In episode forty-one of The Business of Security podcast, Josh Bruyning and Chad Boeckmann talk to Marcus Bartram from Telstra Ventures, a San Francisco-based VC firm that invests in mid-stage tech companies. According to Bartram, due to the changing IT architecture, cybercriminals are having an easier time breaking into companies, stealing data, and causing overall problems. It raises the question, “how do I solve a problem that didn’t exist yesterday that exists today?”
Now that cybercriminals know how to attack corporations through the supply chain, newer cyber companies have taken the lead and stepped into the software supply chain spotlight. These companies are taking questions like, “How do I identify all the dependencies I have in my open-source software program, and what sort of attribution do I bring to each of those dependencies?” and “What does this tell me about the threat I face through development, and what do we do about it?” and creating tools that ultimately help answer these questions and keep other corporations safe from attacks.
With the software supply chain issue, third-party risk management also comes into question. According to Chad Boeckmann, this is a frustrating topic for many security professionals today because they feel that if they can do assessments, they can also do third-party external scanning of these vendors. To CISOs, this feels like they are still just checking compliance boxes rather than moving the needle toward continuous improvement with their suppliers. This problem is not going away anytime soon, so what tools or strategies are rising to change the game around accountability and process improvement within the supply chain sector?
According to Bartram, third-party supplier assessments used to be the job of email, spreadsheets, and a dedicated team of people who hammered away at their company's suppliers to get things done. This process has evolved into the creation of tools that attempt to form a more informed view of the risk posed by third-party suppliers, as clearly depicted by the rise of the security scorecard. One company created a collaboration tool that monitors and engages the supplier base in a conversation with the security team, who can then see how the suppliers are improving their posture over time.
The supply chain sector and third-party risk management are areas that new companies are starting to address with innovative tools and thinking, and investors are noticing. Interested in learning more? Check out the full episode, Investing in Supply Chain Solutions with Marcus Bartram, HERE.