Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.

Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. One would assume that critical infrastructure organizations do this type of security due diligence, but unfortunately this is usually not true.

According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:

1. Only 31% of the critical infrastructure organizations surveyed always audit the security processes of their strategic software vendors (i.e., business applications, productivity applications, databases, operating systems, etc.). As bad as this is, even fewer organizations always audit their strategic infrastructure vendors (i.e., servers, storage, networking, security devices, etc.), professional services vendors, or VARS/distributors.
2. When critical infrastructure organizations do conduct security audits, the audits tend to vary by vendor. Only 33% say that “all vendor security audits follow the same standard processes and procedures.” This means that some vendors get put through the proverbial grinder while others get a superficial inspection.
3. In many cases, vendor audits seem to be a “check box” activity rather than a true security requirement. Forty-seven percent of critical organizations say that they “prioritize vendors that achieve a desired security profile but still may buy from other vendors.” In other words, a secure product/vendor may be pushed aside and substituted with an insecure alternative.

Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.

In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.

Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security–or insecurity–carte blanche.

Related posts:

1. Critical Infrastructure Organizations Want Cyber Security Help From the Government
2. Corporate Executives Remain Lukewarm on Cyber Security
3. New ESG Research Report Points To Security Vulnerabilities In the US Critical Infrastructure
4. WikiLeaks, Critical Infrastructure, and Cyber Security
5. Are Critical Infrastructure Organizations Unaware of Security Incidents?

Tags: Barack Obama, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt