The College of Professional Studies (CPS) has partnered with the Washington Business Journal (WBJ) to co-host a three-part series of cybersecurity events. One of the highlights of this month was our second cybersecurity roundtable where we discussed innovations in cybersecurity workforce development strategies. CPS Associate Professor Connie Uthoff helped facilitate the conversation.
We have been co-hosting gatherings of cybersecurity experts to discuss current industry challenges and to identify additional ways their organizations can collaborate with CPS. It was an enlightening discussion that brought together experts from various fields, fostering invaluable knowledge exchange and networking opportunities. These dialogues are pivotal in shaping the future of cybersecurity and empowering our students with real-world insights.
The first event in the three-part Signature event series focused on the cybersecurity supply chain.
Check out the article "Cybersecurity and the supply chain – what DMV Business need to know."
(reused with permission from the Washington Business Journal).
Cybersecurity and its connection to the supply chain is every business owner’s concern as hackers increasingly target supply chain weaknesses to infiltrate larger organizations. With the lines between business and personal technology continuing to blur — think social media, smart devices, and remote work — the risk for supply chain vulnerability increases. Whether it’s a mom-and-pop or a global enterprise, businesses are faced with the constant threat of cyberattacks that can lead to costly and debilitating loss.
Alex Orfinger, market president and publisher of the Washington Business Journal, spoke recently with a distinguished group of cybersecurity experts to discuss what small and medium-sized businesses need to know about cybersecurity and the supply chain, and how to protect against potential threats. The discussion was sponsored by the George Washington University College of Professional Studies, which offers an array of cybersecurity programs from workforce development to bachelor's and master's degrees, as well as executive education. Panelists represented a cross-section of industry sectors to include enterprise, government, and academia.
Participants included:
- Liesl Riddle, Ph.D., Dean, George Washington University College of Professional Studies;
- Scott White, Ph.D., Associate Professor, Director of Cybersecurity Undergraduate Program, George Washington University College of Professional Studies;
- Mike Uster, senior vice president, chief information officer and chief technology officer, ManTech;
- Rear Admiral John Polowczyk (Ret), Government Supply Chain Management lead, Ernst & Young;
- Bob Martin, senior principal software and supply chain assurance engineer, MITRE;
- Kristie Grinnell, chief information officer, DXC Technology;
- Joseph Klimavicz, head of Federal Technology Advisory, KPMG;
- Dmitry Korolev, principal, Security Risk Management, Verizon;
- Jim Schifalacqua, vice president, chief information security officer, Peraton;
- Robert Tibbs, founder, board chair and CEO, ConSol USA; and
- Racheal Ankrah-Fosu, chief operating officer, ConSol USA.
Caption: At the first Washington Business Journal Signature Event focused on the Cybersecurity Supply Chain are (above left): CPS Dean Liesl Riddle, Consol CEO Robert Tibbs, Consol COO Racheal Ankrah-Fosu and Program Director Dr. Scott White, Cybersecurity bachelor’s degree program. (above right) Program Director Dr. Scott White, Cybersecurity bachelor’s degree program and Jim Schifalacqua, vice president, chief information security officer, Peraton.
Following are excerpts from the discussion, edited for publication.
Why should small and medium size businesses be concerned with cybersecurity and supply chain issues?
MIKE: Cybersecurity has been fundamental to all entities that operate in the U.S. for many years and for businesses of all sizes including those in my sphere: contractors that specialize in supporting government agencies in the defense, intelligence community and federal civilian sectors. Right now, and for the foreseeable future the most important and urgent need is for government – and all those who support them – to adopt Zero Trust capabilities that significantly raise the bar on cyber defenses and the difficulty that bad actors face when trying to penetrate or compromise government systems, networks and devices. We follow a “Proven Here First” approach to all we do, including Zero Trust, before providing to customers.
SCOTT: The world is complex and interdependent and threat actors are taking advantage of cyber supply chain weaknesses every day to engage in criminal activity. Small and medium sized businesses are increasingly utilizing the digital world to connect with their customers and suppliers; however, this ultimately increases their exposure to threat actors and cyber-attacks. A successful cyber incursion can have an adverse effect, not only on the business, but also on employees, customers and partners. In the absence of a secure cyber supply chain, the economic security of the nation is at risk.
JIM: You can get your own environment in order, and you can take care of the vulnerabilities by employing zero trust. But we have almost the opposite when we talk about supply chain. We have infinite trust in our components and our operating systems, and we’re vulnerable because of that. If you look at the biggest compromises in recent history, it has to do with compromising this piece of the supply chain.
JOE: If you’re a company or a provider that builds products or that relies on other products and other tools to integrate into your own, you’re trusting that those products haven’t been compromised. The zero-trust model is great; we still have a massive vulnerability in our supply chain, and we need to extend zero-trust into our supply chain.
JOHN: A supply chain is a networked ecosystem, and with the advent of industry 4.0, it’s even more connected. In a supply chain risk framework, the cyber piece is part of a bigger construct.
DMITRY: With the work-from-home model and developing services and goods versus cybersecurity and risks, how you apply certain controls and measures on the people aspect is an issue. There is no clean-room concept because people work from home. We don’t know what is happening in the developing countries. Impersonation is in place and has been. We just didn’t know about it. The work-from-home model has exposed a lot of risks.
