White Paper
VMware and the Need for Cyber Supply Chain Security Assurance
By Jon Oltsik, Senior Principal Analyst
September 2015

This ESG White Paper was commissioned by VMware and is distributed under license from ESG.
© 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Contents
Executive Summary
Cyber Supply Chain Security Realities
Cyber Supply Chain Security Can Be Difficult
CISOs are Bolstering Cyber Supply Chain Security Oversight
Cyber Supply Chain Security Assurance
The VMware Trust & Assurance Framework
The Bigger Truth

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Executive Summary

The common saying, "may you live in interesting times" is actually the English translation of a traditional Chinese curse. This reality is somewhat ironic as CISOs and cybersecurity professionals would likely agree that they indeed live in a very interesting but difficult time. Why? Cyber threats have become more ubiquitous, stealthy, and targeted while the IT attack surface continues to expand, driven by cloud computing, Internet of Things (IoT) initiatives, and mobile application use.

Enterprise organizations now realize that we live in a unique time of increasing IT risk and are responding accordingly. Corporate executives and boards are participating more in their organizations' cybersecurity strategies to mitigate business and technology risk. Many firms have increased cybersecurity budgets as well and are now purchasing and deploying a potpourri of new security analytics systems and layers of defense. All of this activity is a step in the right direction—but it is just not enough.

VMware has introduced a new initiative called "VMware Trust and Assurance," which helps answer customers' questions about VMware's security and development practices and provides greater transparency around how it develops, builds, secures, and supports its applications.

This white paper concludes:

Organizations are exposed to vulnerabilities in the cyber supply chain. The cyber supply chain introduces the risk that a product or service could be compromised by vulnerabilities and/or malicious code introduced advertently or inadvertently during product development or maintenance, due in part to increasing globalization of the IT supply chain. Consequently, IT products and services built on a foundation of broad diverse cyber supply chains may increase the risk of a devastating cyber-attack to customers.

IT risks are not limited to corporate LANs, WANs, and data centers. Rather, enterprises remain at risk for cyber-attacks that take advantage of vulnerabilities existing in IT equipment, business partner networks, non-employee devices, etc. As the saying goes, "the cybersecurity chain is only as strong as its weakest link." Regrettably, much of the cybersecurity chain resides outside the perimeter firewall and thus needs proper oversight, cybersecurity best practices, and ample layers of defense.

CISOs are pushing back on IT vendors. Pragmatic cybersecurity professionals now realize that their strategic IT vendors can make or break the cybersecurity chain. In the worst case, insecure partners or IT systems can be used as a staging ground for a devastating data breach. To minimize risk, many enterprise organizations are addressing cyber supply chain security by auditing IT vendors' security processes and making purchasing decisions based upon a vendor's ability to meet increasingly rigorous cybersecurity requirements.

IT vendors must develop cyber supply chain security assurance capabilities; The VMware Trust and Assurance Framework serves as a model for the industry. Enterprise cybersecurity requirements will continue to become more rigid in the future. As this situation evolves, CISOs will only do business with trusted IT vendors with demonstrable cyber supply chain security assurance programs that include all aspects of their product development, testing, distribution, deployment, customization, and support. VMware's Trust & Assurance initiative serves as a model of the transparency needed for cyber supply chain security for the industry. CISOs should demand a similar response from all strategic IT vendors.

Cyber Supply Chain Security Realities

Organizations large and small are changing their behavior with regards to cybersecurity in response to the increasingly dangerous threat landscape and highly-publicized data breaches. In fact, many organizations no longer consider cybersecurity an IT issue alone. Alternatively, cybersecurity risk is now a business priority that gets ample attention with business executives and corporate boards. According to ESG research:

When asked to identify the biggest driver for technology spending over the next 12 months, 46% of organizations pointed to security and risk management initiatives. This was the most popular response, quite a bit higher than the second most popular answer, "cost reduction initiatives," which came in at 37%.

Just over one-third of organizations (34%) say that Information security initiatives are the most important IT priority this year. Once again, this was the top response.

59% of organizations said that their IT security budgets for 2015 would increase while only 9% said they would decrease infosec budgets this year.[1]

Increasing focus on cybersecurity has resulted in lots of activity, as many organizations add layers of defense to their networks, implement new solutions for incident detection and response, and bolster security monitoring and analytics efforts.

