Hello, I'm Steve Nunn, President and CEO of the Open Group. Welcome to Toolkit Tuesday, where we highlight the various components and leading experts of the Architects Toolkit, a collated portfolio of the most pertinent technology standards for enterprise architects. During the series, I'll be calling on a number of recognised experts who will bring their particular insights on how to most effectively use the various tools in the Architects Toolkit. We'll have a mix of interviews, panel sessions and pre-recorded presentations along the way. While all standards of the Open Group are designed so they can be adopted independently of one another, the greatest value for an organisation can be derived when they're used in unison. The sum of the parts should be greater than the whole. In the Architects Toolkit, we have collated a portfolio of the most pertinent ones for architects, together, all in one place. For most of these tools, certification from the Open Group is also available, so practitioners can demonstrate that they have the skills required and recruiters can take the guesswork out of the recruitment process, all backed up by our Open Badges programme.

Architect-Attrition. I've worked many sides of the table as an architect: end user, supplier, partner, client advisor, and somewhere in between. Many times I've witnessed Architect-Attrition. That situation when, let's say, we have a project meeting and one architect from one organisation challenges another architect from a different organisation with their prowess, their knowledge of technology, their ability to solve the problem, and offers, in their opinion, a better way or better solution. The two architects become like headbutting goats, attacking each other head first. It's a glorious display for the onlooker, but it's mutually destructive to the participants and to what they're trying to do.
So, like Sun Tzu says in The Art of War, let your enemies attack each other until they're weak, and then you can swoop in and win the day. My point is, Architect-Attrition is bad for us architects, and non-techy foes lie in wait.

Welcome, everybody, to Toolkit Tuesday. Can you believe it's the 14th one of these that we've done today? Great to have you with us today. Thanks to Paul Homan of IBM for the latest in his EA minutes. A great tip there, and I can certainly resonate with the butting heads. I've seen it many times. Smart advice: wait for that to happen and then swoop in when everyone's ready to listen. Great advice. As I said, welcome to Toolkit Tuesday. Glad you have chosen to spend some of your day with us today, and I hope wherever you are in the world you are safe and well. Our thoughts right now are obviously with the people of Ukraine, and we just hope and pray that this will be over as soon as possible. It's terrible what's going on. But we have to proceed with life and with our Toolkit Tuesday. Some of you will be regulars and know this, so forgive me, but the way that we would like you to ask questions of our speaker today is through the Q&A channel, not the chat channel. If you can't see the Q&A channel, click the three dots in the bottom right-hand corner of your screen and you will see an option to click on Q&A. That's how you should address questions, please; that's the way I will see them. In the chat channel, please chat amongst yourselves. We love to hear where people are joining us from today and anything else that you want to communicate with your fellow attendees on this episode. I had a quick look at the attendees before coming on, and a shout-out to Tony Carrato, probably there in New Mexico. Good to see you on, Tony. And welcome to you and everybody. Let's get going without further ado. Our topic today is actionable supply chain security. Actionable being the keyword.
And I love things that actually tell us how to go about doing things: suggestions for how to do things, potential solutions rather than just problems. So I'm delighted to be able to introduce my colleague, Mr. Andras Szakal, Vice President and Chief Technology Officer for the Open Group. Andras is a recognized expert on supply chain security, cloud architecture and cybersecurity. He's widely recognized as the driving force behind ISO/IEC 20243, better known as the Open Trusted Technology Provider Standard, or O-TTPS, in the Open Group world. He's also known for his tireless work to establish recognized professional credentials for technology professionals through the creation of the Open Group Open Professions Framework. Andras has achieved professional certifications in security (CSSLP), solutions architecture (Distinguished Certified Architect) and supply chain security (Master Certified CTTP). So we're in great hands today. Andras, welcome, a warm welcome from the Open Group Toolkit Tuesday crew. And I'll turn it over to you, sir.

Well, thank you very much. Well, Steve, as we know, the pandemic continues to have a significant impact on the global supply chain. And now, coupled with the unfortunate situation in Europe, we'll definitely see and experience long-term commodity-level disruption. My prediction is that these supply chain disruptions will actually result in new partnerships and practices that will refactor the global supply chain. We're going to see a lot of changes. And we know that when the supply chain becomes disrupted, it opens up the opportunity for malicious actors and threats. So our focus today is really real, actionable tips for folks like CISOs, CTOs and CIOs who are responsible for managing their technology supply chain security.
And these tips are based both on my experience working to establish guidance and international standards and, from a practical point of view, on my role as the Open Group's executive responsible for our own internal vendor management, both as a consumer and a supplier, and for our technology security and implementation. So you're going to hear me talk about risk management and risk frameworks, because this is really a threat-based problem. You need to understand what the threats are. We've talked a lot about this in the past; you can go look it up. But you have to have a risk management regime in place, and governance, in order to actually mitigate these risks. And you can't just simply ask the vendor a bunch of questions and expect those to translate into mitigations. Technology, and the services that support it, are sourced globally, and that is not going to change in the near term for sure. Consumers certainly rely on those suppliers that are operating globally and sourced from the global supply chain. And all of these suppliers and vendors are integrated into our critical infrastructure, government systems and commercial solutions. We really have to understand those security threats, which are, you know, maliciously tainted products, counterfeit products, and those overlapping cyber threats. You don't want another SolarWinds, right? And you do need to protect the PII and the IP, but these are different protections that you need to put in place, including protecting against potential insider threats and obsolescence and so on and so forth. So learn the risk mitigation elements of this problem. I'm sure that folks don't want to say it's complicated; it is intricate, let's just say that, right? So supply chain security and the SCRM landscape is a little complex to understand and get your arms around.
And a lot of organizations seem to be really trying to embrace the idea of managing a secure supply chain. That really means managing vendors and understanding their approach to a secure supply chain. And so this comes from the QBL guidance, which you can click into and access when you get the presentation materials at the end, but you can also just Google it online. There's lots of guidance out there that should be used. You shouldn't be coming up with your own stuff so much, because the industry needs to come together instead of being disaggregated and going off and being one-offs. It is very, shall I say, interdependent, depending on how you actually perceive your place in the supply chain: you're a provider, you're a consumer, you're a reseller, you're an integrator. All of these different entities are interrelated, and you need to understand those relationships in your risk management approach. So how are organizations responding? They're understanding the SCRM standards landscape, what's available out there. They're trying to understand supply chain security in general. They're coming up with their own kind of bespoke implementations in some cases. They're developing supplier risk management frameworks, which is a really good thing. And they're obtaining industry certifications, which is even better and certainly an area that we focus on. And then lastly, these bespoke custom vendor acquisition surveys are certainly not something that I see quite a bit, and an element of tip and risk in and of itself that we'll be talking about as we go on. So vendors are creating their own point of view on what questions to ask suppliers and partners as they go through this process. And that's become a little bit of a challenge for all of us. So, some tips for understanding SCRM: it's not the same as cybersecurity.
Don't let your cybersecurity folks conflate cybersecurity and SCRM. The two are different. Although there is overlap, you have to have security in place to protect some of the assets in your supply chain landscape. That's absolutely 100% true. Certainly in the development phases, you need to have cybersecurity in place as well. But cybersecurity is not SCRM. They're different but interrelated. Leverage those standards like ISO 20243. There's lots of guidance out here. This is actually from the CISA Qualified Bidders List again. And if you notice, they're saying, hey, go out there and use O-TTPS, ISO 20243, along with all of the other NIST guidance, FedRAMP, ISO/IEC 27000, SOC 2. These are all great resources for understanding supply chain risk and establishing the proper risk management practices. Try and use these things, because we've spent over 10 years creating them. Look at, and reference, the US DHS CISA supply chain security toolkit. There's some similar stuff from the European Union that I've got referenced in the back, but this is actually really good material, because it helps with both small businesses and large businesses, and they've got a different perspective for each. And we've been participating in the harmonization of these efforts from the Open Group, on the task force. So this is something we're very proud of. And use a framework, a formal framework for risk management like Open FAIR. I see a ton of folks in the federal space here in the US using FAIR, so I know it's being used. I see sometimes the terminology being cast in a new light, but that's okay. As they say, imitation is the best form of flattery. But look, risk governance and organizational oversight really goes all the way down to this formal risk management process where you're understanding the impact of risk.
You're able to identify it and analyze it quantitatively, evaluate what protections are going to go in place, then put those mitigations out there and then monitor the risk. And that's true with supply chain security as well. The other thing is, definitely conduct 3PAO certification assessments. NASA has embraced ISO 20243, and we have quite a few vendors in the hopper. It continues to grow at a really logarithmic pace as vendors try to really understand how to approach supply chain risk management. And C8 and others have some really great stories to tell about their journey and how it's helped them. So leverage those; some of that stuff is already online. And then participate in industry work groups and forums. This is a great way to get your basic understanding of what some of the challenges are, and do like I do: facilitate the reverse feedback. So we're seeing a lot of these vendor SCRM surveys. I'd say resist the urge to create surveys from scratch. Leverage some of what's been out there and done already. Otherwise you may be capturing some of the things that you are personally interested in, but that don't really help you mitigate and make decisions with respect to suppliers. Leverage those existing conformance criteria that are in some of the standards like O-TTPS. Here's a big one: ask binary questions. Do you have a risk management program in place for supply chain? Do you protect PII? All of these things, binary questions. Yes or no. And if the answer is no, you can certainly follow back up with them. These are legally binding surveys in many ways, so you don't have to make this a writing exercise. And please, please do not ask open-ended questions where it becomes a creative writing exercise. I have no idea what people do when they get that. I mean, are they like weighing it? Hmm, the prose. I love that. This author really knows what they're talking about, right?
No, I don't think that really helps you at all. It might make you feel better. It might make you feel like you're kind of putting pain on the vendor, but it doesn't really actually mitigate the risk. And the other thing is that a lot of us are small to medium businesses, so we don't have the time and the resources to sit around and do that kind of stuff. This has really been recognized by CISA and DHS in the U.S. federal government space, and they've created an SMB point of view on this. We are sitting on the task force and the work groups and have contributed to this. This is a great set of materials that I would suggest that you leverage. Please do not ask for confidential information or internal documents as proof. No, you may not have them. Not now, not ever. And nobody gets those. I've seen this in the companies that I previously worked for, and I've seen this recently. I don't really quite understand why you would ask for a document that is confidential. One of the things that I have seen is that a vendor said, no, we have to have this or we're not going to do business with you. And then, fine, what ends up happening is that the lawyers get involved and they define basically the cost back to the requester in a monetary value. They're saying that if you get hacked and this gets released into the wild, you owe us a million dollars, right? And then what happens is it comes full circle and it goes back up the chain to the other company, and they're like, yeah, no, we don't really need to do that. So don't ask for system security plans, supply chain security assessments, security assessments of any type, reviews, or proof of background checks, which I've seen before too. There are global laws that all differ in the case of background checks. Just don't ask for that. It's just not useful. You can ask if I actually have one. You can ask if we do background checks. Those are proper questions. Those are part of the templates.
And make those questions actionable, and determined based on data that will lead your organization to a clear decision, please. So, some tips on standards compliance, because there is a growing number of standards out there. Don't conflate security and supply chain security. The two are not the same. Cybersecurity and supply chain security are not equivalent. You can actually separate them and treat them differently. But supply chain security does have some hooks into cybersecurity. Conduct an internal assessment with a 3PAO. This has really been determined to be invaluable in helping many companies understand what it means to protect the supply chain and what the risks are. It also becomes a forcing function internally for people to actually really do the risk mitigation piece. Use a formal security compliance assessment framework like FAIR, like Open FAIR. That's really important, because if you're just making your own up, you're once again not leveraging what has been quantitatively assessed by all sorts of people in academia and industry. And mitigate risk by applying compensating controls; controls don't apply outside of understanding the risk. Technology architecture does matter, and it does dictate security controls. So you can't ask me if I do all of 800-53, because the answer is no, because my architecture is such that I mitigate these risks in these ways. So asking for specific security controls really is the wrong approach again. We've talked a little bit about this in the past. The SCRM certification journey is one that needs to be formally defined in any organization.
It starts with reflection: understanding what the standards are, understanding what the conformance criteria are, getting some consulting, doing an assessment, preparing for a third-party assessment or a self-assessment that's done by different folks in your organization by organizing the material and evaluating your level of compliance and what needs to change programmatically from a business process point of view. And then properly applying the scope and support as you execute over a period of time. And, look, shameless plug for ISO 20243: these are really valuable documents and certifications that can help you overcome some of these challenges as we move forward in the global supply chain. And if you want to, and I would invite you to, here's a place to learn, engage and adopt, additionally from the Open Group perspective. I promised some resources. These are all out there and easily Googleable, searchable, all the way down from the CISA ICT supply chain risk management toolkit to the ENISA (EU) guidance on understanding the risk of supply chain security and their attacks, and the UK supply chain security guidance, all really good materials, all really very much based on the same thing. They all end up in the same meetings; I've been there with them. Lastly, the one that I really want to point out is that we need to grow our professionalism in this, and I would really invite folks to become Open CTTP certified professionals. And that's it, Steve. Those are the tips, and I guarantee you that if folks were actually able to internalize some of these tips, it would certainly make my job easier.

