A cloud-based security company is touting a strategy for mitigating supply-chain risks in the defense industry as yielding a “de facto standard,” which could be applied across other sectors and motivate other solutions to cybersecurity challenges.
“This was arrived at with the help of six large defense companies, so it's kind of a de facto standard. If I'm a supplier in the aerospace defense industry I'm probably dealing with one of the six, so it makes my job easier to say, if I fix this, it's applicable to all of them,” Vijay Takanti, senior vice president of Exostar, said in an interview with Inside Cybersecurity.
Exostar has developed a questionnaire -- with buy-in and agreement from major defense contractors such as Lockheed Martin and Northrop Grumman -- which probes potential third-party suppliers to assess their cyber risks and suggest ways to address them. Takanti recently presented the system during an interagency forum seeking best practices for managing supply-chain risks, an issue that has persisted, especially given the resource constraints specific to smaller businesses.
“Suppliers are struggling to understand where to invest their limited budgets so what was designed in the aerospace industry is a cyber risk function which tracks suppliers, so we know if the supplier has maturity, and can provide the suppliers a sort of priority list so they can build their own road map to actually implementing those security controls,” Takanti said.
Other panelists at the cyber forum spoke on the importance of “soft skills” needed to collaborate with the supplier, and noted the importance of being “charming” to understand the risks, according to Takanti, “because you're asking for information that's not easy to obtain and people are reluctant to share.”
Exostar, whose board of directors includes a representative from the pharmaceutical company Merck, is already working with partners in the healthcare space and sees the same tools scaling to address supply-chain challenges in that and other industries.
The company’s efforts come as the defense industry seeks to comply with a number of Defense Federal Acquisition Regulation Supplement (DFARS) clauses on cybersecurity, and as industry in general searches for ways to manage the cybersecurity risks presented by the supply chain.
“In general this sounds like one of many of the types of ideas that are increasingly getting traction,” said a former government official long involved in cybersecurity policy. “There is a tremendous amount of business and government interest in finding efficient ways to address this challenge, so that means there will be lots of investment in lots of ideas. That's good for security, as it will create a race to the top in terms of efficient ways to secure the supply chain.” -- Mariam Baksh