i3 - January/February 2021 - 22

ing their controls before they are onboarded."
Venables, who is also senior advisor of risk
and cybersecurity, adds, "It is equally important to establish an approach of continuous
monitoring to help assure that such control
continues to be in place over the life of the
engagement." Based on that outlook,
BlueVoyant recommends that companies build
extended cybersecurity relationships with
partners in their supply chains.
"Drive supplier risk-reduction activity by
building constructive support for suppliers
into your third-party cyber risk management
program," the BlueVoyant report concludes.
"Alert the vendor when new risks emerge and
provide practical steps for them to follow to
solve the problem."

IDENTIFYING SOLUTIONS

Technology retailers face security challenges on
several levels, says Mike Bergman, CTA's vice
president of technology and standards. He
cites three security challenges for retailers:
● Secure enterprise operations to prevent
fraud or data theft.
● Secure connected (smart home or home
office) devices to handle ongoing internet
access safely.
● Protect consumer privacy in data handling
and policies.
Security is now a significant factor in connected products - and increasingly the companion services - retailers sell, whether
intended for smart home, smart vehicle or any
new digital application, Bergman says. In
addition, tech retailers depend on security in
devices, the cloud or elsewhere provided by
the manufacturer, especially if the device links
back to a supplier's control. And like other
retailers in this increasingly interconnected
environment, technology retailers rely on
security in the transaction processing phase
of the sale, whether it's a point-of-sale terminal in the store or an online sale.
Bergman points out that some solutions are
coming from the top of the supply chain.
Manufacturers - particularly those with attractive ecosystems or cloud-based services - have
developed security requirements for third-party
products that connect to those ecosystems or
clouds. Apple, Google, Samsung, Comcast and
other companies are working on various
approaches to such full-scale cyber-safe systems, Bergman notes. He adds that
CTA is working with members' cyber experts, with other industry associations
and coalitions, and with the Department of Homeland Security, the
Department of Commerce's National Telecommunications and Information
Administration (NTIA), the National Institute of Standards and Technology
(NIST), and others, to build pathways toward industry-wide solutions.
"It takes a lot of cooperation on many fronts," Bergman says. "It's more
complicated than one unified effort." Equally important is consumers'
growing expectation for high "quality," which includes constant predictable
results when using a connected device. To deliver that level of quality, every
part of the digital supply chain must include security, he adds. (For more
about CTA's new cybersecurity technical standards, see Pipeline on page 13.)

FIGHTING BACK

Security analysts agree that it is "time to rethink" the underlying supply
chain resilience. While blockchain and other digital technologies are cited
as potential security solutions, other approaches for secure protections in
the new ecosystem are also surfacing. From advisory organizations to the
federal government, countless recommendations have emerged to encourage and ensure cybersecurity procedures for businesses of all sizes.
For example, CISA (the Cybersecurity and Infrastructure Security Agency
within the U.S. Department of Homeland Security) has issued an ongoing
stream of protective recommendations. CISA has put the emphasis on securing High Value Assets (HVA), which will be defined differently at various
organizations. The one constant HVA is "information or an information system that is so critical to an organization" that the loss or corruption of this
information or access to the system could ruin an organization.
CISA has issued operational guidance directives that companies can use,
outlining recommendations to identify and prioritize HVAs in order to build
an assessment of risks and weaknesses throughout a supply chain. The recommendations are available from the CISA website.
Oliver Wyman, the management consulting firm, adds several steps that
