• United States




Crossing the Narrow Sea: mitigating island hopping

Jul 24, 20173 mins
HackingRisk ManagementSecurity

Your supply chain is being invaded. It's time to discuss how best to manage risk to your supply chain and reputation in 2017.

Cyberspace of 2017 has become a free-fire zone with a multiplicity of actors. The dark-side of globalization resides in cyberspace. Corporations are regularly under siege from a multiplicity of threat actors. The cyber arms bazaar that flourishes around the world has allowed for criminals and nations to wage long term campaigns against corporations and government agencies. These cybercriminals stalk businesses and consumers from the fog of the dark web. Evidence suggests that the Dark Web has become an economy of scale wherein the cyber-crime syndicates have begun to target the interdependencies of our networks. 2017 has ushered in a foreboding era of digital colonization of American cyberspace.

As the cybercriminal community burrows in to our networks we must appreciate that after the initial theft of data they tend to hibernate. This hibernation allows for secondary schemes of monetization. Some of these criminal endeavors include reverse business email compromise against your customers and/or selective Wateringhole attacks. Cybercriminals realize that there is implicit trust in your brand; trust that can and will be exploited. The modus operandi of cybercriminals has been modernized and thus we should allow their offense to inform our defense. As we attend Blackhat, we must spin the chess board to realize the opportunities for strategic action.

In 2017, CSOs must enhance the scope and diligence of their supply chain security assessment. First, security strategies must encompass more than technology vendors. Law firms and marketing firms should be included in all annual security assessments. Second, any merger or acquisition must include a compromise assessment. Such a compromise assessment should include a penetration test from within your network to the outside world. Finally, service level agreements (SLAs) must be modernized to mitigate the cyber threats of 2017, therefore the rigor of the security controls required must encompass elements of intrusion suppression like the proactive use of deception grids and adaptive authentication.

Managing cyber exposures to your supply chain is a function of conducting business in 2017. Beyond mere compliance with existing standards corporations must protect their brand before it is hijacked. Supply chain risk management requires an architectural paradigm shift to intrusion suppression. Modernizing defense in depth will allow an organization to thwart the burgeoning digital invasion of their network. It is imperative that we reevaluate vendor relationships and institute increased safeguards and oversight as information supply chain risk is here to stay. Cybersecurity investment begets brand protection which in turn mitigates third-party risk. Those companies who embrace brand protection as a function of comparative advantage will become the titans of industry.


Tom Kellermann is a cyber-intelligence expert, author, professor and leader in the field of cybersecurity. Tom is the co-founder of Strategic Cyber Ventures and serves as a Global Fellow for the Wilson Center.

Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection Alliance (ICSPA), he has worked in the highest levels of cybersecurity. He has applied his expertise in the corporate world, as Chief Cybersecurity Officer for Trend Micro Inc. where Tom was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.

Prior to Trend Micro, Tom served as the Vice President of Security for Core Security. Tom began his career as Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and security policy as he advised central banks around the world about their cyber-risk posture.

In addition to his professional work, Tom believes in sharing his knowledge to benefit others in order to combat cybercrime. Tom was a Professor at American University’s School of International Service and the Kogod School of Business, and he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.” He regularly presents at global cybersecurity conferences and is a contributor on cyber analysis for major networks. Tom is a Certified Information Security Manager and is a Certified Ethical Hacker.

The opinions expressed in this blog are those of Tom Kellermann and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.