The most important thing to achieve in information security in 2012 is supply chain security, writes Adrian Davis, principal research analyst at the Information Security Forum (ISF).
Over the past six years, the ISF has conducted a yearly forward-looking exercise called the Threat Horizon. In this exercise, we draw on the expertise of our members, academics and futurologists to examine the global trends and challenges organisations and information security will face, using the business-oriented PLEST (political; legal and regulatory; economic; socio-cultural; technology) framework.
Our Threat Horizon has consistently flagged up both the dependence of organisations on their supply chains and the very real risks and vulnerabilities those supply chains present.
Global standard for supply chain security
So, from the ISF’s viewpoint, the most important nut to crack is supply chain security. The ultimate aim should be a globally accepted, adopted and scalable supply chain security assessment standard and approach that is cost effective and generally accepted across the business and government communities.
Such a standard would provide a methodology, a process to identify supply chain risks and assess them, a baseline information security standard, and a method of consistently and regularly assessing and comparing the information security status of the organisations in the supply chain. Applied globally, it would set the bar for a supply chain, provide a way to assess and demonstrate security status, and offer a firm foundation to specify and build security solutions.
Securing the supply chain in 2012
So is securing the supply chain a dream or reality for 2012?
We at the ISF believe it can happen and are working to solve this problem for our members and the industry as a whole. We have created the common baseline for external suppliers and are looking to expand the range of tools and techniques our members can use to secure their supply chain.
In addition, we are working on the draft ISO/IEC 27036 Standard on Information Security in Supplier Relationships; aligning with the Common Assurance Maturity Model; and forming alliances with the Cloud Security Alliance. Watch this space.
This was first published in December 2011