Redefining CyberSecurity

Exploring the Future of Software Supply Chain Security | An RSA Conference 2024 Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

At RSA Conference 2024 in San Francisco, Cassie Crossley, VP of Supply Chain Security at Schneider Electric, and host Sean Martin sat down for a one-on-one conversation about the current state of software supply chain security: what it covers beyond the developer pipeline, how it connects to third-party risk and business resilience, and where AI-driven tooling is starting to help.

Episode Notes

Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]

On LinkedIn | https://www.linkedin.com/in/cassiecrossley/

On Twitter | https://twitter.com/Cassie_Crossley

On Mastodon | https://mastodon.social/@Cassie_Crossley

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

The discussion covered several aspects of cybersecurity, technology, and the evolving role of security professionals in addressing the challenges of the digital age.

The conversation kicked off with Sean Martin providing a warm welcome to the audience as he introduced the topic of software supply chain security. Cassie Crossley shared insights from her extensive experience in cybersecurity at Schneider Electric, emphasizing the critical importance of safeguarding product security and supply chain integrity.

Embracing Innovation and Resilience in Cybersecurity

The discussion dove into the concept of resilience in cybersecurity and the need for proactive risk management strategies. Crossley emphasized the importance of AI-driven decision-making for improving efficiency and reducing false positives in security operations, and pointed to machine learning and behavior analytics in SIEM and SOC tooling as areas where this is already making a difference.

Bridging the Gap between IT and Business Objectives

Crossley and Martin discussed the evolving role of security professionals in bridging the gap between technical cybersecurity measures and broader business objectives. They stressed the significance of aligning cybersecurity initiatives with the strategic goals of the organization, engaging enterprise risk management, and fostering communication between C-suite executives (CEO, COO, CIO and CISO) and security professionals.

Navigating the Complexities of Hardware Development and Cybersecurity

The conversation also touched on the complexities of hardware development and the distinct challenges of securing chips and boards compared with software. Crossley noted that software defense has to contend with a far larger number of attack paths and underscored the need for robust verification processes in hardware security.

Empowering Businesses with GRC Controls and Cybersecurity Best Practices

As the discussion progressed, Crossley shared practical insights from her book on software supply chain security, including the 78 GRC (governance, risk and compliance) controls it lays out that organizations can implement to improve their security posture and their work with suppliers. She highlighted the need for startups and companies to prioritize cybersecurity measures despite budget constraints.

Concluding Thoughts and Looking Towards the Future

In wrapping up the conversation, both speakers expressed optimism about the future of software supply chain security and the potential for innovation in AI-driven cybersecurity technologies. They encouraged businesses to prioritize cybersecurity education, resilience planning, and proactive risk management to stay ahead of emerging threats.

The engaging discussion between Cassie Crossley and Sean Martin at RSA Conference 2024 provided valuable insights into the evolving landscape of software supply chain security and the key challenges facing cybersecurity professionals. As organizations navigate the complexities of the digital age, proactive cybersecurity measures and a strategic alignment with business objectives are essential for safeguarding critical assets and maintaining a strong security posture.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS-B9eaPcHUVmy_lGrbIw9J

Be sure to share and subscribe!

____________________________

Resources

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Exploring the Future of Software Supply Chain Security | An RSA Conference 2024 Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Alright, we're rolling. And here we are, we are reporting live from RSA Conference. That's right. Here in San Francisco, I'm Sean Martin, and uh, you're very welcome to a new On Location episode. Uh, just myself, Marco's not with me, he's, he's back behind the scenes working on some things. 
 

I get to have a nice one on one chat with Cassie Crossley. Cassie, welcome.  
 

[00:00:26] Cassie Crossley: Thank you. Thank you for having me here in this wild crowd.  
 

[00:00:28] Sean Martin: I know, it is a wild crowd. It's a good day and I keep seeing faces walk by that I recognize. Yes. The hugs are countless at this point. Yeah, that's right. And, um, so you've been on the show before. 
 

We had a nice long chat about your book. Yes. Which is all about supply chain. We'll talk about that in a second. Um, so I encourage everybody to listen to that. Um, I'm interested to get your thoughts. I'm going to ask you to give us your perspective on what you're hearing, what you're seeing with respect to supply chain this week, and we'll get into that, but first a moment to share with the audience who Cassie is. 
 

