Conclusion
Although cyber supply chain security has improved somewhat over the last five years, there is still cause for concern. IT and information security professionals at critical infrastructure organizations believe that the threat landscape is getting worse and that cyber supply chain security is growing more difficult. Furthermore, more than two-thirds of critical infrastructure organizations have experienced a multitude of types of security incidents, including those emanating from vulnerabilities in software they developed in-house. Finally, many critical infrastructure organizations are pursuing new types of IT initiatives like cloud computing, mobile applications, and IoT projects. These technologies are in their genesis phase and may be fraught with vulnerabilities. Meanwhile, cybersecurity best practices and skills around IT innovation also lag behind.
All of these factors add up to continuing cyber supply chain security complexities. Based upon the research data presented herein, ESG offers the following recommendations for critical infrastructure organizations, IT technology vendors, and the U.S. Federal Government.
For Critical Infrastructure Organizations
ESG’s research indicates that not only are critical infrastructure organizations inadequately prepared for the current threat landscape, but most are compounding this problem by not doing enough to mitigate the risks associated with cyber supply chain security. To address these shortcomings, critical infrastructure organizations should:
Assess cyber supply chain risk across the organization. Since the cyber supply chain includes a broad range of participants, including IT vendors, suppliers, business partners, and contractors, many critical infrastructure organizations delegate cyber supply chain security management to a variety of internal groups and individuals. While this makes sense at an operational level, it makes it impossible to get a comprehensive perspective of cyber supply chain security or accurately measure cyber supply chain risk. To alleviate this unacceptable situation, CISOs and risk officers should take the time to map out their entire cyber supply chain—every partner, IT equipment vendor, SaaS provider, supplier, etc. Clearly, this will take time and require ample resources, but an end-to-end and up-to-date map of the cyber supply chain is an essential foundation for situational awareness and proactive risk management.
Integrate cyber supply chain security into new IT initiatives. When asked why cyber supply chain security has become more difficult, 44% of cybersecurity professionals blamed new IT initiatives that have increased the cyber-attack surface. This isn’t surprising given massive adoption of technologies like cloud computing, IoT, and mobile applications over the past few years. Unfortunately, new IT initiatives often prioritize business objectives at the expense of strong cybersecurity. Given today’s threat landscape, this type of laissez-faire approach to cybersecurity must be expunged from the organization. To address and mitigate cyber supply chain risk, CEOs must lead by example with the goal of building a corporate culture that inculcates strong cybersecurity into all business processes, programs, and supporting IT initiatives.
Fully integrate security into IT procurement. ESG data demonstrates that processes and procedures governing IT vendor security audits lack consistency and usefulness. As mentioned, best practices for IT vendor security audits should include the following steps:
Audit all strategic IT vendors (including service providers, cloud service providers, and distributors).
Follow a standard process for all vendor audits.
Implement a corporate policy where IT vendor security audit metrics have a significant impact for all procurement decisions.
A stringent audit process should pay for itself by lowering cyber supply chain risk over time. It will also send a clear message to IT vendors: Adhere to strong cybersecurity policies and procedures or hawk your insecure products and services elsewhere.
Address all aspects of software assurance. As in other findings in this report, critical infrastructure organizations have made progress on software assurance since 2010, but these improvements are based on additional tactical actions rather than an end-to-end strategic approach. Software assurance must be anchored by a secure software development lifecycle and the right skill set for secure software development. Furthermore, software assurance best practices must be followed with no exceptions. This demands an enterprise program for internally developed software as well as stringent controls on third-party software development, maintenance, and testing. Leading companies will also impose testing and quality standards on all commercial software.
Formalize external IT security. When it comes to cyber supply chain security, risk associated with working with third-party partners must be managed and mitigated with the same care as internal activities like vulnerability scanning and patch management. In fact, strong cyber supply chain security has become an SEC mandate and will likely find its way to other industries beyond financial services. Once again, this demands a consistent, documented, and measurable approach for third parties that provide IT services to or consume them from an organization. Aside from legal contracts, governance frameworks, and certifications, CISOs should explore new types of cyber intelligence designed for monitoring third-party risk from vendors like BitSight and SecurityScorecard.
