I’m so excited to be available to small and medium businesses looking to implement #privacybydesign and #securitybydesign as one of many SMEs who can be leveraged through Zatik Security's fractional security model.
But #SMBs won’t be able to shift the insecure tech landscape *all* of us are operating in on their own.
As this year’s #DBIR (available at verizon.com/dbir) stated in its introduction of the #supplychain #interconnection metric on page 13, “calculated a supply chain interconnection influence in 15% of the breaches [they] saw... [representing a] 68% year-over-year growth.” Then on page 14, just as the Cybersecurity and Infrastructure Security Agency, 👑 Kymberlee Price, Joshua Corman, and countless others, including myself, have said: “As much as we can argue that the software developers are also victims when vulnerabilities are disclosed in their software (and sure, they are), the incentives might not be aligned properly for those developers to handle this seemingly interminable task [of remediating every vulnerability]. These quality control failures can disproportionately affect the customers who use this software... This metric ultimately represents a failure of community resilience and a recognition of how organizations depend on each other.” The writers go on to say, “We recommend that organizations start looking at ways of making better choices so as not to reward the weakest links in the chain... we believe the only way through is to find ways to hold repeat offenders accountable and reward resilient software and services with our business.”
The fact of the matter is, the only organizations capable of doing this across the supply chain are the Big Players (with BIG contracts) in highly regulated industries—especially Finance and Telecom—who can *both*
1) hire the talent required to really dig in to the evidence of their vendors’ security posture, and
2) then throw the weight of those BIG contracts around to incentivize substantive improvement.
Demand to see vulnerability scans. Demand to see FULL #pentest and #BCDR results, not whatever watered-down summary they’re going to offer you. You’re the only ones who can.
I sat on one side of that table (I wrote those summaries), and I’d *love* to sit on the other. If your company is serious about #supplychainsecurity, #securesoftwaredevelopment, and exceeding the minimum that is “compliant,” let’s talk.
I believe in building better. I know how to architect, implement, and communicate systems deserving of trust (and how to evaluate and determine systems undeserving of trust). The only way we can turn the tables on bad actors is together, by shifting all three points of the Technology Ecosystem Triangle—Supply, Demand, and Regulation/Oversight—together. So in the wise words of Bender, let's gooo alreaddayyyy. 😎