When companies buy software, they tend to assume it’s secure – but they shouldn’t. Vulnerabilities in the digital supply chain are the shared responsibility of developers, vendors, and customers, but right now cybersecurity isn’t a priority for any of them. Two key miscalculations are bound up in this: first, that cybersecurity does not directly contribute to revenue, and second, that cybersecurity is a feature that can easily be added on later in the project as necessary. Leaders can address this by making security a selling (or buying) point, using security to motivate developers, teaching their developers about security risks, and helping vendors prioritize security.
When companies buy digital products, they expect them to be secure. In most cases, they don’t test for vulnerabilities down the digital supply chain – and don’t even have adequate processes or tools to do so. Hackers have taken note, and incidents of supply chain cyber-attacks, which exploit weaknesses within the digital supply chain to break into organizations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but ratchet up the visibility of these threats to top executives who want to know their offerings are secure.
Leaders need new ways to reduce supply chain cybersecurity risks, whether they’re buying digital products or producing them.
Supply chain vulnerabilities have led to some of the most dramatic cyber attacks in recent years. During the NotPetya cyberattack in 2017, power plants, banks, metro systems, and the world’s largest container shipping company were just some of the victims of malware delivered through the update mechanism of an accounting software package (M.E.Doc) commonly used by companies doing business in Ukraine. The malware then spread to other systems on each victim’s network and rendered them unusable. More recently, in the SolarWinds compromise disclosed in December 2020, attackers inserted malicious code into the vendor’s software build process, so the tampered updates carried the vendor’s legitimate code signature and reached customers through the normal update channel. In both of these instances (and many more), attackers abused the trust customers place in the way suppliers deliver software and connect to their systems, and set up back doors that could later be used to steal IP or financial information, or to install malware that would propagate throughout customer systems.
Often, company culture is a driving force behind vulnerabilities. If you think that you’re not at risk for this kind of attack because your company doesn’t have information or connections hackers could exploit, your vendors have assured you that their systems are secure, your customers have validated that your systems are acceptable, or you haven’t discovered vulnerabilities, you are exactly the target hackers seek when they perpetrate the next attack. Understanding how your supply chain might be a target is step one, and building processes and a mindset to protect and defend your supply chain is step two.
Our work on building a culture of cybersecurity offers companies a model for how to develop cybersecure products. Most recently, we studied three large, well-known global companies, looking at both the cybersecurity culture of their product development teams and the management of the security of their digital supply chain. We asked how, as suppliers, they come to understand the cybersecurity needs of their customers, and how, as customers, they manage the risks that come from third-party suppliers. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed – and that they’re often taking cues from the top.
Cybersecurity Isn’t Given Priority
Every manager and developer interviewed said that cybersecurity was important and should be designed into products – customers expected it and suppliers felt they should provide it. Even so, neither side took adequate steps to achieve this. That’s because products are usually purchased for the value-added features they provide, not because they are secure.
There are two key miscalculations that are bound up in this outlook: first, that cybersecurity does not directly contribute to revenue and second, that cybersecurity is a feature that can easily be added on later in the project as necessary. In practice, both mean that cybersecurity is prioritized below other revenue-generating features and likely added on later in the product development process as vulnerabilities are uncovered through testing, or worse, by customers when the offerings make it to the marketplace.
Lackluster Cybersecurity Can Hurt Your Revenue
Some executives we spoke with believe that customers will not pay extra for cybersecurity, despite recognizing its importance. They compared this to the tires on a newly purchased car: Everyone expects a car to come with tires and they don’t expect to pay extra because it has tires. As a result, companies prioritize selling points, such as feature sets and speed-to-market, which are perceived to create value for customers, leaving security as a secondary consideration. In fact, the designers in our study – themselves customers of the tools and libraries they use in their product designs – prioritized functionality ahead of security in the components they used.
However, we are seeing evidence that customers are starting to realize cybersecurity is not always guaranteed – and they’re increasingly making it a priority. Failing to meet expectations can hurt your bottom line: As one company we studied discovered, insufficient cybersecurity in the digital offering shuts down conversations with customers.
Corporate customers are starting to more thoroughly vet their software purchases. Some explicitly ask for cybersecurity in the offerings they purchase, requesting proof that the supply chain used to create these purchases has also prioritized security or insisting that vendors fill out complicated security questionnaires. Others include independent security testing as part of their acceptance process. For clients such as critical infrastructure organizations, the military, and financial services, validating the cybersecurity of offerings is already a de facto standard. Even for offerings with unique market-desirable features, beefing up cybersecurity before adoption is often required. In fact, cybersecurity is increasingly built into contracts to hold suppliers accountable for the cybersecurity risks of their products and, by extension, the supply chain used to create those products.
In other words, while functionality still sells products, lax security is quickly becoming a non-starter.
