With today's enterprises being digital ecosystems made up of many layers of vendors, a vulnerability in one becomes potentially a vulnerability in all. A new initiative by the Cyber Readiness Institute aims to address this by promoting to smaller enterprises the cybersecurity best practices used by Fortune 500 companies.
Microsoft, Mastercard, Exxon Mobil and A.P. Moller-Maersk are working with the not-for-profit CRI to help the companies they work with better secure their systems. This includes disseminating guidance recommending the use of passwords that take the form of phrases, administering security updates and providing advice on how to create a policy to ensure that outside USB devices have been approved by the IT team.
As a former CISO with significant insight into third-party risk, Kelly White, founder and CEO of RiskRecon, offers commentary on the initiative in an interview with Information Security Media Group.
"It's not uncommon for companies to have 100 or even 1,000 vendors that they are interconnected with digitally," White says. "That third-party cyber risk is significant to organizations because a breach in one of the third parties can represent a breach in your own enterprise."
White considers the core focus areas of the initiative as practical steps for ensuring that cybersecurity fundamentals for third parties are executed. "We have good cybersecurity standards, but they're standards, not practices and there's a big gap between translating a standard into practices that you implement and operate in your firm," Kelly says. "This is the gap that this initiative intends to plug."
In this interview (see audio link below photo), White also discusses:
- Whether the initiative sufficiently targets cyber risk today;
- How third-party risk will be addressed;
- Threat vectors that all companies should be focusing on.
White is the CEO and co-founder of RiskRecon. He previously held various enterprise security roles, including CISO and director of information security for financial services companies.