Government and private sector experts discussed the extent to which zero trust cybersecurity principles ought to be applied to the larger problem of achieving better supply chain security at an Oct. 26 event organized by the Atlantic Council.
Virginia Wright, a program manager at the Energy Department’s Idaho National Labs, talked about the importance of how organizations implement zero trust security architectures, and how to identify the extent of implementation for mission success.
“We can start on the journey to zero trust very easily, but quickly, it tips up and becomes more difficult,” Wright said. “So I think, like anything complex, we’ve got to figure out what part of that problem we want to solve.”
“It’s so important to leverage the idea that … I don’t need to implement zero trust for everything all at once,” she said.
Danielle Jablanski, a nonresident senior fellow at Atlantic Council and OT cybersecurity strategist at Nozomi Networks, talked about how organizations should try to define goals for how much security they are seeking, instead of being overly prescriptive with zero trust and other cybersecurity measures.
“I think the bigger issue for supply chain risk management is where to end, [and] what does enough look like,” she said. “We don’t want the government to be overly prescriptive about governance regulations and standards, but we do want to understand how to get these things done.”
Bryson Bort, also a nonresident fellow at Atlantic Council and CEO at Scythe, discussed the need for vulnerability management in supply chain security, especially on the procurement side of the equation.
“Vulnerability management is a gigantic, key part with procurement,” he said. “What are the communication requirements for vulnerability from your vendors? What are those expectations [and] how you receive those communications for it?” he asked.