Push for more help from Washington. Like many other critical issues, cybersecurity has been relegated into partisan politics and pork barrel programs. Critical infrastructure organizations should work together, come up with legislative recommendations, lobby for action, and make sure to keep the public aware of any partisan behavior or stalling in Washington.
IT product and service providers should view this report as a harbinger of things to come. Critical infrastructure organizations have much work ahead, but ESG data does indicate clear progress since 2010. It is therefore wise to recognize that critical infrastructure organizations are slowly but surely making strong cybersecurity a requirement for all IT vendors. To prepare for this security transition, the entire IT industry must:
Build comprehensive internal cybersecurity programs. Several large IT vendors including Cisco, IBM, Microsoft, Oracle, and VMware have not only created strong cybersecurity programs internally, but also published details about these programs for customer review. Typically, these programs include features like cyber supply chain security management, secure product design, security testing, employee training, IT security, and security services and support. All IT vendors should study and emulate these programs to the best of their abilities.
Take a solutions focus to cyber supply chain security. As secure as any one vendor’s products and processes are, business applications and IT infrastructure are composed of a myriad of connected piece parts working together. This means that IT vendors should take a proactive approach to engaging with product and services partners and participate fully in cybersecurity testing, deployment, and operations for complex IT solutions.
Include strong security as part of customer engagements. Even the most diligent customers may not be aware of the cybersecurity intricacies of individual IT products. Smart vendors will work with customers to answer questions, recommend reference architectures, help them harden their products, and maintain a constant stream of communications.
For the U.S. Federal Government
While cybersecurity continues to be topical in the halls of Congress, this and other ESG research reveals a growing gap between cybersecurity professionals and Washington. To alleviate this disconnect and truly engage with the cybersecurity community, the U.S. Federal Government should:
Start with clear and concise communications. ESG research indicates that only 22% of cybersecurity professionals working at critical infrastructure organizations have a clear understanding of the government’s cybersecurity agenda. This may be because there are too many cybersecurity voices at different agencies, an abundance of programs with confusing acronyms, and far more rhetoric than action. The U.S. government can only rectify this situation by developing a comprehensive strategy for cybersecurity for critical infrastructure industries. Of course, there is no shortage of documents and programs that claim to do this, but the cybersecurity community at large is looking for one program, bipartisan support, strong and cogent communication, and a visible government leader who actually “owns” cybersecurity. Sadly, many cybersecurity professionals view Washington as part of the problem rather than part of the solution. Government officials will not reverse this cynicism without an honest two-way dialogue, a mutually beneficial partnership, and a clear long-term strategy.
Treat cybersecurity as a national security rather than a political issue. After years of political wrangling, the Cybersecurity Act of 2012 received bipartisan support in the Senate Homeland Security and Governmental Affairs Committee. Unfortunately, the bill never proceeded to the Senate floor for a vote. Why? It was a presidential election year, so finger pointing took precedence over collaboration. The cybersecurity legislation remains stalled. In August 2015, the Senate left Washington for recess without passing a pending cybersecurity bill on public/private threat intelligence sharing. While politicians continue to give stump speeches about data breaches, cyber-adversaries, and national security concerns, cybersecurity legislation continues to languish. Frustrated by this inactivity, President Obama issued several executive orders in this area. One of these led to the promising NIST cybersecurity framework—a good addition, but more of a suggestion than anything else. The U.S. has faced an unprecedented wave of cybercrime and cyber-espionage over the past few years with no end in sight. It’s time for the President and Congress to:
Fund cybersecurity education programs.
Expand the Cyber Corps program as a way to exchange cybersecurity training and tuition funding for public service.
Improve the hiring process and compensation structure for federal cybersecurity professionals.
Create incentives for cybersecurity investments.
Work as an equal partner with the cybersecurity community at large. Make sure that federal cybersecurity programs in this area are equally accessible to all cybersecurity professionals in all industries and locations—not just within a few hundred miles of Washington, D.C.
Create and promote standards like STIX and TAXII for threat intelligence sharing.
Share threat intelligence and best practices.
Limit liabilities to organizations that truly commit to strong cyber supply chain security.
Impose penalties on organizations that continue to minimize cybersecurity.