Chronicle of Supply Chain Cybersecurity Summit Barcelona 2019
The title may seem pretentious, but several of the presentations during the 3rd Annual Third Party & Supply Chain Cyber Security Summit, which was held on 7 and 8 February in Barcelona, have shown the motivation that took Antonio Ramos a few years ago to create the referential of controls and methodology of qualification that gave origin to LEET Security.
Still young, this third edition has had more than 75 participants from 15 countries. With the presence of international companies such as Bank of America, BBC, IKEA, Freddie Mac, KPN, Galp or Swisscom, as well as Caixabank, Santander Group, Banco Sabadell or Amadeus; and LEET Security, which has participated as a sponsor, along with Bitsight, NormShield, One Trust and SIMS Recycling Solutions.
We were especially struck by the presentation of Marc van Kasteren, KPN's Senior Security Officer, whom we did not know, but whose presentation fits perfectly with our motivation. Having already suffered some bad experience, Marc told us that the typical ISO 27001 certification that many others demand from their suppliers, was not of any use to them, since it only proves that the entity has an information security management system , but it does not tell you anything about aspects as necessary as password policies, whether they use or not double factor, the application of patches or the management of vulnerabilities ... in short, something that LEET Security has been saying since our inception, and obviously, companies with more maturity in the risk management of suppliers know very well.
Two of the co-sponsors provide cybersecurity "rating" services. And the truth is that we liked participating with them, since our presentation clearly showed the differences between these evaluations, carried out from the outside based on the public IP addresses of the evaluated, and the LEET Security rating, which examines and evaluates from the inside the procedures and real security measures that are applied in the provision of the specific service, thus providing a real and objective vision of their level of security.
Our exposition was about a couple of use cases. The first is that of a large real estate company that owns a huge amount of assets, and that employs both self-assessment and rating to evaluate its entire supply chain. Understood in a broad sense, which includes both the providers of very different services, as well as the distribution channel formed by companies and small APIs, as well as call centers, which are dedicated to the sale of these real estate assets. The activity and the use of information that all of them do affects the security and business continuity of our client.
The possibility of requesting different levels of security, also differentiated by confidentiality, integrity and availability, as well as requiring either a rating verified by LEET Security for the most critical ones, or a responsible statement with the result of the self-evaluation to the least sensitive, confers our client a unique tool to monitor all of them, with a homogeneous scale that allows them to compare their results and propose the improvements required in the areas where they show some weakness.
The second case was the use that a provider of intermediation services for payments makes of the rating, accompanied by a SOC 2 report based on the controls of the AAA level, to accredit the implementation of the high framework of security measures that correspond to this level, in front of all its clients, also complemented with the mappings to standards such as NIST 800-53 and CCM, thus fulfilling the security requirements of all of them with a single audit process.
If you want us to send you the presentation, click on this link or scan the code below.
A large part of the attendees, with whom we had occasion to speak during the event, expressed their perception that the rating model proposed by LEET Security is the only one that really covers their supervision needs, which, as we say, go beyond of a security management system or the evaluation of the provider from abroad, and as a single entity, without being able to differentiate between the services offered, arriving at the conclusion with which we headed this article: if LEET Security did not exist, it would have to be invent it
For them, and for all: All you need is LEET.
To receive our communications click on this link
You can follow us on twitter.com/leet_security