In this episode of the SecurityANGLE, I’m joined by Jo Peterson, fellow analyst, engineer, and member of theCUBE Collective community, and by Cassie Crossley, VP of supply chain security, cybersecurity, and product security office at Schneider Electric.
Before we get too far along, I want to share some background. Schneider Electric is a French multinational company specializing in digital transformation and energy management. The company combines energy tech, software, real-time automation, and services to transform homes, buildings, data centers, infrastructure, and industries. Earlier this year, the company launched its new Industrial Digital Transformation Services, designed to help industrial enterprises achieve future-ready, innovative, sustainable, effective, and end-to-end digital transformation.
Why Software Supply Chain Security?
Why is there a focus on software supply chain security? Supply chain security is the part of supply chain management that focuses on the risk posed by external suppliers, vendors, logistics, and transportation. It’s safe to say that today the supply chain, and the security of the supply chain, play an outsized role in successful digital transformation initiatives. Adding to that, the proliferation of software throughout the tech stack potentially exposes organizations to greater risk than ever before. That makes managing and securing the supply chain crucial on both sides: vendors need to deliver software releases that are trusted and reliable, and end-user customers need to know they are using software developed with security as a foundational element.
The Rise in Supply Chain Breaches: Data Shows Companies are Ill-Equipped to Deal with Supply Chain Threats
Supply chain breaches, like security breaches in general, are on the rise. According to the State of Supply Chain Defense Annual Global Insights Report 2023, published by supply chain threat monitoring company BlueVoyant, the average number of supply chain breaches increased by 26% from 2022 to 2023, with the mean number of supply chain breaches rising to 4.16 incidents in 2023 from 3.29 in 2022.
The BlueVoyant report shares that companies remain ill-equipped to understand the extent and nature of the threat to business from third-party vendors. The real challenge that has emerged is getting supply chain vendors to consistently address risk promptly after being made aware of a vulnerability or security issue.
The good news, however, is that while supply chain breaches have increased, so have budgets, with 85% of survey respondents indicating they have increased their budget for supply chain/third-party security over the last 12 months.
And this is why Cassie Crossley, with her deep expertise in software supply chain security, is a guest we’ve been looking forward to talking with.
Check out the full episode: A Dive into Software Supply Chain Security with Schneider Electric’s Cassie Crossley
Our conversation today covered:
- Why the focus on third-party cyber risk management, and what makes that so critically important today.
- Crossley shared suggestions for other supply chain pros on three ways a strong supply chain security program can help identify, analyze, and mitigate risks associated with working with outside vendors and organizations as part of your supply chain.
- Smaller firms often don’t have dedicated application or supply chain experts; Crossley shared advice on how organizations of any size can implement a software supply chain security program.
- The Lehigh Business Supply Chain Risk Management Index was released on March 29th, showing that cybersecurity was identified as the #1 risk for the fifth straight quarter and, not surprisingly, that generative AI has become a concern for supply chain managers. Zach Zacharia, associate professor of supply chain management and director for the Center for Supply Chain Research at Lehigh, said that concerns about generative AI and how it might increase their companies’ vulnerability were identified by survey respondents as the second highest risk, after worries about customer risk. Crossley shared thoughts on the risk generative AI poses as it relates to the software supply chain, and how to think about navigating that.
- We explored the risks that generative AI brings as it relates to supply chain, and how to combat those, as well as thoughts on what makes a supply chain resilient.
As we wrapped the show, we discussed the reality that there are no established, one-size-fits-all guidelines for software supply chain security. However, we left the audience with thoughts on a few of the crucial elements needed to develop a strategy and advice on how to get started.
Find us on social media here:
Shelly Kramer on LinkedIn | Twitter/X
Jo Peterson on LinkedIn | Twitter/X
Cassie Crossley on LinkedIn | Twitter/X
Image credit: Pexels Marcus Spiske