-risk vendors. But, you know, so what tools are available to organizations that want to do that? Let's say, you mentioned doing that assessment on a vendor, unless these organizations are large enough that they have people in their procurement team, or what have you, to do that, what solutions are available to organizations that wanna be able to do that, but don't have the people power to do so?

 

Philip Solakov: Well, you know, I've heard of people using Excel, which is a bad idea, to manage and track risks, and all the different suppliers and vendors in their ecosystem. I don't wanna talk about specific technologies. I think that, you know, there are plenty in the world to do third party risk management style services, and risk scoring. You know, you can Google that, and you'll find tons of results. And there's plenty of good software platforms out there, mostly SaaS, which is great, easy to set up, and easy to consume. There are also consulting organizations, managed services teams, that will be happy to help you set up that program, assess the different risk profile of your different vendors, you know, work with you, whether you want to insource or outsource, and build that program out for you, and then even potentially help conduct different types of surveys, audits, questionnaires, et cetera. I think that the questionnaires that you're gonna typically use are gonna have to be built around some sort of framework. So it really depends on what that security framework is that you decide to use in your organization.

 

Christian Redshaw: Thank you so much, Philip. I just have kinda one more question. I think it's a big question. When we're talking about, okay, the general cyber threats, yes, they exist in the supply chain, for the supply chain organizations, at the different levels of their processes, and they exist for you as an organization. What would you say are the top, you know, one or two threats to be concerned about right now, and what kind of action steps, or protection steps, would you recommend to build protection around your, you know, information assets?

 

Philip Solakov: I think that probably, this is a tough question, because there are different ways to answer it, right? There's the 10,000 foot view of, let's understand our risks, but then there's also practical questions of what could I do tomorrow, and have a meaningful impact? I think visibility, identifying what's in your environment. I think that's kind of one of those number one critical steps. You can't really secure, or protect, what you don't understand that you have in your environment. You have to know what's there. So understanding what your assets are, what your crown jewels are, where the data is, where it's going. I do think that an overlooked area in our industry is data security. From data governance, through classification, discovery, monitoring, loss prevention, I think that that's an area that doesn't get enough traction, for whatever reason. I think that maybe historically, perimeter security was just easier to conceptualize, but now we're seeing that, you know, data is extremely important. I think that, not one of the one or two easiest things to do, but one of the one or two most important things to do, is probably also around resiliency. So are you ready for the breach when it happens? Can you recover from that breach when it happens? And that recovery question is really interesting. It's about understanding what those business processes are. It's about, what does it take to actually get your business back online? It's not just a question of backups, it's a question of people, and process, and the technology. It's about making sure that when you do restore your systems, that you don't have lingering, you know, active exploits.

 

Dominic Vogel: No, that was spot on Philip, and gosh, gosh, we really, really appreciate all the insights and wisdom that you shared with us today, and with our viewers and listeners as well. That was a fantastic conversation. Christian and I are very grateful for you taking the time out to join us on the Cybersecurity Matters podcast today. Thank you again.

 

Philip Solakov: Alright, thank you very much.

 

Dominic Vogel: Thank you. Awesome. Christian and I will be right back, to wrap up today's episode.

 

Narrator: Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise, to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy, and operate complete cybersecurity programs, from strategy and managed security services, to risk, integration, and technology solutions. At Optiv, we manage cyber risk, so you can secure your full potential. For more information, visit optiv.com.

 

Dominic Vogel: Well, we covered a lot of ground there with Philip, and I am very grateful for the insights and wisdom that he shared with us today. What was one of your sort of key takeaways from that conversation?

 

Christian Redshaw: You know, I imagine Philip is not only a cybersecurity leader, but he's in the trenches as well. He has a lot of deep experience in managing cyber risks, particularly when it comes to the operational side. So when he talks, you know, we should definitely listen up. It was just really helpful for me to see how he approaches cyber risk, particularly managing your supply chain, and thinking about the criticality of each supplier. Absolutely. I think it was a really great area for us to focus on, you know, how Phillip is breaking down supply chain risk, and how organizations can have greater power, and greater control, from a risk reduction perspective, around, you know, controlling the risk that arises through the supply chain, through third parties. So very grateful to Philip today, for joining us on the podcast, and very grateful to Optiv for sponsoring today's episode. And as always, we're grateful to our loyal listeners and viewers, who join us each and every week. If you did happen to miss a previous episode, do check out old episodes on the Cybersecurity Matters YouTube page, or listen on your preferred podcasting platform. Until next time, be well, be safe, and we'll see you again sometime in the near future, on the Cybersecurity Matters podcast.