Monthly Archives: September 2022

When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.

If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.

That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.

But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers when it comes to disclosing and reporting on vulnerabilities and ensuring they get back to the Cybersecurity Infrastructure and Security Agency (CISA). CISA which plays a leading role in managing vulnerabilities (and which has also, incidentally, developed a new VDP platform because it recognizes how crucial – and challenging – effective VDP security can be).

VDP security step 1: Outline your goals

Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.

Ask questions such as:

• What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
• What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
• What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by developing a unique selling proposition..

Once you know your main VDP security goals, you can build and use a VDP application tailored to them.

VDP security step 2: Assign responsibilities, develop policies

To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.

Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.

Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.

Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management. 

VDP security step 3: Integrate VDP into your processes

Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policies map should reflect this.

For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.

By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports. 

These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business. 

VDP security step 4: Evaluate vendors

Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.

Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.

From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.

To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

VDP security step 5: Continuously monitor and audit VDP compliance

After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.

To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.

With VDP, everyone wins (except the bad folks)

Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.

Findings bakes VDP into  their platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings bakes the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.

Learn more by signing up for a Findings demo.

Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management. 

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put mildly. Gartner points to a couple of main reasons why:

• Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
• Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
• We’d also add, that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding. 

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories

This may be of interest to you:

 A CISO’s VDP security roadmap based on criteria defined in the playbooks

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you keep up-to-date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: Building a compliance-centric culture.

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.

Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

Learn more about how Findings can help you to streamline your compliance.