What are you up to?  
 

[00:01:02] Cassie Crossley: All right. Well, um, I have been with Schneider Electric. We're a large multinational company headquartered in Paris, France. I've been with them for 14 years in various roles, and in the cybersecurity team for approximately nine years, both on the cyber side, but also the product security side. 
 

And, uh, I work with a lot of suppliers. We have over 54,000 suppliers. And, uh, large customers, critical infrastructure, all sorts. And so we're really focused on product security and supply chain security. So last year, I moved specifically into a role on supply chain security. Uh, which, uh, was right in line with the work that I was doing, uh, for secure development and software security. 
 

But also focusing a lot on hardware security, too.  
 

[00:01:49] Sean Martin: Because you didn't have enough going.  
 

[00:01:50] Cassie Crossley: I didn't have enough, yeah. There's still the  
 

[00:01:52] Sean Martin: hardware stuff in there too, which obviously is a big, big piece of what Schneider does. Yes. I'm actually going to kick it off with this question, because product security, supply chain, providers, and then there's third party risk. 
 

Yes. I'm just wondering what your view of these things are, because then there's open source, which is outside of that. Anything you might build, maybe, who knows, maybe you're building open source as well that you're sharing with the community. How do you view those parts? Because some are tech driven, some are risk driven, of course you have procurement involved, and then you have your, you're delivering stuff to the market as well. 
 

[00:02:36] Cassie Crossley: Yeah. Well, years ago, when people heard supply chain, they thought physical, right? And logistics and things like that. And then software supply chain became to sort of not known. And you can also use the word security directly as an overriding function, right? So you could be maybe created a business, or maybe creating a company that was just open source, and you were thinking about creating the install environment, and then maybe you have some sort of cutoff chain? 
 

Or can you build something that tests that, you know, can you test that, you know, that information and, you know, test it so that you can say, okay, the data is in the source, and and all of that. And I had actually worked with, uh, AppSec leaders, application security leaders, to create a digital book, and I said, I want to write about software supply chain security, and they were like, well, tell us about that, what is that? 
 

And I was like, well, you know, and I go into the background of all this and how key it is, that you're not only thinking about it from a developer mindset, but everything that you build into it. So there's even logistics, when you think about physical logistics. IoT products and OT products. There's a potential for integrity challenges and, you know, uh, how do you make sure it stays in the chain of custody, which we've dealt with in supply chain for years. 
 

But when it comes to software, the same kind of thing. And this was pre-SolarWinds, so I had recommended, I want to write this chapter. So by the time we released it, SolarWinds had happened and all of a sudden it became a big, you know, big thing that people started to recognize that term. And with the overall discussion, and now there's vendors that are doing this software supply chain security, not only on the cloud and DevSecOps side, but also at all parts of really the dev cycle, and I really try to promote. 
 

It's not just at that point. It's not a developer problem only. There can be, of course, situations like SolarWinds where somebody compromised that environment. Uh, but you also have to think about the people that are involved. You have to consider, um, all of your suppliers. We're seeing every day, you know, third party suppliers being hit, and that can compromise, uh, the pipeline, which is much bigger than just, uh, the dev centric, um, area. 
 

And so I really, I'm impressed with the growth that has been going around, uh, but it's still not enough. We don't, we're not providing transparency. They may not even know all their suppliers. We just saw an xz backdoor that was in open source, and that's happening more and more every day, they're ripe targets. 
 

And does the average developer, are we doing enough at other conferences and other places Right. To bring up this, uh, topic? So when I talk with procurement, they understand a little bit about cybersecurity, but I wrote the book so that they can understand the bigger picture. When we're assessing suppliers, we may only be assessing them. 
 

Do they have a CISO? But you really want to say, do you also use secure development and things like that in building all of that? And most of the time we're not asking those questions, or they don't even know how to assess if the answers are any good.  
 

[00:05:53] Sean Martin: Don't get me started on spreadsheets, Cassie.  
 

Um, I want to bring in the concept of corporate security as well. 
 

Because my perspective is that corporate security also has responsibility for product security, and not everybody does the third party risk and certainly the bigger supply chain view as well. Your view on that role, should some things kind of be separated out to really get a nice strong focus? 
 

Obviously the bigger the company, the more chance that happens, but what are your thoughts on that in general?  
 