These internal efforts are a good start but a growing number of CISOs realize that cybersecurity risk extends beyond the LAN, WAN, and corporate data centers to a larger population of customers, suppliers, and business partners. This larger cybersecurity universe is sometimes referred to as the cyber supply chain, which ESG defines as:

"The entire set of key actors involved with/using cyber infrastructure: system end-users, policy makers, acquisition specialists, system integrators, network providers, and software hardware suppliers. These users/providers' organizational and process-level interactions to plan, build, manage, maintain, and defend cyber infrastructure."

Cyber supply chain security issues are not uncommon. For example:

In 2008, the FBI seized $76 million of counterfeit Cisco equipment.

As part of the Stuxnet incident in 2010, five companies acting as contractors for the Iranian nuclear program had their networks compromised in order to gain trusted access to government nuclear facilities.

The successful 2013 data breach at Target Corporation was eventually traced to system compromises at Fazio Brothers, one of Target's HVAC contractors. Hackers used Fazio Brothers as a staging ground and used the company's network access as an attack vector.

Cyber Supply Chain Security Can Be Difficult

Some CISOs recognize the risks associated with their cyber supply chain security and this is especially true for organizations that depend upon armies of external business partners, contractors, or suppliers as part of their business operations. Unfortunately, cyber supply chain security best practices aren't easy as they require constant oversight of the state of cybersecurity related to IT equipment providers, software vendors, connected business partners, etc.

In fact, cyber supply chain security seems to be growing increasingly problematic for some firms. In a recent ESG research survey of critical infrastructure sector organizations (i.e., chemical sector, emergency services, energy sector, financial services, healthcare, telecommunications, etc.), 40% of cybersecurity professionals admitted that cyber supply chain security has become more difficult over the past few years, and those who did supplied numerous reasons for that increased difficulty (see Figure 1):

44% of critical infrastructure sector organizations say that their organization has implemented new types of IT initiatives, increasing the cyber supply chain attack surface. These initiatives include BYOD, cloud computing, Internet of Things (IoT) projects, and the growing use of mobile applications and devices.

39% of critical infrastructure sector organizations say their organization has more suppliers than it did two years ago. This is to be expected, given the wave of IT innovation around software-defined data centers, cloud platforms, virtual networks, etc.

36% of critical infrastructure sector organizations say that their organization has consolidated IT and operational technology (OT), increasing the complexity of cyber supply chain security. In these cases, CISOs are forced to secure business-critical but unfamiliar technologies like programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems used for industrial operations.[2]

Figure 1. Reasons Why Cyber Supply Chain Security Has Become More Difficult
[Figure 1: bar chart. Survey question: "You indicated that cyber supply chain security has become more difficult at your organization over the past few years. Why do you believe that this is the case?" (Percent of respondents, N=180, multiple responses accepted)]
Source: Enterprise Strategy Group, 2015.

Aside from the assortment of issues described in Figure 1, CISOs often voice other concerns to ESG. For example, many security executives are anxious about the growing use of open source components (and vulnerabilities) as part of commercial software (i.e., Heartbleed, OpenSSL, Shellshock, etc.). CISOs also worry about things like rogue insiders working for IT suppliers and data privacy related to sensitive information moved to the cloud by IT vendors and business partners. Data privacy and cyber supply chain security issues can also be a source of concern driven by global "follow-the-sun" development practices and cloud architectures, as well as emerging regulations like the EU Digital Single Market initiative.

CISOs are Bolstering Cyber Supply Chain Security Oversight

As cybersecurity morphs from a technology to a business issue, CEOs and corporate boards are gaining a better perspective of cyber supply chain security risks. This is driving a chain reaction—business executives are pushing CISOs to mitigate cyber supply chain risk, causing cybersecurity executives and purchasing managers to place more stringent cybersecurity requirements on their IT vendors.

[1] Source: ESG Research Report, 2015 IT Spending Intentions Survey, February 2015.
[2] Source: ESG Research Report, Cyber Supply Chain Security Revisited, September 2015. All ESG research references and charts in this white paper have been taken from this research report unless otherwise noted.

ESG research illustrates this trend with an extensive array of security considerations for IT vendors as critical infrastructure sector organizations evaluate and purchase IT products and services. For example, 35% examine a vendor's experience and track record related to security vulnerabilities and software patches, 35% look at a vendor's overall security expertise and reputation, and 32% contemplate a vendor's reputation and industry expertise (see Figure 2).