Yeah, well, I was actually going to come to that, and the first question has come in, but thank you, Andras, for that whistle-stop tour and some practical tips on the topic.
So as you said at the beginning, this comes not just from the work you've done in the industry, but from implementing our approach to supply chain security and cybersecurity here at the Open Group. So is there anything that you've particularly learned in the latter case, of trying to implement our policies and respond to the kind of surveys that we get from some of our customers and suppliers?

Yeah. It's been an interesting last year and a half, and I say interesting because I get to change the role from being a CTO in a large company and participating from the technology manufacturing point of view to being a supplier again, but from a different point of view, and also, thank you for giving me the opportunity, to being the person who is building out our technology implementation and is responsible for the suppliers. Supplier management is a full-time job for most folks in the CIO and CTO organization, because those folks are so intertwined with your implementation. So, yeah, it's coming directly from our experience with managing our suppliers and receiving a copious number of vendor surveys that are now necessary to conduct business with our membership and with the folks that are using our services. We're getting to see firsthand just how many different companies may ask the same question in different ways, and in some cases the wrong questions, or even ask for confidential IP that really will not help them in their assessment in reality. It puts them in a risky position where, if they were to lose control of those assets, that could be a problem for them and us at the same time.

Yeah, absolutely. And it's, you know, some of these questions that come in, it's a...
I know it's a question of having to have the right boxes checked, and when they're not, the kind of response that you referred to was, okay, well, we're not going to do business with you. Now, that would be kind of scary, particularly for a small organization, for example, that can't afford to lose a customer like that, but at the same time doesn't want to disclose confidential details and things that it shouldn't have to disclose. So, you mentioned getting lawyers involved there. Is there any suggestion for maybe a smaller organization without the resources to bring in the big legal guns?

So, I do think putting a price tag on those assets if they're lost is important. Right. Look, at the end of the day, I'm going to be very transparent here and say that I have never actually been in a situation, in a large company or a small company, where the company asking for this information has decided not to do business with us. That just doesn't happen, right? And I've had it happen to me as well, where I'm asking for certain information that seems to cross the line for that vendor and I don't get it, but I can always ask binary questions, I can always ask for meetings where I can ask pointed questions, and I can always put T's and C's in the contracts that put penalties in place in the case of a cyber supply chain event that is my responsibility, right? Or their responsibility, in that case. So, yeah, there are definitely some things you can do that don't require you to actually take the risk of getting all sorts of other sensitive IP from your suppliers or vendors.

That's good advice, thanks. So, we're nearly out of time, but let's make it more general. You talked about some of the standards and best practices, standards and certifications. What are the kind of significant challenges that you see organizations face in trying to adopt those?

Expertise. Right.
Yeah, it really comes down to expertise. This is a new science, and most people haven't spent the last 15 years of their life working on guidance and standards. So I would say look to CISA, look to ENISA, look to the UK supply chain team, look to the Open Group, learn from the conformance criteria that are defined in standards like ISO 20243, because, with a lack of organizational expertise, it really becomes difficult to properly articulate and defend an organization's selections and applications of controls. So you have to build your expertise, because if you don't, then you really have no way of applying your risk management framework, you have no way of putting the right mitigations in place, and you have no way really of understanding the implications of why you're asking these questions in these vendor acquisition surveys.

Right. Yeah, no, absolutely. So to anyone either attending this live now or watching it later, if you're interested in this field, there's an opportunity there. From what you're saying, there's a shortage of expertise, there are certifications available, and there's a real opportunity to become one of the experts.

That's right.

That's great to hear. Thank you very much. We've got to leave it there to respect people's time, including yours. So thank you for joining us and sharing your insights. A question came in: yes, this presentation will be made available, and if you're registered, which you clearly are if you're attending this, then you'll be notified when that's available and you can go and watch it all over again. Those of you who registered and weren't able to make it will get the chance to see it. So thanks once again, Andras. Thank you. And thank you to everyone for joining us. Don't go just yet, just a quick plug for our next Toolkit Tuesday, which will be in two weeks' time, March 22nd.
We will be cycling back a little on some of that. We've covered a lot of topics over the last 14 episodes, and we have questions coming in, and we try and keep these things as close to 30 minutes as we can. We don't always get the chance to go through and answer the questions that we get. So we're going to cycle back on some of those questions and get answers from the people that presented at the time, either live or they'll supply us with those answers. So join us in two weeks. We may even see some of those people back. We'll do our best to go through those questions, and if you have questions from today and you didn't get a chance to ask, then let us know or join then and we might be able to get those answered too. So thank you for joining us. Be safe and well wherever you are, and join us next time, in two weeks, March 22nd. Thank you for joining Toolkit Tuesday. Bye for now.