[00:06:38] Cassie Crossley: Well, I think, uh, I think it's partially education. Um, when you're looking at, uh, when you're coming at it from one view, especially a lot of those in IT and network security, uh, they haven't been developers, they don't understand, um, what to consider, but also when they're actually looking at it, I think it's, some of it goes back to the old conversation, what we used to, you know, uh, talk about all the time, business continuity and disaster recovery, and that they understand that. 
 

Now a lot of people are, you know, using the term resilience, and they're not really, uh, addressing that when they're making decisions from a corporate security standpoint. They're looking a lot at the threats, but not at being proactive and looking at the risks up front, like, what happens if Microsoft Teams goes down? 
 

You know, you can't even run a war room on the fact that, you know, this might be compromised and, and you know, it's one of your key assets in the company and one of your crown jewels. So there's a lot more to discuss on the resilience level and it, it's not, you know, it's from a third party risk standpoint, it's, well, this could happen, while all of these things could happen, and how do you address it? 
 

Sometimes there's not a way to even be able to cover the resilience in that area. And that's where, from a cyber security, they need to be talking more with enterprise risk management and understanding the business. Uh, I'm still seeing a lot of companies not, you know, it's a separate, this is a technical discussion and that's not the case. 
 

You really have to know what's important to your business by understanding the risks, um, through the whole, um, business pipeline. And we, speaking of pipelines, we saw that with Colonial Pipeline, right? I mean, it was the same kind of thing. Look at the impact that it had. And so that's where Cyber needs to think more about expanding, because they understand threats and risk, but they're applying too much of a technical lens to it. 
 

[00:08:41] Sean Martin: Ah, I'm sad to hear that.  
 

[00:08:43] Cassie Crossley: It, yeah.  
 

[00:08:44] Sean Martin: Because I, all week, and even leading up to the conference as I've been chatting with folks, resilience has certainly been a common thread, and I had a sliver of hope. That, that meant we would look at things, the other thing I've heard is kind of the, probably everybody listening is like, you keep talking about this, but the CI role, CIO role, the CISO role, kind of coming together and the CIO kind of leading the charge with security, really, really coming to be part of that. 
 

Um, so it's encouraging that I, that I'm hearing that being spoken about. I'm not quite convinced that it's actually happening.  
 

[00:09:31] Cassie Crossley: Yeah, it's, it's really not. I mean, I come from a Six Sigma background also. And as that, you're really looking at the whole business process, so business process management. 
 

And even CIOs, being in that field, they're not always tuned in either to what's key. They know where the money is spent. But sometimes the money is not as high dollar, but yet it's one of the most critical functions in the company, and they don't realize it.  
 

[00:10:03] Sean Martin: Are we overthinking things? Or are we making it too complex? 
 

My view is, you have an IT system, it needs to stay up and running so the water stays clean, or the power stays on. That's reasonably, and see, what are the areas that can impact that? Security is one of those. Right. The systems, uh, denial of service, or the data is compromised, or a sensor is offline, or, it's availability and integrity, and confidentiality may be coming, but it's those two things, and I, I don't know, I think, I feel that when we start talking about security, we just blow it out of the water, and it becomes really complex, I don't know, what do you think? 
 

[00:10:47] Cassie Crossley: And there are other frameworks and things that are really, I would say, expanding it. Uh, when you're on a show floor like this, it's really more about the technical innovation, and we, that's where this overlap really needs to happen more and more, uh, from a business conversation. I think that overall, when you're looking at those and addressing those concerns that you have as a company, uh, this is, it's not just the CIO and the, uh, CISO conversation or anything. 
 

It's really the CEO and the COO. And so there's a lot of conversations in the CISO realm about how to talk to the board. And it's really more about the business capabilities. And that's where you get that CIO and CISO together. And it's really growing from a standpoint of how do I continue to support all the revenue pieces? 
 

And you know, what's my key driver, uh, on all of that? You should be able to, I know it's sort of, again, an older thought, but really tie all those objectives in. Um, and it's not about, well, how many people have endpoint protection or anything like that. It's, you know, what's the impact? And the estimated maximum loss, those are the kind of risks that you might want to think about if something happens in that event. 
 

