Securing the supply chain: the world after SolarWinds

10th e-Crime & Cybersecurity France
30 March 2021, Online


After almost a year of on-off COVID-lockdowns, CISOs could be excused for struggling with the challenge of maintaining security in a fluid, hybrid work environment. Simply keeping on top of the basics, like ransomware, is a full-time job. Just ask French IT services giant Sopra Steria. It just announced that a Ryuk ransomware attack has cost it between €40 million and €50 million.

But in addition to that, they are also scrambling to protect the ever-expanding attack surface that is being created by accelerated digitalization. Companies have no choice but to embrace e-channels across their businesses, and their customers and suppliers are doing the same. Securing these websites, apps, payment channels and customer interfaces is non-trivial and may require a rethink of security and development environments.

The IoT is also becoming a significant blip on CISOs' radars. More accurately thought of as a vast ecosystem of sensors, the IoT generates huge volumes of sensitive data from devices that were mostly not built with security in mind. Just tracking which devices are on your network is complicated. And if we return to office working, the smart buildings in which we work are full of potential security flaws.

Data privacy, of course, IoT-related or not, is critical. While many CISOs still believe privacy lies beyond their security remit, this distinction will become unsustainable. French firm Predicio recently found itself in the spotlight over its role in the secretive world of the collection and selling of mobile location and other personal data, a market that raises many questions about how companies protect personal data and how they define authorised and unauthorised data usage. Schrems II is just the beginning.

On top of all that, CISOs now have to grapple with the implications of SolarWinds. Third-party security was already one of the most difficult challenges CISOs faced. But SolarWinds shows that your own security vendors can be your weakest link. It shows that state actors may be your biggest risk. And it shows that third parties remain the most dangerous vector for committed cybercriminals.

So, what can CISOs do about third parties when digitalization, the IoT and remote work already stretch teams to the limit? How can security teams scale to the threatscape without demanding an unsustainable level of resources? And what are today’s security priorities?

  • Securing third parties and the supply chain

    • Ever since Target and their air-conditioning supplier, third parties have been the CISO’s Achilles’ heel.
    • Now, your vendors – including IT and cybersecurity solution providers – are the targets of sophisticated state actors. How do you secure your security?
    • What about other third parties? If cybersecurity experts can be compromised, what hope is there for the rest?
  • Performing critical security tasks remotely - how can CISOs regain control?

    • Employees for whom long-term, secure remote working processes hadn't been set up in advance will not just be outside centrally controlled endpoint protection processes, they'll be beyond any patching and update processes.
    • Many security tools depend on being on the local network. How can security teams manage the basics remotely?
    • Will remediation and reimaging capabilities work as intended in a remote environment? What updates are needed to incident response playbooks?
    • Most organisations have 'abandoned' their existing office environments - including all the devices within them. These need to be monitored and protected too. Can it be done remotely?
  • Getting the better of ransomware

    • Ransomware has come a long way from ‘spray and pray’ phishing emails and website popups
    • Today’s organised criminals want a better ROI, and to achieve it they’re using focused attacks and more sophisticated methods
    • Is better security the answer? Or just better backup and recovery solutions?
  • Maintaining the human firewall

    • With normal security measures compromised, employees are an even more critical frontline against cyberthreats - but they're stressed, and separated from coworkers they could ask about suspicious calls or emails.
    • What can cybersecurity teams do to help their colleagues protect themselves and the business?
    • Scammers are taking advantage of the situation - does email security need to be ramped up, even if it affects productivity? Are there other solutions?
  • Is there any defence against a determined state attacker?

    • Five years ago, most companies would have dismissed the possibility of state actors being interested in their firms
    • Even then, the scale of IP theft and espionage was in fact huge – but the SolarWinds hack reveals the severity of the problem
    • How can companies defend themselves, and what are their own states doing to help them?
  • Securing the customer - are your websites up to it?

    • The immediate need to move to online business channels creates a host of security and monitoring challenges
    • Are existing websites scalable to securely meet additional customer demands?
    • Do you rely too heavily on a single supplier? And what about the recent security changes to browsers such as Chrome which impact existing websites?
  • Stuck in the Cloud

    • Most companies have been forced to rely on Cloud-based apps and storage
    • So, they need visibility and controls, they need logs from providers to review for unauthorised access and data exfiltration, and they need to limit unauthorised access and services.
    • And what do their Cloud contracts say about force majeure?
  • How CISOs can deliver resilience

    • Forced, rapid digitalisation has revealed the fragmented nature of many security programmes - but fragmentation fails the business ecosystem
    • To protect the business while enabling innovation and flexibility means new models and approaches for cyber
    • Are automation and orchestration the answer?
  • Cloud Native and baked-in security

    • As companies ramp up digital business models it is crucial that they build security in from the start
    • Given the pace at which change is happening, this is a big ask – even before COVID-19 many companies prioritised speed over security
    • What can cybersecurity teams do to change this? Is this a CIO vs CISO battle?

