Securing the supply chain

Supply chain security will be a dominant theme this year. It hasn’t been addressed sufficiently well in the past, but compliance demands are beginning to twist people’s arms. In fact there are several distinct security problems associated with the supply chain. Firstly, our current policies and standards don’t suit smaller contractors. Secondly, our software development methodologies don’t include enough security measures. And thirdly, our sources of technology products are vulnerable to back doors and Trojans.

My New Year’s resolution is to contribute to emerging solutions in these areas. This quarter I’ll be focusing on the small company problem. I find it staggering that we haven’t made much progress in this area. Twenty years ago, when I was at Shell developing the basis for BS7799, we recognised that a much smaller, more concise standard would be more appropriate for the small Shell companies. Yet today it’s hard to find much published security guidance that’s suitable for small or medium-sized companies. I believe we need to go back to the drawing board and develop something new. It’s not that difficult.

While I’m researching this area, I’d be interested to hear views on what approach, standards, advice and priorities might be most appropriate for implementing security in small companies. If we haven’t cracked this problem by the middle of this year I’ll be highly disappointed.