What should CEOs be thinking about?
DMITRY: Think about fraud methodologies via cybersecurity methods.
BOB: A lot of the smaller or medium sized businesses aren’t aware of what can happen through their supply chain. One of the things we hope to do with MITRE’s System of Trust™ is give people a freely available public place to read about what could be happening. If something resonates with them, they can dig deeper to learn more.
JOE: Look at tapping into government resources intended to protect critical infrastructure and help industry. DHS is very helpful for small businesses, and NSA has their cyber-collaboration center, C3. These are great resources for small and mid-size businesses to tap into. Also, large businesses may be able to assist smaller ones, especially when they partner on engagements.
RACHEAL: They first need to understand what their posture is in the cybersecurity game, and how their lack of action can affect other people. Seeing their posture as inconsequential is problematic for everyone. Collaboration is really critical because they simply can’t do it on their own. The use of joint resources and shared resources is the best route.
MIKE: CEOs need to make sure not only that their own cyber environments are rock hard and impenetrable, but that every one of their suppliers – large or small, critical or subsidiary – adhere to that same level of commitment. The net principle here: Always use critical suppliers that adhere to this principle. We help suppliers meet their mission-critical cyber needs via specific resources such as a secure cloud environment that is managed for them, or some other onsite capability.
KRISTIE: Think about our food supply chain. Think about our power supply chain. Think about all of those things where those supply chains are just as vulnerable as our government’s supply chain. We really need to be protecting what’s down the line because that can change and bring the whole US economy down. Think about how to create an environment across all of those critical supply chains where there is an awareness that cyber matters and that you could be the weakest link. They need to protect against that. And if you need help, raise your hand.
RACHEAL: We’ve always thought of industries like financial services and healthcare as verticals, but we now have to break down those silos in the context of cyber and cybersecurity. We can no longer think that “I’m just a Wall Street firm, nothing affects me outside of financial services,” because once we think that way, we’re not able to collaborate in a good way. We’re not able to share data in an effective way, and therefore we can’t actually solve problems holistically. Cyber runs through everything as opposed to being vertical-driven. Cyber underpins everything as opposed to being a piece of everything.
How does awareness of the cybersecurity/supply chain relationship stand among the broader business community?
JIM: I think that people have been deadened to it and there’s a question of whose responsibility it is. Every C-suite officer, every person that works within a company, must have an awareness of how each of their roles affect cybersecurity and that’s often missing. When you talk about zero trust, zero trust is typically viewed as an enterprise architecture issue. But it applies to the entire business operation, and when we do ignore that, we give up on ownership of the issues and tackling the risks.
BOB: It’s not just an IT issue anymore. There are cyber-enabled capabilities in all parts of our buildings, transportation, cities, and factories. A lot of different areas have been cyberized.
JOHN: There’s this convergence of the chief supply chain officer and the chief security officer because people are realizing that to manage a supply chain in today’s environment with all of the risks, you have to be able to see it to manage it. And to do that, collaboration has to happen.
KRISTIE: We can’t ignore the people aspect of this. People have to have that awareness and understand that all the stuff they’re putting out on social media could allow somebody to be breached inside the one company that’s the weak link in that supply chain. It’s helping people understand that everything they do in their daily life is giving threat actors an ability to get into these supply chains.
How can the academic community and business work together to bridge the awareness gap?
SCOTT: At GW’s College of Professional Studies, we are uniquely positioned to contribute directly to the cybersecurity community. By educating business and working directly with our partners we are making a concerted effort to close the cybersecurity awareness gap. We have developed a variety of traditional and non-traditional educational products designed to improve skills and knowledge, and by doing so, we believe we are helping build a more cyber secure America.
JOE: I think data and cybersecurity have to be taught in all [academic] disciplines because bad actors primarily want to steal data, or they want to get access to data. A Cybersecurity 101 type of class should be taught every place, at least giving people cursory knowledge of the threats.
ROBERT: Let it be demand-led. If you train people to think and be cyberaware, you can really get down on a grassroots level.
BOB: Bake it into the existing curriculum. Everything you train people on, in any organization, needs a little bit of cyber awareness of the cyber supply chain aspects. It’s not a specialty. There are some specialists, but our problem is that most people don’t have awareness about what could be a cyber supply chain risk to them.
LIESL: Our faculty come from industry. They take what they learn and do on the job every day and bring it into the classroom to prepare the next generation for what’s happening now in cybersecurity – and what’s next. Cybersecurity is moving fast, and cybersecurity professionals will need to constantly upskill and reskill to master this ever-changing environment. To solve for this, we have a new program series in development. We are creating online learning modules that can be stacked into microcredentials and into our degree programs. Since our faculty are leading industry professionals, they are well poised to lead the way to ensure our learners are well informed and are well-armed with the skills needed.
The George Washington University College of Professional Studies is an accelerator for career transformation in cybersecurity.
To learn more, go to: https://cps.gwu.edu/cybersecurity.
For more information, please contact us at cpsevents@gwu.edu.