From: Network World

By joltsik Created Mar 8 2011 – 11:17am

I gave a presentation on cyber supply chain security at a Mitre Software Assurance conference last week. One of the things I highlighted was that many organizations are not doing an adequate level of security due diligence on their IT vendors. This fact is clearly illustrated in a few ESG Research data points from the recent report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure”: (note: this report is available for free download at [1])

1. Only 31% of critical infrastructure organizations always audit the security processes and procedures of their strategic software vendors. Outside of software, only 30% always audit the security processes and procedures of their strategic infrastructure vendors (i.e. servers, storage, networking, etc.).

2. When auditing their IT vendors, only 33% of critical infrastructure organizations follow a standard audit process. The other audits are done on an ad hoc basis.

3. While almost half of the critical infrastructure organizations say that vendor security audits have a “significant impact” on their purchasing decisions, 47% say that vendor security audits have only “some impact” on procurement. In other words, they may still buy from a vendor that failed a security audit.

Taken together, only a small minority of IT vendors face standard security audits of their security processes and procedures in which the results determine whether they are fit to provide critical infrastructure organizations with IT equipment. This means that most IT vendors get a security “free pass” in one way or another. Keep in mind that we are talking about IT equipment that keeps our lights on, safeguards our money, or supplies us with food.

The reason why this is so frightening is that left to their own devices, many IT vendors tend to focus on developing new features and functionality rather than invest in security processes and procedures or focus on developing secure hardware and software. Yes, you can do both. For example, HP and IBM both have internal security standards for all products. I know I’ll get flamed for saying this but Microsoft is also a leader here with its Security Development Lifecycle (SDL). That said, many vendors either cut corners or have no real security design or testing processes at all. Others have “opt-in” programs where one product line follows strict security best practices while others eschew them completely.

Insecure IT products in the critical infrastructure leave us completely vulnerable to some type of cyber attack that could disrupt our economy — and our lives — for some period of time. I’m talking about no electricity, gasoline, telecommunications, etc. for some extended timeframe.

To minimize the risk of a massive economic disruption, one of two things must happen:

1. The market responds. Imagine that next Monday, March 14, every enterprise CIO told their IT vendors in no uncertain terms that they would not buy their hardware or software unless it met certain security requirements by December 31, 2011. I guarantee that this would change the industry overnight.

2. Legislators respond. If #1 does not take place AND the US or another major economy is hit with a devastating cyber attack, it is likely that Congress will feel compelled to step in with some type of legislation on minimal IT security standards. This will be a messy situation involving lobbyists, lawyers, technologists, and elected officials.

The IT industry is not altruistic so most vendors will only enhance their security processes and procedures if they are forced to do so. I hope that demand-side requirements drive this change before regulators feel like they have to step in to protect our national interests. Of course, IT vendors could be responsible citizens and take this upon themselves. Some already have, but I’m not holding out much hope for those who have not.