Below the Surface: The Supply Chain Security Podcast

Stewart and Trey join us to talk about driving cybersecurity policies for the nation, what makes a good policy, what makes a bad policy, supply chain research and policies, and overall how we shape policies that benefit cybersecurity.

Segment Resources:

• https://www.atlanticcouncil.org/in-depth-research-reports/report/broken-trust-lessons-from-sunburst/
• https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Gain insights into the CISA KEV straight from one of the folks at CISA, Tod Beardsley. Learn how KEV was created, where the data comes from, and how you should use it in your environment.

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Resource: https://cisa.gov/kev

Jay Jacobs Co-Founder and Data Scientist and Wade Baker Co-Founder; Data Storyteller from The Cyentia Institute come on the show to talk about The Exploit Prediction Scoring System (EPSS).

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Ed Harris joins us to discuss how to secure OT environments, implement effective air gaps, and more!

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

We discuss the various aspects of Mitre Att&ck, including tools, techniques, supply chain aspects, and more!

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Cassie has a long history of successfully managing a variety of security programs. Today, she leads supply chain efforts for a very large product company. We will tackle topics such as software supply chain management, SBOMs, third-party supply chain challenges, asset management, and more!

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Bob Martin comes on the show to discuss systems of trust, supply chain security and more!

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Jason joins us to discuss the current enterprise landscape for defending against supply chain attacks, remediating firmware issues, and the current challenges with patch management.

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

Casey recently was involved in an event that brought hackers and 5G technology together, tune-in to learn about the results and how we can use bug bounty programs to improve the security of "things".

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!

In this episode, we disccuss digital supply chain governance and compliance, featuring Josh Marpet from Guarded Risk, hosted by Paul Asadorian and Alan Alford. Specifically, we discuss:

• The importance of understanding and complying with regulations affecting digital supply chains, such as Executive Order 14028 and the NIST Cybersecurity Framework.
• The podcast highlighted the impact of EU regulations, like CRA, GDPR, and DORA, on global businesses, underscoring the shared responsibility model in data security.
• Vendors' duties in open-source security and software vulnerability management were discussed, with a call for automation in software inventory and security, including the use of SBOMs.
• The conversation included strategies for effective supply chain risk management, advising regular updates, and understanding the interconnectedness of vulnerabilities.
• International compliance, particularly with EU data security laws, presents operational challenges and necessitates robust cybersecurity measures.
• Proactive vendor communication and automated processes are crucial for managing cybersecurity threats efficiently.

• Continuous risk assessment is preferred over periodic checks, with an emphasis on a nuanced approach to cybersecurity risk management.

• (00:00) - Digital Supply Chain Governance Compliance

• (14:08) - EU Regulations on Data Security

• (21:38) - Responsibility of Vendors in Open Source

• (27:49) - Supply Chain Risk Management Program Advice

• (39:01) - Automating Software Inventory and Security

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more!