Supply Chain Security w/ Omkhar Arasaratnam

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security. With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table! Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-worth targets. This attack required precision and focus, and is of the first public breaches; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake up call for all those with access to client data to step up their supply chain security. Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls. Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk. These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly. With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change! Key Takeaways: 1:10 - Allan asks Omkhar to share about his background before jumping into the main topic. 1:53 - Allan has two questions for Omkhar. 5:09 - Consumers and providers have a responsibility to step up their game. 7:41 - The conversation shifts toward the vehicles for managing supply chain risk. 9:05 - What’s Omkhar’s take on the open source/credit score-style check? 11:55 - Allan and Omkhar turn to Omkhar’s black box idea. 17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles. 21:50 - What are these obstacles, and what is the needed precursor work? 26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion. Links: Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Learn more about Omkhar Arasaratnam on LinkedIn. Sponsored by our good friends at AttackIQ