What We Must Do To Create Nationally Secure And Resilient Supply Chains
An Interview with David Leichner
The cascading logistical problems caused by the pandemic and the war in Eastern Europe have made securing a reliable supply chain a national imperative. In addition, severe cyberattacks like the highly publicized Colonial Pipeline attack have brought supply chain cybersecurity into the limelight. So what must manufacturers and policymakers do to ensure that we have secure and resilient supply chains? In this interview series, we are talking to business leaders who can share insights from their experiences about how we can address these challenges. As a part of this series, I had the pleasure of interviewing Tia Hopkins.
As eSentire’s Field CTO and Chief Cyber Risk Strategist, Tia Hopkins is focused on engaging with the cybersecurity community, providing thought leadership, supporting strategic customer and partner engagements, and working closely with the sales, marketing, product, engineering, and customer success teams to drive security outcome-focused initiatives. She has more than two decades of experience working in various IT and IT Security roles, with over ten of those years spent in the managed services space. Outside of her role at eSentire, Tia is an adjunct professor of Cybersecurity at Yeshiva University, a LinkedIn Learning instructor, and a writer, currently authoring her second book. She is also the Founder of Empow(H)er Cybersecurity, a non-profit organization aimed at inspiring and empowering women of color to pursue cybersecurity careers, as well as a women’s tackle football coach. Tia holds a B.Sc. in Information Technology and an M.Sc. in Information Security and Assurance. A lifelong learner, she is currently pursuing her PhD in Cybersecurity Leadership as well as her Executive MBA.
Tia was recognized by SC Media as an outstanding educator in 2019, and in 2020 she was named to The Software Report’s Top 25 Women Leaders in Cybersecurity and Cyber Defense Magazine’s Top 100 Women in Cybersecurity. In 2021, she was named a top global influencer in the Security Executives category by IFSEC Global, and this year was recognized by Dark Reading as #1 on the list of ‘8 More Women in Security You May Not Know, but Should.’
Tia contributed a chapter to the book The Rise of Cyber Women: Volume 2 in 2021 and co-authored ‘Hack the Cybersecurity Interview’ with Ken Underhill and Chris Foulon, which is currently available for pre-order.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
There are so many directions I could go with this one, but to set the stage a bit for how I became the security practitioner and technologist I am today, I’ll focus on my childhood from the perspective of my general curiosity and desire to understand how things worked — the mechanics and technology behind it all. My mother gave me my first computer at age 12, and instead of holding our landline hostage and immediately connecting to the internet, I took it apart. I was absolutely fascinated. My mom, on the other hand, was not amused. So, needless to say, at the age of 12, I also assembled my first computer.
As I got older, I was considered a “nerd” because I was interested in things that none of my peers were interested in, and I communicated in a way that most of my peers couldn’t relate to. I cared about math club and other academic after school activities instead of parties and having a social life. I also grew up in the south, and I didn’t have any mentors or examples of what a career in technology could look like. I was enrolled in honors and AP classes, and I was the only black person in all of them. This made me stick out like a sore thumb — too white for the black people, too black for the white people. It was a pretty interesting way to grow up.
Can you share the most interesting story that happened to you since you began your career?
I probably tell this same story every time I’m asked this question. Early in my career, I was upgrading the storage on an Exchange server for a financial institution. Part of the upgrade required that the RAID controller be replaced, which is basically the brain that tells the hard drives how to perform. Long story short, the server would not recognize the card. I called tech support and the technician advised me to delete the configuration of the current RAID controller and retry the install. Here’s where things get interesting. Not only did the new controller still not install, we could not rebuild the current controller, which meant the hard drives containing all the client emails were rendered useless. I consider this the biggest heart attack moment of my career. Not a failure, however, because it changed my life. The recovery process was absolutely horrible, but I learned a valuable lesson. ASK QUESTIONS. Especially if something doesn’t feel right. Don’t assume someone has all the answers simply because their title or where they’re employed says they should. These days, I’m quite inquisitive, to say the least.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
My three core values align with the letters in my first name, T-I-A: Transparency, Integrity, and Authenticity. I consider myself a servant-leader, and a transformational leader. It is my role to ensure my teams have the resources they need in order to be successful. It is also important to me that members of my teams feel empowered and comfortable with being innovative and creative. Diversity of thought is critical to an organization’s success, innovation capabilities, and ability to maintain a competitive advantage. I want my team members to feel valued and to fully understand their contributions to moving the company forward. My goal is to groom and coach them to be talented enough to have a successful career wherever they choose, but to foster a positive, inclusive, and encouraging environment that makes them choose to remain with my company and team.
Are you working on any exciting new projects now? How do you think that will help people?
I’ve always got something in the hopper! On a personal level, I am currently pursuing my Executive MBA and Doctorate degrees. Professionally, I recently co-authored my second book (Hack the Cybersecurity Interview), will be kicking off a third soon, and I recently launched a LinkedIn Learning course (“Building Your Cybersecurity Talent Pipeline”), which encourages security leaders to restructure their security teams to make room for more entry level or junior talent.
Professionally, I’m very excited about eSentire’s recently launched podcast, Cyber Talks, which delves into the world of the latest cyber threats that are impacting businesses globally. The first episode features an ‘Office Hours’ which answers questions from security leaders who are establishing their cybersecurity program strategy. I’m also actively involved in the security advisory council within the channel community and serving on the advisory board for The Channel Company’s inclusive leadership network.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. What does the term “supply chain” encompass?
The simplest definition I can come up with for ‘Supply Chain’ is everything involved in the production and sale or distribution of a product or service. This could include people, processes, technology, companies, etc. Essentially, it encompasses raw materials being supplied to a manufacturer, goods or services being sold to a consumer, and everything in between.