And so I think that there's areas, I've been working a lot with them. Uh, different customers, even like I'm, I'm on the technical side, I'm working on the software bill of materials and all of that, but it's so that they have that visibility and they can make the risk decisions. I don't know if they have one or a thousand of those products, but they need, but they do. 
 

And so do they want to be able to, uh, prioritize, you know, this information so that they can address the risk. And that's where we need to bring this a lot more together so that they can. Everybody is aware of more of their footprint, and things are right now hidden behind the scenes, and we need to bring it more up front. 
 

[00:12:58] Sean Martin: Up front, I love it. What's um, let's check the time here. We um, what are you hearing here in relation to this kind of conversation? Do you, because I think if security could speak to the business, they could speak, not just risk, but to the availability. Safety is a big thing when you start looking at some of the critical infrastructure. 
 

We haven't touched on OT yet, really. Right, right. Um, what is, what is some of the conversation? I know you're, you're, you're able to have book signings.  
 

[00:13:37] Cassie Crossley: Yeah, yeah, I've got my book. 
 

[00:13:38] Sean Martin: I know, I love it. Do people comment on where they think things are heading? Are you inspired by something? Yes. Or worried by anything? 
 

[00:13:48] Cassie Crossley: Yeah, I mean, so I mean, this year a lot of conversation is on Gen AI, and I've been asked quite often on, uh, how it applies to software supply chain and those areas, and my response is, well, of course, people are going to leverage it for, you know, nefarious purposes, but we and the overall industry should be able to make better use of making quick decisions using AI driven decision making. 
 

I've seen in the, I've seen more than just in name only because we see it plastered everywhere.  
 

[00:14:25] Sean Martin: The plus AI.  
 

[00:14:26] Cassie Crossley: Right, right. But it's definitely starting to make a difference where it's decision making and uh, speeding up. You really want that efficiency. So any technologies that can drive efficiency and less false positives. 
 

Custom words are going to, I think, over the next two years be more proven out. And that's what I want to see. I don't think in this case, like we saw with blockchain or some other ones, I don't think it's exactly a buzzword. Because we've done machine learning, but with the capabilities now, um, you know, especially on the AI set, being able to have it learn your own business and And at least do some of the basics. 
 

We're seeing this a lot in SOCs.  
 

[00:15:13] Sean Martin: Do you have an example?  
 

[00:15:15] Cassie Crossley: Yeah, so in, um, uh, the, with SIEMs and SOCs and event management, um, they're able to, through proper training for your own businesses, because everybody's infrastructure is different, right? Right. They're able to better and more, and more quickly learn and adapt the events to be able to just say, you know, from a behavior analytics, which we used to hear about, it's still the same kind of process. 
 

System to say, okay, this one you can now set a policy. You know, where it actually suggests we recommend this policy to, uh, to be able to be accepted. Because every time you've done this, you know you've accepted it. There's no exceptions that you've done, so we're just gonna make it a standard policy on it, so you won't even have to consider it won't show up at all. 
 

So with events, same kind of thing. I mean, you get millions if you're a large corporation. Millions of events now on your event management system. So. Uh, groups like this are able to read more, you know, more quickly on what it is. And even just, you know, as simple as having a developer, uh, who's managing, or you know, in the DevSecOps or operations environment, uh, instead of everything having to be, you know, gone through a manual set of eyes, it quickly learns and can do that. 
 

Which, we've had it slowly where you have to do that, but now it's pretty quick and, uh, fairly dependable. I mean, you can do audit checks. So I'm seeing a lot of that that's going to increase the efficiency because we have to be as fast as, as those that are coming against us and striking. Yeah, so that's been a good conversation. 
 

And I talk a lot with application security folks, where we're using it to drive efficiencies. You know, right now a lot of like Copilot and some of the different tools are being able to generate code. And it still has as many vulnerabilities as if a human generated it. But over time, when you're training them, it's like training, you know, uh, Sue or John right next to you to be improved over time, like a university student up to, you know, now a senior developer, but also be able to give them feedback quicker. Like we've seen it over the years where it had to be hand coded to say, here's the reason why, but now there's ways to give them that immediate feedback as it's being developed, so, you know, it's called shifting left, but actually use AI technologies to be able to improve that. 
 

