Research Report: Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure
ESG Research Report
The primary objective of this ESG research study was to survey Critical Infrastructure and Key Resources (CIKR) organizations in order to qualify and quantify the current status of their existing security profiles as well as their awareness of and programs dealing with cyber supply chain security.
To assess cyber supply chain assurance, ESG asked 285 security professionals to respond to questions in areas such as:
1. Risk management
  • Has the organization experienced any security breaches? If so, what was the impact?
  • How would respondents rate the security threat landscape now as compared to two years ago? Do respondents expect the threat landscape to get worse over the next two years?
  • How well prepared is the organization for the current threat landscape?
  • Is executive management supporting and investing in cyber security?
2. Procurement
  • How important are IT vendors’ security processes in customers’ procurement decisions?
  • Do CIKR organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?
  • Do IT vendors assume any liabilities for faulty or compromised products?
  • Do CIKR organizations hold system integrators accountable for the overall security of the systems they design, deploy, operate, and manage? If so, how?
  • To the best of their knowledge, have CIKR organizations purchased any counterfeit IT hardware/software over the past 12 months?
3. Software development
  • Do CIKR organizations include security considerations in their standard software development processes?
  • Have organizations experienced any security breaches related to vulnerabilities in internally developed software?
  • Do CIKR organizations require their internal developers to be trained in secure software development?
  • When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?
4. External IT security
  • To what extent do CIKR organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?
  • If so, how are these relationships secured? Are there formal processes and safeguards in place?
5. The role of the U.S. Federal Government
  • Do CIKR organizations believe that the Federal Government should do more or less in terms of cyber security defenses and strategies?
  • What specific actions should the Federal Government take?
Table of Contents
  • Executive Summary
    • Report Conclusions
  • Introduction
    • Research Objectives
      • 1. Risk Management
  • Research Findings
    • Respondents Are Unfamiliar with Cyber Supply Chain Security
      • What types of organizations are “very familiar” with cyber supply chain security?
  • The Current Security Landscape
    • ESG Data Insight
    • Security Breaches Cause System and Service Interruptions
      • ESG Data Insight
  • Cyber Supply Chain Security
    • Cyber Supply Chain Security and IT Procurement
    • Cyber Supply Chain Security and IT Vendors
      • ESG Data Insight
  • Cyber Supply Chain Security and Software Assurance
    • ESG Data Insight
      • ESG Data Insight
  • Cyber Supply Chain Security and External IT
    • ESG Data Insight
  • Cyber Supply Chain Security: The Federal Government Role
  • Research Implications
    • For Critical Infrastructure Organizations
    • For the IT Industry
    • For the U.S. Federal Government
  • Research Methodology
  • Respondent Demographics
    • Respondents by Job Responsibility
    • Respondents by Number of Employees
    • Respondents by Industry
    • Respondents by Annual Revenue
    • Respondents by Total Annual Budget
    • Respondents by Compliance Regulations