Who attends

Job Titles

Directeur de mission
RSSI
Ingénieur SSI
PCI Manager
Chargé de mission
RSSI
I.T. Security Architect
Legal Counsel
Ingénieur de Production
Directeur Général
CISO/RSSI
Chargé de mission SSI
Chargé de Mission
Information Security Expert
Directeur informatique
RSSI
CISO
Responsable Sécurité
Responsable Support
RSSI
CISO
RSSI
RSSI
IT Security Architect
CISO - RSSI
Global Sécurité de Production
Cybersecurity Director
RSSI
IT Manager
Responsable Sécurité
Information Security Manager
RSSI
Expert Sécurité SI
RSSI
I.T. Security Officer
RSSI
Risk Manager
RSSI
Group Deputy CSO
RSSI
Cellule Anti Abus
Data Privacy & Security
Product manager
Information Security Officer
RSSI Groupe
Vice-Président
CISO
Manager, IT Advisory
RSSI
Industry Relations
RSSI / CISO
I.T. & Security Internal Auditor
Responsable de la gouvernance SSI
Responsable cellule e-fraude
CISO
Operations Manager
Risk Manager
Réseau SSI
RSSI
Group Information Security Officer
Chef de projet sécurité
Responsable du SOC
RSSI
Head Cyber and Tech
IT Security
RSSI
Head of software engineering
Group Information Security Officer
Head of Content Security
Investigateur
RSSI
Senior IT Security Consultant
Chef de Projets SOC
CISO
IT Manager
RSSI, Directeur IT
RSSI
RSSI
RSSI
Ingénieur
Head of Anti-Fraud
Head of Professional I & M
Expert Sécurité
Group IT Security Officer
Access Solution Service Manager
RSSI
Directeur Infogérance
Expert SSI
RSSI
RSSI
IT Project Manager
Responsable ADV & Logistique
Chef de projet Sécurité
Responsable Global Cyber Sécurité
SI Security Expert
Directeur de l'Innovation
RSSI-CIL
E-Payment Project Manager
RSSI
Directeur Sécurité
Directeur Sécurité du SI
Information Security & Risk
Expert Technique
Cellule e-Fraude
Business Security Officer
IT Auditor
Global CISO
RSSI-O
IT Security Officer
Group CISO
RSSI
Direction des Systèmes d'Information
IT Security Consultant
Chief Security Officer
RSSI
Architecte SI
Inspecteur, auditeur en SI
RSSI
RSSI/CISO & PMO
Directeur Risques et Sécurité
RSSI
M2M Partnership Manager
Project Manager
IT Security Consultant
Information Security Manager
CSO - Responsable Sécurité
RSSI
RSSI
CISO - RSSI
CISO
Cybercrime Director
Network & Security Engineer
Senior legal counsel
I.T. Senior Risk Advisor
Directeur
CISO
Directeur des Opérations
RSSI
Ingénieur sécurité réseau
Directeur programme SSI
RSSI
Chief Information Security Officer
Sécurité des Systèmes d'Information
IT Security Expert
Information Security Risk Manager
Security Manager
Police officer
Head of IT Infrastructure
Directeur cyber-défense
Lutte contre la Fraude
Group Security Officer
Product Manager
Sécurité Opérationnelle Internet
Trustee
RSSI
Network & Security Engineer
CSIRT
Equipe RSSI
RSSI
RSSI

