At the moment I am travelling through the Gulf in order to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I was thinking about quite some while (but – honestly - do not have an answer yet): How do you manage the risks in your supply chain? I am not talking about the risks of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. There are different things that happened recently that started to raise this question – let me just pick two of them to illustrate what I mean:
- Lenovo ships an update with malware: Things like that happened before, this time it is Lenovo’s turn. I once had a discussion with our former Chief Security Officer. She told me that she was asked pretty often what was keeping her up at night. Her answer was a pretty interesting one: “Imagine us shipping a security update to 400 Mio PCs around the world – and we have a virus/backdoor/Trojan in”. Do you manage this risk?
- FBI and other US government agencies are concerned about counterfeit Cisco routers: This is not only because they want to be legally compliant but who knows what is in these routers and what they record and send when to whom. Do you manage this risk?
I guess if we would think about it in depth, there would be quite some additional areas you would come up with. One of the questions you will definitely put into the comments is: How are we sue Microsoft does not build in some backdoors either? At least here I can give you an answer: We have a shared source program where governments around the world can look at our source code – and they do and governments like Russia certify our products as backdoor free.
But I am more interested to hear whether you manage these risks and how?