nori
Viewer

Who should lead the supply chain security initiative?

Hi there!

In conversations with corporate security leaders, many say they would like to advance supply chain security measures.

Specifically, they are considering allocating a budget for such activities (for example, calling on their contractors to set up the organization's CSIRT).

Naturally, contractors do not rely solely on orders from one company, so they will receive similar requests from multiple business partners.

Companies that first request a contractor to serve as a CSIRT will have to spend a lot of time transferring knowledge to the contractor, while companies that hire the contractor later will incur lower costs.

I wonder whether or not it would be a good idea to advise them:

"If you want to keep costs down, don't touch the supply chain. Wait until another company has done it."

Is this a good idea?

I want to hear everyone's opinions!!

Thank you.

 

3 Replies
nkeaton
Contributor III

I believe that it takes a joint effort, but often those in cybersecurity and/or IT have to start the conversations and initiatives. While all stakeholders need to be involved, we first need leadership approval and support. In acquisition, you definitely need the contracting and legal teams involved. Contractors should never do anything that is not specifically detailed in the contract. If there is a contract and an SLA, they must match, but the contract is often the most legally binding document. If it is not in writing, it is not going to happen. NIST documents are a good no-cost source for much of this.
akkem
Newcomer III

Cost is a key factor in decision-making, but compromising security can harm reputation. Every organization's leadership should establish benchmarks and standards to balance both security and cost effectively.

dcontesti
Community Champion

Contractors may design your CSIRT, but I would never recommend that they run it.

IMHO the members of the CSIRT should be in-house staff (legal, HR, PR, IT, Security (IT and Physical), etc.)

A contractor may be able to best design it, but should only run it if they are actively part of staff.

Please check out this thread:

https://community.isc2.org/t5/Tech-Talk/Platforms-for-Crisis-Communication-amp-Emergency-Documentati...

Regards

d