CSQA participated in the drafting of the book "Supply Chain Security: the risks of the supply chain", edited by the Clusit Community for Security.
The supply chain for ICT services has undergone profound transformations over time, moving from solutions run in internal data centers to outsourcing and the cloud, and affecting not only classic IT but also plant automation based on OT (Operational Technology) and IoT (Internet of Things) solutions. Outsourcing has also meant that more and more suppliers gain access to the client organization's IT systems.
This book discusses ICT supply chain security risks.
The term supply chain therefore normally refers, implicitly, to the ICT supply chain, although the treatment is sometimes extended, more generally, to digitized assets whose security depends strongly on that of their suppliers.
With this publication the Clusit Community for Security aims in particular to provide cross-functional guidance, namely to:
- explore which risks need to be examined in supply chain management in different contexts;
- examine how supply chain criticalities and vulnerabilities can propagate;
- suggest how to intervene by presenting controls to prevent or at least limit the spread of critical issues;
- examine the legal and contractual aspects in depth.
The need for adequate risk management is also demonstrated by the many incidents caused by errors, carelessness and missing controls at subcontractors in the supply chain, whose impact then propagated to the end customer, sometimes with serious consequences for the business.
Research findings and relevant examples of security incidents are also included, providing further useful insights.
Why this book?
The data in the Clusit 2021 Report on ICT security in Italy and worldwide shows an increase in attacks carried out by exploiting supply chain vulnerabilities, which allows cybercriminals to hit every party involved in the chain (customers, other suppliers and third parties). Some emerging or recently consolidated dynamics highlighted in the report are:
- an increased attack surface;
- a shift in cybercriminals' strategies towards simpler attacks aimed at the weaker parties in the supply chain;
- uneven investment in IT security, with large companies having the tools, resources and knowledge, while SMEs, for lack of budget, training, awareness and sensitivity, remain poorly equipped;
- a persistent cultural problem, whereby micro-enterprises and SMEs mistakenly believe they are not a target and consequently settle for a level of security that is inadequate for the current context.
It is therefore essential for management to understand how this scenario can affect their own organization and which risks it is exposed to, across all types of ICT service, whether internal or outsourced.
The aim is not only to help customers understand what to ask their suppliers but also to help suppliers prepare to support possible (and increasingly probable) requests from their customers.
Who is it aimed at?
Top management (e.g. board members, CEOs and CFOs) will certainly benefit from reading this book: they play a fundamental role in defining security and outsourcing strategies, and the book will help them develop awareness of the subject and demand adequate monitoring of the supply chain. The book will also be useful reading for roles with more operational responsibilities that support top management, for example risk managers, CIOs, CISOs, DPOs and, in the public sector, digital transition managers, purchasing managers, and project and product managers.
Reading this book does not require in-depth prior expertise: it assumes only that the reader has some sensitivity to an organization's critical processes and pays attention to what is outsourced. (Source: https://supplychainsecurity.clusit.it/)