Cybersecurity Isn’t Easy To Add On Later
Despite lip service to security, many software development processes do not prioritize security at the conception stage. Instead, security is considered when vulnerabilities are discovered, and that can be costly. A more troubling approach shared with us was that leaders sometimes felt they needed to get a product out fast, even if it was vulnerable, to remain viable in the market. They decided to release offerings with known security issues, or with temporary fixes and workarounds, to get the product to market. They judged the risk of the vulnerability being exploited to be low, but the cost of fixing it later can be very high. While this might be a way to meet a market timing opportunity, it leaves customers, and their customers in turn, managing a vulnerability in their supply chain.
But cybersecurity as an afterthought is neither easy nor cheap. In the cases we studied, it was usually expensive, when it was possible at all, to retrofit cybersecurity into offerings: it introduced additional expense, delays, and in some cases complete redesigns. One manager described finding a vulnerability and then having to rework the entire offering. There was no simple fix, and once the new design was completed, the offering was no longer economically feasible for the envisioned market.
How Leaders Can Secure Their Supply Chain
To strengthen our supply chains, leaders must address these mistaken mindsets directly.
A lingering issue deep in the supply chain can result in costs and threats to the entire supply chain. Leaders have a responsibility to root out security issues and eliminate vulnerabilities so the supply chain can count on cybersecure offerings, even when customers don’t ask for it directly. Here are four things you can do today to strengthen your offerings and the supply chain as a whole:
Make Security A Selling Point
Market your offerings as “designed and built with cybersecurity in mind.” Using cybersecurity as a selling point delivers a powerful message to your customers: that your offerings are better than those without cybersecurity baked into the design. Perhaps more importantly, it tells your product teams that leaders take cybersecurity very seriously. Customers are increasingly focused on how secure your offerings are, and you can get ahead of the curve by making it a feature. Putting security in your marketing materials also shapes your design teams: it reinforces for developers that security matters in every offering they design.
Motivate Developers To Prioritize Security
Make sure your customers’ cybersecurity requirements are well known to the product designers. In our research, we often heard that designers had never met the customer and did not know exactly what the customer wanted from a security standpoint. They relied on product owners (often from a different area of the company, such as marketing) to communicate what was needed. It’s easy for developers to become detached from customer concerns and needs. When customers explicitly discuss cybersecurity requirements with development teams, developers will take notice, and this recognition will motivate them.
Another way to motivate the developers to prioritize security is to make security a well-known priority of executives. Once team members know it is important to their leaders, it becomes important to them.
Teach Product Developers About Security Risks
Many product developers, especially the most senior ones, entered the field when cybersecurity was not as serious a threat as now. This is a new world for them. You may need to train product designers to make the right trade-offs about cybersecurity when designing digital offerings. They don’t need to be cybersecurity experts, but product development teams need cybersecurity expertise at multiple levels. Since product designers are there at the conception of the offering, they need to know and believe it’s their job to make basic trade-offs that create cybersecure offerings. To do that, they need basic security knowledge relevant to their offerings, and then they need deeper expertise readily available in their team.
Help Your Vendors Prioritize Their Security And The Security Of Their Supply Chain
Ask your vendors about the security of their offerings and their supply chain. Vet them based on their cybersecurity posture, culture, and prioritization. Show them that it is important to you. Having them complete lengthy questionnaires is one way, but questionnaire answers are self-reported; where the stakes justify it, ask for evidence as well, such as independent test results for the offering and a description of how the vendor vets and updates the third-party components it builds on. More impactful still is an ongoing dialogue about security priority from executives, marketing, product owners, and of course, developers. When developers select vendors, they need to know which vendors are trustworthy and making security a priority. By making cybersecurity a condition of doing business with your company, you demonstrate your commitment to your customers and their entire supply chain.
Trustworthiness is an increasingly critical part of corporate brands in the digital age. Being trusted means that customers believe your products will not only do what you say they will do but do so in a cybersecure way. Trust means that your offerings will not jeopardize your customer’s reputation because of a cybersecurity vulnerability. No one wants to be the next headline about an exploited supply chain vulnerability. Leaders have a special role in ensuring that the supply chain is as secure as possible, including both the digital offerings they develop as suppliers and those they use as customers.
Acknowledgement: This research was supported, in part, by funds from the members of the Cybersecurity at MIT Sloan (CAMS) consortium. All authors contributed equally to this paper.
Originally posted on hbr.org by Keman Huang, Keri Pearlson, and Stuart Madnick.
Keman Huang is an Associate Professor at the Renmin University of China and a Research Affiliate at the MIT Sloan School of Management, where he works on cybersecurity management and policy, innovation ecosystems, and big data analysis.
Keri Pearlson is the Executive Director of the research consortium Cybersecurity at MIT Sloan (CAMS). Her research investigates organizational, strategic, management and leadership issues in cybersecurity.
Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies in the MIT Sloan School of Management, Professor of Engineering Systems in the MIT School of Engineering, and Director of Cybersecurity at MIT Sloan (CAMS): the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.