Introduction

    Research Objectives

    In order to explore cyber supply chain security practices and challenges further, ESG surveyed 303 IT and information security professionals representing large midmarket (500 to 999 employees) organizations and enterprise-class (1,000 employees or more) organizations in the United States within vertical industries designated as critical infrastructure by the U.S. Department of Homeland Security (DHS). All respondents were familiar with/responsible for their organization’s information security policies and procedures, especially with respect to the procurement of IT products and services. Respondents also had to be familiar with cyber supply chain security as defined previously.

    The survey was designed to answer the following questions:

    1. Risk management

    Has the organization experienced any security breaches? If so, what was the impact?

    How would respondents rate the security threat landscape now compared with two years ago? Do respondents expect the threat landscape to get worse over the next two years?

    How well prepared is the organization for the current threat landscape?

    Is executive management supporting and investing in cybersecurity?

    2. Procurement

    How important are IT vendors’ security processes in customers’ procurement decisions?

    Do critical infrastructure organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?

    Are vendor cybersecurity audits a critical component of IT procurement or do purchasing managers have the discretion to purchase from IT vendors with sub-par product and process security?

    3. Software development

    Do critical infrastructure organizations include security considerations as part of their standard software development processes?

    Have organizations experienced any security breaches related to vulnerabilities in internally developed software?

    Do critical infrastructure organizations require their internal developers to be trained in secure software development?

    When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?

    4. External IT security

    To what extent do critical infrastructure organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?

    To what extent do critical infrastructure organizations currently consume IT services and applications provided by external parties such as customers, suppliers, and business partners?

    How are these relationships secured? Are there formal processes and safeguards in place?

    5. The role of the U.S. Federal Government

    Do cybersecurity professionals working at critical infrastructure organizations understand the U.S. government’s cybersecurity strategy?

    Do critical infrastructure organizations believe that the Federal Government should do more or less in terms of cybersecurity defenses and strategies?

    What, if any, specific actions should the Federal Government take?

    Survey participants represented industries designated as critical infrastructure by the U.S. Department of Homeland Security (DHS). These industries include agriculture and food, banking and finance, communications, defense industrial base, energy (utilities, oil, and gas), transportation systems, water supply, health care, etc. For more details, please see the Research Methodology and Respondent Demographics sections of this report.