Figure 2. Cybersecurity Evaluation Considerations for IT Purchasing of Products and Services
[Figure 2: bar chart. Survey question: "The following is a list of security considerations an organization may evaluate before purchasing IT products and services. Which of the following considerations are most important to your organization during the product evaluation and purchase process?" (Percent of respondents, N=303, three responses accepted per respondent)]
Source: Enterprise Strategy Group, 2015.

To further appraise IT vendor security, many organizations are also adopting a formal cybersecurity audit process as part of their IT procurement process. For example, 91% of critical infrastructure sector organizations audit the cybersecurity of their strategic software vendors (i.e., always conduct audits or do so on an as-needed basis), 90% audit the cybersecurity of their cloud service providers, and 88% audit the cybersecurity of their strategic IT infrastructure vendors.

These audits are becoming increasingly comprehensive. As ESG research illustrates, IT vendor cybersecurity audits include things like hands on reviews of a vendor's security history, reviews of a vendor's security documentation, processes, and metrics, and reviews of vendors' own internal IT and compliance audits (see Figure 3).

Figure 3. Mechanisms Used In IT Vendor Audits
[Figure 3: bar chart. Survey question: "You have indicated that your organization conducts audits of its IT vendors' security processes. Which of the following mechanisms does your organization use to conduct these IT vendor security audits?" (Percent of respondents, N=294, multiple responses accepted)]
Source: Enterprise Strategy Group, 2015.

Cyber Supply Chain Security Assurance

The ESG research presents a clear picture—high-security enterprise organizations are increasingly demanding greater cybersecurity best practices from their strategic IT vendors. Furthermore, vendors' cybersecurity policies, processes, and metrics are becoming a determining factor for IT procurement as advanced organizations are now selecting strategic IT vendors based upon a new standard, cyber supply chain security assurance, defined as:

Cyber supply chain security assurance is the practice of managing cyber supply chain risks related to the people, processes, and technologies used to design, develop, produce, distribute, and implement IT hardware, software, and services.

To parse this definition further, cyber supply chain security assurance includes:

Secure product development. This includes a secure software development lifecycle, assessment, and testing of open source and third party code included in vendor products, and consideration of the cybersecurity practices of all contractors and suppliers that participate in software development or hardware bill of materials.

Adequate security skills. To minimize risks associated with human error, product developers, testers, and other handlers must have suitable and up-to-date cybersecurity skills.

The right cybersecurity processes and procedures. Vendors must back their day-to-day operations with cybersecurity best practices for risk management, threat prevention, and incident response. Additionally, IT vendors must employ cybersecurity best practices for internal IT themselves.

Field-level cybersecurity expertise. Even when cybersecurity features are embedded in IT systems, overwhelmed customers may not know how to configure devices or customize systems for their individual security needs. Vendors with leading cyber supply chain security assurance skills have field-level employees or partners who can help customers consume and benefit from product security features and functionality upon deployment and continually over time.

Strong cybersecurity customer support. While vendors should do all they can to develop, distribute, and deploy secure products, they also must have the right preparation for inevitable security vulnerabilities. Cyber supply chain security assurance demands that vendors' security teams monitor the latest attack trends and work with the greater security community to ensure timely awareness of new vulnerabilities that could impact their products. Once vulnerabilities are detected, vendors must also have highly efficient processes for developing, testing, and distributing software patches. Finally, vendors must have a highly trained staff to guide customers through security fixes as needed.

The VMware Trust & Assurance Framework

ESG believes that cyber supply chain security assurance is starting to have a market impact, creating a clear line of delineation between IT vendors with true cybersecurity commitments and those that remain behind. Sadly, many IT vendors have not embraced the right level of cyber supply chain security assurance, putting their customers at risk.

Since its formation in 1998, VMware Corporation has grown and evolved its role at enterprise organizations. Early on, VMware server virtualization technology was used primarily by IT departments for software testing and development. Over time, large organizations embraced VMware in production data centers for server consolidation. Most recently, VMware has become a strategic IT vendor at many enterprise organizations as VMware technology is often deployed on endpoints, in data centers, and across public and private cloud infrastructure.

As it advanced from tactical to strategic IT vendor, VMware faced a pattern of increasing cybersecurity scrutiny from demanding public and private sector customers. To address this, VMware management introduced an internal focus on continuous cybersecurity improvement several years ago. This effort culminated recently with an initiative called VMware Trust & Assurance, which is composed of four guiding principles:

Reliability. Within the VMware Trust & Assurance framework, the commitment to reliability includes:

Product performance and scalability in order to ensure that VMware products can meet enterprise demands.

