At an Oct. 26 event hosted by the Atlantic Council, government and private sector experts discussed the extent to which zero trust cybersecurity principles should be applied to the larger issue of achieving better supply chain security.
Virginia Wright, Program Manager at the Department of Energy’s Idaho National Lab Institute, spoke about how organizations implement zero trust security architectures and how to identify the scope of implementation for mission success.
“We can start the journey to zero trust very easily, but quickly, it tips over and becomes more difficult,” Wright said. “So I think, like any complication, we have to figure out what part of the problem we want to solve.”
“It’s very important to take advantage of this idea … I don’t have to apply zero trust to everything at once,” she said.
Danielle Jablanski, non-resident senior fellow at the Atlantic Council and OT cybersecurity strategist at Nozomi Networks, talked about how organizations should try to define goals for how much security they’re looking for, without overstating rules with zero trust and other cybersecurity measures.
“I think the biggest issue for supply chain risk management is where to end up, [and] what does enough look like,” she said. “We don’t want the government to be overly prescriptive about governance rules and standards, but we want to understand how to do these things.”
Bryson Bort, nonresident fellow at the Atlantic Council and CEO of Scythe, discussed the need for vulnerability management in supply chain security, especially on the procurement side of the equation.
“Vulnerability management is a big, core part of procurement,” he said. “What are the vulnerability communication requirements from your vendors? What are the expectations? [And] how do you receive that communication for that?” he asked.