Can you help articulate what the weaknesses are in our current supply chain systems?
It feels strange to say, but the very nature of the third party relationships required in supply chain management and activity present the greatest weakness, in my opinion. It’s almost like we have to settle for less than best practices when entering into these relationships. For example, security leaders are tasked with being proactive, maintaining the highest level of visibility and control in their environments to balance security and functionality, as well as align with business objectives. Security leaders and their teams must also continue to manage risk, which from an internal perspective means identifying and minimizing the impact of organizational risk.
When a third party is introduced, organizations are placed in more of a reactive position, relying on attestations and details from the supplier regarding security posture, policies, etc. Visibility and control become drastically reduced, and the ability to mitigate risk on behalf of an external entity is certainly not common practice.
Can you help define what a nationally secure and resilient supply chain would look like?
This is a tough question, but I’m going to back into what will likely be a bit of an unconventional answer. The challenge with supply chain as it relates to security and resilience is that we don’t know what we don’t know — the same issue that keeps many security leaders up at night. It’s the variability, uncertainty, and unpredictability that exist within the supply chain that makes it such a challenging and complex problem to solve.
My question is, is it realistic to think that we can develop a nationally secure and resilient supply chain? Or is the reality that organizations should become more secure and resilient, ready for anything, to my earlier point? Let’s consider for a moment the real issue: Is our biggest concern the fact that supply chain attacks occur, or are we more concerned with the damage that occurs as a result of the attack?
I don’t think we’ll ever be free of supply chain attacks, but we can become more resilient, which will limit and eventually minimize the damage. Then the domino effect occurs: high risk, high level of effort, and low reward for attackers, making supply chain attacks less lucrative, less attractive, less targeted.
My particular expertise is in cybersecurity so I’m particularly passionate about this topic. Can you share some examples of recent and notable cyber attacks against our supply chain? Why do you think these attacks were so significant?
In February of this year, the Conti Ransomware Group — formerly known as Ryuk and one of the longest-running and most lethal ransomware groups out there — claimed that they had compromised international terminal operator SEA-Invest. The Belgium-based company, which operates terminals in 24 seaports across Europe and Africa, handles oil and gas, fruit and food, breakbulk, and dry bulk. The cyberattack against their IT networks critically disrupted services through the entire oil supply chain in areas of Europe and Africa.
What would you recommend for the government or for tech leaders to do to improve supply chain cybersecurity?
Leaders must improve organizational security in general. Again, there is a need to focus on resilience, which by definition (according to NIST) is, “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Create Nationally Secure And Resilient Supply Chains” and why?
I think adding a fifth step to the NIST definition of cyber resilience — “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources” — is the answer here.
Anticipate — Be proactive, control the controllables, address the ‘known knowns’ along with the ‘known unknowns.’
Withstand — Continuously improve detection and response capabilities, and outsource where it makes sense. Have a ‘ready for anything’ mentality, account for the unknown, and minimize the impact to the business. Not all risk can be avoided.
Recover — Continuously develop, test, and improve the incident response plan.
Adapt — Conduct post-mortem analyses to identify lessons learned and make appropriate people, process, and technology changes, updates and implementations.
EVOLVE — Security programs cannot remain static; they must continue to evolve, just as the threat landscape does.
Are there other ideas or considerations that should encourage us to reimagine our supply chain?
As an industry, we’ve done a pretty good job of reshaping our approach to cyber risk management and accepting the fact that prevention technologies are not enough. Today, more organizations are accepting the probability of a breach as a harsh reality and are placing more emphasis on detection capabilities. The challenge is that supply chain/vendor/third party risk can be a bit of a black box and often organizations are unaware of potential risk until it’s too late. For this reason, resilience should be the mindset or focus of internal security teams. At this point, prevention and detection capabilities should be considered best practices. Being able to respond and quickly recover helps organizations move toward the necessary, “ready for anything” mentality. Unfortunately, today it’s more of a “ready for what we know we need to be ready for” school of thought — which is dangerous.
Outsourcing security operations, although a bit of control is relinquished, can drastically improve an organization’s security posture and cyber resiliency, especially when considering challenges such as the cybersecurity skills gap and growing data problems (remote users, cloud, etc.), all compounded by the rapidly evolving threat landscape.
You are a person of great influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
One of my favorite mottos or philosophies is ‘don’t believe everything you think.’ When I say it to myself, it means a couple of things — don’t get too comfortable and constantly challenge myself and my self-imposed limitations. If I could inspire a movement, it would be for security leaders and practitioners to take a similar approach when managing their cybersecurity programs. Having a ‘this is the way we’ve always done it’ or ‘if it ain’t broke, don’t fix it’ mentality is incredibly dangerous when battling against a threat landscape that rapidly evolves. The reality is, today’s solutions may not solve tomorrow’s problems, so constantly challenging our way of thinking and evaluating whether we’re solving or prioritizing the right problems the right way can drastically improve an organization’s security posture.
This mindset influences far more than security program management. It applies to hiring and retention (structuring teams for talent new to the industry or from interesting and diverse backgrounds), education and training (real-world approaches to curriculum, more applied learning, etc.), and becoming more agile and flexible in general. Overall, I’d like to inspire a movement of innovative and transformational leaders willing to be first, willing to be wrong (fail fast and quickly adapt), and drive the positive change the industry needs as a whole. I played tackle football for 12 years, and my game only improved when I challenged myself to be better and pushed myself outside my comfort zone. The stakes are much higher in cybersecurity than in football, of course, but I believe the same logic applies.
How can our readers further follow your work online?
linkedin.com/in/tiahopkins, @yhopkins, tiahopkins.com
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Original Publication: Authority Magazine