A pervasive culture of evangelism and education to keep VMware employees and customers educated and engaged on rapidly-changing cybersecurity risks.

Research dedicated to enhancing VMware product performance and reliability while working with customers on associated project planning, testing, deployment, and optimization.

Quality metrics and continuous improvement associated with VMware products, people, and partners.

Integrity. This principle aligns with VMware's software development and comprises:

The VMware software development lifecycle. VMware had built a development process that includes formal repeatable processes for software design, testing, documentation, release, and ongoing support.

Compliance and risk. Along with its partners, VMware developed the compliance reference architecture framework (RAF) that aligns its technology with regulatory compliance requirements across industries.

Software supply chain management. VMware is addressing its own cyber supply chain practices in a number of areas including IP protection, source code sharing, risk management assessment, and proactive software security programs with strategic partners and suppliers.

Privacy. To protect customer privacy, VMware defines its privacy policy to customers, specifying what data it collects and how it is used. VMware follows a "privacy by design" framework to provide transparency on privacy as it relates to products, services, and support.

Security. VMware has introduced strong cybersecurity throughout its organization. Examples of this include:

Product security. VMware has created a product security team responsible for oversight of all product security. This group supervises security development processes and metrics with each product team and is responsible for demonstrating continuous improvement.

Security development lifecycle. This extends beyond the secure software development lifecycle and includes security training, planning, serviceability, as well as response planning, product security requirements assessment, and overall security monitoring.

The security response center. VMware employs a team of security researchers, software developers, and support staff to find vulnerabilities, develop fixes, and work with customers and partners for timely distribution and deployment of security fixes.

IT security. Like all large enterprises, VMware's corporate infrastructure is under continual attacks from malicious individuals and entities. To address this risk, VMware maintains cybersecurity best practices on internal networks and systems.

Commitment. To make cyber supply chain security assurance pervasive in everything it does, VMware has made cybersecurity part of its corporate culture. Of course, this requires a true cybersecurity commitment including:

Continuing product development. VMware has established a continuing product development organization, which acts as a single point-of-contact for addressing, escalating, and resolving product and customer cybersecurity issues.

Ecosystem services. VMware understands that its cybersecurity supply chain includes a network of hundreds of other IT vendor and services partners. VMware provides technical support, testing, cooperative support services, and rules-of-engagement to ensure strong cybersecurity in the field.

Customer advocacy. VMware recognizes that cybersecurity professionals are a community of like-minded individuals with a few common goals—mitigating IT risk and protecting critical IT assets and data. To succeed, VMware depends upon a partnership of equals with VMware participating in the cybersecurity community rather than dictating its own IT vendor agenda. VMware seeks to facilitate this relationship with security research, workshops, benchmarks, security education, and social media campaigns.

With its Trust & Assurance initiative, VMware is taking a 360 degree perspective on cybersecurity that encompasses its products, partners, customers, employees, and the cybersecurity community at large. In this way, VMware has not only responded to its enterprise customers' need for greater transparency related to cyber supply chain security, but is also setting an example that should be emulated by other IT vendors.

The Bigger Truth

CISOs face a daunting area of challenges. Cyber threats grow more voluminous, sophisticated, and targeted while IT infrastructure gets more complex as network perimeters disappear. Yes, these changes demand an increasing commitment to cybersecurity oversight, risk management, and tight security controls but these efforts simply can't be limited to corporate LANs, WANs, and data centers. Rather, CISOs must understand the risks associated with their cyber supply chains, and establish best practices for cyber supply chain security.

ESG research indicates that this transition is already in progress, causing many organizations to audit the security of their IT product and services vendors. Leading edge enterprises are also making purchasing decisions based upon their vendors' cyber supply chain security assurance programs. Moving forward, more organizations will likely follow suit.

Unlike many other enterprise IT vendors, VMware is well prepared for this increasing level of cybersecurity oversight. In fact, the VMware Trust & Assurance initiative is designed to meet and exceed the growing need for greater transparency related to enterprise cybersecurity. As such, VMware is setting an example for the IT industry at large. CISOs would be well served to demand similar cyber supply chain security assurance from ALL of their strategic IT vendors.

20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com
