To assess cyber supply chain assurance, ESG asked 285 security professionals to respond to questions in areas such as:
1. Risk management
- Has the organization experienced any security breaches? If so, what was the impact?
- How would respondents rate the security threat landscape now as compared to two years ago? Do respondents expect the threat landscape to get worse over the next two years?
- How well prepared is the organization for the current threat landscape?
- Is executive management supporting and investing in cyber security?
- How important are IT vendors’ security processes in customers’ procurement decisions?
- Do CIKR organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?
- Do IT vendors assume any liabilities for faulty or compromised products?
- Do CIKR organizations hold system integrators accountable for the overall security of the systems they design, deploy, operate, and manage? If so, how?
- To the best of their knowledge, have CIKR organizations purchased any counterfeit IT hardware/software over the past 12 months?
3. Software development
- Do CIKR organizations include security considerations in their standard software development processes?
- Have organizations experienced any security breaches related to vulnerabilities in internally developed software?
- Do CIKR organizations require their internal developers to be trained in secure software development?
- When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?
4. External IT security
- To what extent do CIKR organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?
- If so, how are these relationships secured? Are there formal processes and safeguards in place?
5. The role of the U.S. Federal Government
- Do CIKR organizations believe that the Federal Government should do more or less in terms of cyber security defenses and strategies?
- What specific actions should the Federal Government take?