Despite what security vendors might say, there is no way to comprehensively solve our supply-chain security challenges, posits JupiterOne CISO Sounil Yu. We can only manage them.
In the late 19th century, many large cities faced an unpleasant predicament due to too much horse manure piling up in the streets. Aside from the direct impact of the odors and unsightly excrement, it indirectly poisoned the water supply and accelerated the spread of disease.
There were some ways to mitigate the buildup with shovels and wheelbarrows. Still, the accelerating accumulation of manure from carriage horses was not entirely solvable through the existing technology and methods. Until the introduction of motorized vehicles, cities could not solve this predicament. At best, they could only manage it.
This is more or less the situation we face with the state of supply-chain security today. Declaring supply-chain security to be a problem suggests that there exists a solution. But supply-chain security is not a problem because there are no simple solutions or checklists. There aren’t even complicated solutions.
Rather, it’s a complex and chaotic predicament that today can only be managed. This is not simply a semantic difference. Drawing this distinction allows us to better categorize the challenges we face, to make better decisions and avoid frustration stemming from applying the wrong approach to a given challenge.
If supply-chain security were simply a problem, then a solution should be attainable within our grasp. However, despite what security vendors might say, we lack a solution that can comprehensively solve our supply-chain security challenges.
Having the Wisdom to Know the Difference
As security professionals, we should take the “Serenity Prayer” to heart:
“God grant me the serenity to accept the things I cannot change,
courage to change the things I can,
and wisdom to know the difference.”
This simple prayer reflects the difficulty we may have in discerning the difference between security problems and predicaments. Without the wisdom to know the difference, we become frustrated trying to untangle a predicament that cannot be substantively changed, and we waste management attention in the process.
Different Tools for Different Challenges
Not knowing the difference can also lead to the wrong choice of tools, or faulty expectations from the right tools. The implementation tools that we use to tackle problems are distinctly different from the decision-support tools that we use to manage our predicaments.
The difference is summed up well by taking a different spin on an adage coined by John Lambert: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
When we talk about addressing basic hygiene and compliance, these are solved problems and the solutions can be codified as lists. Problem-solving tools should be able to easily check these lists and confirm that common flaws are addressed. But when it comes to a predicament such as supply-chain security, simple suggestions to do the basics or rely upon long questionnaires are wholly inadequate. Our supply-chain risks do not simply go away after we receive a completed questionnaire.
Predicaments often arise from the complex interaction of interdependent components that are nearly impossible to untangle. There is not a single cause to a predicament and as such, no single solution. Similarly, our supply chains are heavily intertwined. There is no easy way to “fix” our dependency on outside suppliers while remaining competitive in the marketplace. This dependency creates an ongoing risk factor, or the predicament, that can only be managed until a whole new class of technology or processes can displace how we operate our supply chains today.
Mapping out the interdependencies among our suppliers and key assets helps us to understand our exposure and mitigate potential impact. This graph won’t solve our supply-chain problem, but thinking in graphs allows us to understand and manage this risk. For example, a software bill of materials (SBOM) does not make our software supply-chain security issues go away. However, an SBOM is incredibly helpful when it comes to understanding our dependencies and managing the risks associated with the predicament that we find ourselves in.
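To make the "think in graphs" point concrete, here is an added example (not code from the article or from JupiterOne) that treats an SBOM as a dependency graph. The input is a small constructed document that loosely follows the shape of CycloneDX's `components` and `dependencies` sections (`bom-ref`, `ref`, `dependsOn`); the `supplier` field is simplified to a plain string and every component and vendor name is invented. Given a supplier component assumed to be compromised, it walks the graph in reverse to list the applications exposed, and it ranks suppliers by how many applications transitively depend on what they ship, which is the kind of decision-support output that helps manage, rather than solve, the predicament.

```python
"""Blast-radius analysis over a CycloneDX-style dependency graph.

Added example (not from the article): builds a small, constructed SBOM in the
shape of CycloneDX's `components` / `dependencies` sections, inverts the
dependency graph, and answers the defender's question "if this supplier
component were compromised, which of my applications are exposed?".
"""
from collections import defaultdict, deque

# Constructed sample. Field names loosely follow CycloneDX (bom-ref, ref,
# dependsOn); `supplier` is simplified to a string. All values are invented.
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "app:payments", "name": "payments-service", "type": "application", "supplier": "internal"},
        {"bom-ref": "app:web", "name": "customer-portal", "type": "application", "supplier": "internal"},
        {"bom-ref": "lib:http-client", "name": "http-client", "type": "library", "supplier": "vendor-a"},
        {"bom-ref": "lib:logging", "name": "logging", "type": "library", "supplier": "vendor-a"},
        {"bom-ref": "lib:json", "name": "json-parser", "type": "library", "supplier": "vendor-b"},
        {"bom-ref": "lib:tls", "name": "tls-stack", "type": "library", "supplier": "vendor-c"},
    ],
    "dependencies": [
        {"ref": "app:payments", "dependsOn": ["lib:http-client", "lib:json"]},
        {"ref": "app:web", "dependsOn": ["lib:logging"]},
        {"ref": "lib:http-client", "dependsOn": ["lib:tls"]},
        {"ref": "lib:logging", "dependsOn": ["lib:json"]},
        {"ref": "lib:json", "dependsOn": []},
        {"ref": "lib:tls", "dependsOn": []},
    ],
}


def build_graphs(sbom):
    """Return (forward, reverse) adjacency sets.

    forward[x] = components x depends on; reverse[x] = components that depend on x.
    """
    forward = defaultdict(set)
    reverse = defaultdict(set)
    for dep in sbom["dependencies"]:
        for target in dep["dependsOn"]:
            forward[dep["ref"]].add(target)
            reverse[target].add(dep["ref"])
    return forward, reverse


def dependents_of(ref, reverse):
    """All components that transitively depend on `ref` (BFS over the reverse graph)."""
    seen, queue = set(), deque([ref])
    while queue:
        current = queue.popleft()
        for parent in reverse.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def application_refs(sbom):
    """bom-refs of the components we ultimately care about: our applications."""
    return {c["bom-ref"] for c in sbom["components"] if c["type"] == "application"}


def exposed_applications(sbom, compromised_ref):
    """Sorted list of applications exposed if `compromised_ref` is compromised."""
    _, reverse = build_graphs(sbom)
    return sorted(application_refs(sbom) & dependents_of(compromised_ref, reverse))


def supplier_blast_radius(sbom):
    """Map each external supplier to the applications that transitively depend on
    anything it supplies, ordered from widest blast radius to narrowest."""
    _, reverse = build_graphs(sbom)
    apps = application_refs(sbom)
    radius = defaultdict(set)
    for component in sbom["components"]:
        if component["supplier"] == "internal":
            continue
        radius[component["supplier"]] |= apps & dependents_of(component["bom-ref"], reverse)
    ranked = sorted(radius.items(), key=lambda item: -len(item[1]))
    return {supplier: sorted(exposed) for supplier, exposed in ranked}


if __name__ == "__main__":
    print("If lib:json were compromised, exposed apps:", exposed_applications(SAMPLE_SBOM, "lib:json"))
    for supplier, apps in supplier_blast_radius(SAMPLE_SBOM).items():
        print(f"{supplier}: {len(apps)} application(s) exposed -> {apps}")
```

The reverse traversal is the part a questionnaire cannot give you: `lib:json` is never a direct dependency of `app:web`, yet it reaches it through `lib:logging`, so a compromise at vendor-b touches both applications. Running the same walk per supplier turns the graph into a ranked list of where management attention is best spent, while leaving the underlying dependency in place.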
In cybersecurity, we often struggle in knowing or articulating when we are “done.” Separating our problems from predicaments can help. When it comes to problems, we are done when we are compliant with the latest best practices and standards (a difficult but achievable moving target goal). But when it comes to predicaments like supply-chain security, let’s have the serenity to know that we will be shoveling horse manure for a long time.
Sounil Yu is CISO and head of research at JupiterOne.