Companies

SNCF
Camaïeu SA
CNES
Credit Mutuel
SNCF
Council of Europe
Air France-KLM
Crédit Agricole
CDC Arkhineo
SnapElite
Coface
UGAP
Préfecture de Police
BNP Paribas
FlightSafety
Neuflize OBC
Banque Privée 1818
GMX
Ministère de la Justice
BNP Paribas Wealth Management
AREVA
Prosodie
Euromaster
BNP Paribas
Viadeo
BNP Paribas
AXA
Armatis-LC
Euler Hermes
Groupe Beaumanoir
Sodexo
vivarte
Auchan
Groupama Asset Management
BNP Paribas
Éditions Gallimard
Université Paris Dauphine
Fondation de France
GDF SUEZ
Clarins Group
La Poste
GE Capital
LCL
Staples
BNP Paribas
EESTEL
Assistance Publique - Hôpitaux de Paris
Deloitte & Touche
Voyages-SNCF
La Poste
EQIOM
LCH Clearnet
Société Générale
Société Générale
Groupe Galeries Lafayette
La Française des Jeux
Vies De Paris
SNCF
Pari Mutuel Urbain
Air France-KLM
Arval
CNAMTS
Xerox
Swiss Re
STET
Veolia Eau
GMX
Mondial Assistance
Orange
GAPA Investigations Privées
AREVA
Total
CNAMTS
Groupe Pasteur Mutualité
NEVA GROUP
Assistance Publique - Hôpitaux de Paris
Université Paris Dauphine
La Banque Postale
Generali
Enterprise Holdings
Société Générale
Zurich Financial Services
Kering
ArcelorMittal
Sanofi-Aventis
Norauto
La Poste
Pari Mutuel Urbain
SnapElite
Ministère de l'Economie et des Finances
EDF Energy
SFR
Vente-privee.com
BNP Paribas
Société Générale
Monext
Promod
Parkeon
Institut National de l'audiovisuel
L'Oréal
Crédit Foncier
BNP Paribas
La Poste
Société Générale
Automatic Data Processing
Société Générale
Chanel
Boursorama
Delta Lloyd Group
Plastic Omnium
EuropCar
Aéroports de Paris
GDF SUEZ
Coface
Société Générale
Camaïeu SA
Banque de France
Mairie de Paris
Auchan
La Poste
Groupe Samse
SFR
La Poste
STET
Heineken
AXA
Banque de France
Partecis
Adisseo
Les Echos
Police Nationale
Publicis
Crédit Agricole
Chubb (ACE Group)
NEVA GROUP
Radio France
Orange
Humanis
Publicis
EDF Energy
Conseil Général de la Manche
DAHER
MMA
La Française des Jeux
Bombardier
Renault
Police Nationale
Société Générale
Faurecia
Société Générale
EDF Energy
Monext
HSBC
CLUSIF
Recylum
Kering
BNP Paribas
Boursorama
Sodexo
Monext

Industries

Transportation/Shipping
Retail
Central Government
Banking
Transportation/Shipping
Central Government
Transportation/Shipping
Banking
Security Product Vendor
Software
Insurance
Retail
National Law Enforcement
Banking
Aerospace/Defence
Banking
Banking
Software
Central Government
Banking
Construction
Banking
Retail
Banking
Media
Banking
Insurance
Telecommunications
Banking
Manufacturer
Travel/Leisure/Hospitality
Manufacturer
Retail
Banking
Banking
Media
Education
Charity
Oil/Gas
Pharmaceuticals
Transportation/Shipping
Industrial Engineering
Banking
Retail
Banking
Association
Healthcare Services
Accounting/Auditing
Travel/Leisure/Hospitality
Transportation/Shipping
Construction
Banking
Banking
Banking
Retail
Casinos/Gaming
Other Industry
Transportation/Shipping
Casinos/Gaming
Transportation/Shipping
Automobiles/Parts
Insurance
Electronic/Electrical Equipment
Insurance
Banking
Water/Sewage
Software
Insurance
Telecommunications
Consultancy
Construction
Oil/Gas
Insurance
Healthcare Services
Consultancy
Healthcare Services
Education
Banking
Insurance
Transportation/Shipping
Banking
Insurance
Retail
Industrial Engineering
Pharmaceuticals
Automobiles/Parts
Transportation/Shipping
Casinos/Gaming
Software
Central Government
Electricity
Retail
Retail
Banking
Banking
Banking
Retail
Electronic/Electrical Equipment
Media
Household/Personal Products
Banking
Banking
Transportation/Shipping
Banking
Software/Hardware
Banking
Retail
Banking
Insurance
Manufacturer
Automobiles/Parts
Transportation/Shipping
Oil/Gas
Insurance
Banking
Retail
Banking
Regional Government
Retail
Transportation/Shipping
Construction
Retail
Transportation/Shipping
Banking
Food/Beverage/Tobacco
Insurance
Banking
Banking
Food/Beverage/Tobacco
Media
Central Government
Media
Banking
Insurance
Consultancy
Media
Telecommunications
Banking
Media
Electricity
Regional Government
Aerospace/Defence
Banking
Casinos/Gaming
Manufacturer
Automobiles/Parts
Central Government
Banking
Automobiles/Parts
Banking
Electricity
Banking
Banking
Association
Other Industry
Retail
Banking
Banking
Travel/Leisure/Hospitality
Banking