Combatting the Inherent Vulnerabilities of Software & Hardware Purchases
In light of an increasing number of data breaches within federal agencies, the defense industrial base, and operators of critical U.S. infrastructure, the federal government is making a concerted effort to improve and enforce cyber security standards across federal agencies and organizations that work with and support government operations.
Yet many organizations remain unsure of how to incorporate cyber solutions into their business, how much of their budget and where to invest, and what the impact on their business will be.
3 Concerns to Address When Purchasing Software or Hardware
Andrea Schaumann, Director of Federal Partnerships and Programs at Fortress, shares three distinct and overlapping concerns addressing the vulnerabilities inherent in hardware and software acquisition and how organizations should consider and respond to those concerns.
1. Technology Concerns With Legacy Systems
Do you want to invest the time, effort, and money to upgrade them or acquire new assets? How do you evaluate the hardware and software components of your equipment to gain transparency into your supply chain and determine potential vulnerabilities? (This is where hardware and software bills of materials — HBOM and SBOM — come into play.)
What are the threats (e.g., corruption, data theft, malware, etc.) that your business is likely to face? And what are the controls that you need to adopt to secure your potential attack vectors against those threats?
2. Operational Concerns with Maintaining Daily Operations
You have to consider the interruptions acquisitions may cause when it comes to maintaining your organization’s daily operations and continuing to deliver value to your customers.
“The primary concern here is that over-hardening may interfere with delivery,” Schaumann said. “At what point have you created so many safeguards that you’ve actually created speedbumps to productivity? What’s a failsafe versus a redundancy?”
3. Business Concerns
How do you keep revenue flowing and protect your reputation with your client base? How do you get organizational leadership to understand that cyber risk is not an afterthought, but a primary part of your overall enterprise risk analysis?
“If you’re not in compliance, that’s going to interfere with the ability to generate new or modify any existing government contracts,” Schaumann said.
Solutions to Acquisition Concerns
Each of these concerns must be addressed at the C-suite level to ensure that the solution fits the needs of your unique organization and business goals, and that the chosen solutions are enforced and supported by leadership.
Schaumann offers the following advice for each area of concern.
- Determine whether it’s time to modernize or replace legacy systems. “You can only issue so many change orders on a single asset and update it with changing technology before you’ve created too many vulnerabilities for it to make sense for you and your operation,” said Schaumann.
- Commit to being an early adopter of cyber controls, rather than waiting until your only option is to be reactive.
- Understand the impact on your systems if you do fall victim to a data breach or malware attack.
- Evaluate the components of your devices early before there’s an issue.
- Implement cyber hygiene best practices and controls.
- Determine the core values and mission of your organization and prioritize those values in your decision-making. What value are you delivering to your customer?
- Leverage public and private partnerships. Talk honestly to the experts about your business and cyber needs and learn how to improve your cyber program.
- Determine what could go wrong without drastically impacting your ability to deliver. What could you do without, and what do you absolutely have to maintain to keep the business running?
- “Enforce best practices within your organization. Implementing controls and developing policies is not enough. We often assume that our colleagues understand what their responsibilities are in terms of cyber hygiene and that they are doing exactly what they’re supposed to do and that they really understand the items that fall squarely in their area of responsibility,” Schaumann said.
“The business solutions are sometimes the most difficult to approach because you need to validate controls and have voluntary adoption of best practices, which is really about getting leadership buy-in,” said Schaumann. “A lot of that hinges on education so that they’re there to back up their team and they’re starting to ask for budget and additional support.”
If the key stakeholders don’t identify what a good cyber program looks like for their specific organizational goals and needs, then anything that can be acquired quickly and cheaply might look good just because it’s a solution. But it might not be the holistic solution that they need to protect their business.
You can hear more from Andrea Schaumann on the Defense and Aerospace Report Cyber Podcast. The above covers just some of her key takeaways.
Cyber Solutions That Protect Your Critical Assets
Fortress Information Security secures critical infrastructure from cybersecurity risks with asset and vendor risk management solutions. Fortress is the only company that connects IT & OT assets and vendors with a holistic approach.
Fortress specializes in critical infrastructure-heavy sectors, like electric power utilities, oil and gas, government, industrial automation, healthcare, transportation, and more.
Schedule a demo to learn more about how Fortress works to identify and manage supply chain risks, continuously monitor, and share data.