And as soon as we, you know, with all of that, get better at finding this common weakness, uh, common weaknesses, the CWEs, uh, and where the things are, we're gonna see like entire classes of vulnerabilities that it's gonna be able to detect like that. So I'm, I'm pretty hopeful.  
 

[00:17:57] Sean Martin: So let me, let me ask you this. 
 

[00:17:59] Cassie Crossley: Yeah.  
 

[00:18:00] Sean Martin: So I have a little bit of insight into some of the hardware Yes. Development of things. And if I'm not mistaken. Maybe it's not called AI, but there's certainly applications that are used to create chipboards and chips. So machines are kind of doing that stuff for us already, right? So it's not, it's not impossible to achieve it on the software side. 
 

Right. So, I don't know, what are your thoughts there?  
 

[00:18:25] Cassie Crossley: Well, um, on the software side, there's so many nuances, right? Uh, when you're doing something at the hardware level or the chip level, you know, there's You've got the con, the concept of, you know, this reactivity or so, there's, there's physics and science and all of that behind it. 
 

Cybersecurity, you know, it's like trying to defend against a thousand attackers within one millisecond. Like there's so many different ways that somebody's coming at you. And so overall, uh, we're, you know, on the hardware side, there's definitely improvements being done. And, and we're seeing that in various areas. 
 

Uh, uh, oh, yeah, right. You already know you can use this tool with cya. You try really hard on some hardware that the industry, um, is very similar. When the product develops, you can use the ChatGPT projects. But there's a lot of behind the scenes rhythm to be able to verify those hardware, um, pieces. So yeah, there's gonna be a lot of improvements on that side too. 
 

[00:19:35] Sean Martin: I love it. Yeah. I love it. So I wanna give you a moment.  
 

[00:19:38] Cassie Crossley: Uh, yeah.  
 

[00:19:40] Sean Martin: Software supply chain security.  
 

[00:19:41] Cassie Crossley: Right.  
 

[00:19:42] Sean Martin: I loved our chat. Um, maybe a quick word to the audience, some of the feedback you've received this week. I know you've connected with a lot of people.  
 

[00:19:50] Cassie Crossley: Yeah.  
 

[00:19:51] Sean Martin: Um, what, what are you, what are you getting here? 
 

[00:19:53] Cassie Crossley: Well, uh, I think that those of us, especially that, um, come from a, I've met a lot of security engineers and those on the development side, and they're really excited to see that software supply chain security, uh, unfortunately for reasons, you know, like SolarWinds, but it's finally getting attention, uh, because those of us that are developers, we, we wanted to be able to spend the time on this kind of activity. And in fact, Microsoft just announced that they were going to refocus and put security first and, you know, ahead of maybe feature sets. That's going to be a big talk. 
 

So I've been hearing a lot about that. In regards to the book, um, I work a lot with startups and other companies and they, you know, they can't spend millions of dollars on security training programs or implement sophisticated GRC (governance, risk and compliance) controls. And I give 78 controls in the book, like, here's what you should focus on. 
 

This is what's important. Um, this is, you know, how you should work with suppliers. So I tried to put it all in here so that, you know, I, a lot of people, I've been using it for reference. I, I look at it now for a reference to say, oh, you know, let me go back and see, see exactly how I explain that piece. So I, I am getting a lot of positive feedback. 
 

I love it. It's been a lot of fun.  
 

[00:21:16] Sean Martin: I love it. I, I had Pat on the show once and she said something, I, I think I asked, why did you write the book? And she says, because I have so much here, I want to first get it done on paper. And I can't have that conversation over and over and over. That's right. I needed to scale it. 
 

Here it is.  
 

[00:21:33] Cassie Crossley: Yep.  
 

[00:21:34] Sean Martin: Everybody enjoy.  
 

[00:21:35] Cassie Crossley: Yeah.  
 

[00:21:36] Sean Martin: So, well, congratulations on that. And I really appreciate you taking the time to chat with us here today. Um, Cassie Crossley. Thank you all. Um, oh, he wants you to show the book. Alright. Please show the book. There we go. for that. Producer. And, uh, seriously, thank you so much. 
 

Um, I hope you have a great rest of the show. And thanks everybody for joining us here on location at RSA Conference with ITSP Magazine. I'm Sean Martin. We'll see you around.  
 

[00:22:06] Author: Great. Thank you. Excellent. Thank you. Thank you.