Cybersecurity / Risk Management

The Supply Chain shouldn’t be zero-trust

I get it for network architecture. I get it for strong authentication. I get it for making sure I am not a robot (not, by the way). But I have to trust my partners.
So when it comes to third-party risk management, I refuse to accept that my relationships begin with the assumption that all my third parties are tools of the hackers until proven otherwise.

Risk assessment of third parties has to be a conversation with my third parties, not an interrogation. And, certainly, I understand that most relationships are asymmetrical. Maybe they’re bigger than me and can just post their certifications and never answer my questions. Maybe they’re really small and will never have a CISO; hell, they may not even be big enough to have a full-time IT staff.

But the “zero trust/remember Target’s HVAC vendor/weakest link” conversation removes Security from the business and that carries with it its own risks.
