Okay, so the topic for our panel is, within the next 18 minutes, talking about smart sourcing, the key to secure supply chains. So basically, considering more than just quantitative and financial aspects in the supply chain, also adding, as we IT security experts love it, security risk, basically, into consideration when we talk about our suppliers.
Again, to the audience, I think we will have some time at the end for your questions, applies also to the online attendees. But let's jump into the discussion. First of all, Tobias, you already introduced yourself, but maybe Aus, you can give a short introduction.
Yeah, of course. Aus Alzubaidi, I'm the CEO for MBC Group, Middle East Broadcasting Center. It's the largest media enterprise in the Middle East, with dozens of satellite TV channels, video-on-demand production houses. We are into the news, sports, etc.

Hi everybody, Sergej Epp. I've just started this week as a CISO for Sysdig. So we're a cloud detection response and runtime security company. And before that, I was working for Palo Alto Networks and Deutsche Bank. Thanks for the invitation.

Perfect.
Thank you, three of you. Then let's jump into the first question. What risks do you see in your industry, specifically regarding global supply chains, and how do you differ from other industries? Maybe we start with Aus.
Okay, so we have operations in five continents. And funnily enough, we have been talking with a few suppliers responsible for threat risk management. And we have been told that an average medium to a large enterprise will have 500 suppliers in their ecosystem.
At MBC, we have 15,000 suppliers from everywhere, from robotic cameras controlling the newsroom to media producers. Consider it a combination of Netflix, BBC, DAZN, all into one. So our attack surface is massive, to a level where a single van close to a football stadium can jam the signal to the satellite roaming in the area. As simple as that. So it's a massive supply chain, and we are vulnerable. We are very fragile. We cannot say that we're relying on the cloud entity to secure our supply chain. It's way more than the cloud. It's everywhere.
Physical and digital, there is no barrier anymore. I mean, IoT and IT are converging into one big platform.
Perfect, thank you. So this is one industry. Maybe we directly jump into a financial industry with this question. How do you, or which risks do you specifically see?
Okay, thanks. Maybe two sentences on what I believe about supply chains, or we call it value chains. I have a little bit of a hard time to see in a digital industry, we're not producing anything apart from bits and bytes versus others like automotive or pharma really have fantasy to understand what is a supply chain. Because we're buying PCs, we're buying software, and basically this is our, so to say, our tools. And you don't want to hopefully understand where your laptop or where your server is produced, and what is the RAM and whatever is in, and so it's also for software development.
It would be nice. So that means that perspective, actually, we still struggle to define it for us. And we don't want to open the cans or the elephant and ask them to, invite them to join our questionnaire with the family, okay? Then we're getting them out. Difficult from my perspective. But from a risk perspective, I see it as a, I call it follow the sun risk for us, okay? And that basically is something similar to what happened with CrowdStrike a few months ago. So if really it starts somewhere, and it's basically sweeping, making its way through the whole world.
Yeah, I think that's something which I see. And if you want to be very concrete, I see still the quality of software. So the software development quality, which we buy, is still a challenge because it leaves with us the liability risk and the patching risk, which is one of the key vulnerabilities organization face. And that's the way how I would describe it. Thank you.
Sergej, how can companies balance regulatory requirements? So Tobias talked about this too. DORA specifically, and how can we deal with something like that and the flexibility we need here?

So I think the question is just really who is dealing with regulatory requirements. And I see also always compliance and regulatory requirements as something which is just trying to enforce and accelerate correct security, right? And with a supply chain, perhaps just to comment back as well on the question before, with a supply chain security, I think we're facing two big problems.
And now experiencing this for, as a vendor, because we're not only having internal security with our suppliers, but we also vendor to somebody, right? There's a big trend in the last two to three years that there's a high, first of all, high concentration of focus on the suppliers, first party suppliers, second party suppliers, and so on. I think this is really unfair because imagine our nation state focusing 1000 hackers, not just on 100 companies, but on one company, because they get this the same outcome afterwards if this company is breached, right?
And I think, therefore, this is a big problem right now that there's so much focus right now on specific suppliers, and not necessarily just cybersecurity companies, IT companies, but it will, I think, propagate as well forward to these other chains. And we need to understand how to deal with this, because this concentration of risk is something we haven't really encountered before. And I'll answer your question, but I think this just sets the scene. And then this asymmetric disadvantage is something we need to deal with as an entire industry, right? As an entire ecosystem.
It cannot be just the duty of a supplier, right? Because we all need to understand what are the cascading effects of the supplier being breached in certain areas.
So now, how to deal with regulatory requirements? I think this is really depending on the different entities we're trying to regulate. Regulation is always something which is just enforcing the minimal requirements, right? And then I think it's required. I'm a big fan of regulations, because regulations are the only way to solve societal problems. So if you have, I don't know, health care or police, the only way to regulate it, nobody's going just to see if everybody else is behaving correctly. So we need police, right?
And the same way we need this regulation forcing certain critical components just to be secure. And we need to understand now how much regulation is going towards users, how much is going towards suppliers, and how do we enable those suppliers just to be accountable for that and being transparent for that. So it's not an easy to solve question, but I just give this question back to the audience. Who of you believes that you have one single application, at least one, running in production right now, being bug-free?
Now, you're a former verification guy. Perhaps you know one. Don't be shy. There's not a camera in the direction of the audience. So if you have one, let me know. One single. And I doubt that anybody would make this commitment, because 80% of the source code is open source. It's code we don't control. It's code which can always propagate vulnerabilities. And in fact, it's all of us. So we need to assume breach, right? As suppliers, you need to assume breach as customers. I think that's the question, how to deal with this problem as best as possible.
So from the other side, so not the vendor perspective, how would you answer that question?

Okay. I would say one size does not fit all, as simple as that.
I mean, we love regulations as well. I agree with you, Sergej. But it's covering the bare minimum requirements.
I mean, what you need, judging from your experience with SOC2 and ISO, you have the stamp, but it's not good enough. I mean, I would say you have to meet regulatory requirements.
Yes, make sure you have a practice in place. But you need to utilize automation. You need to utilize AI.
I mean, we have started doing what you guys are doing, guys, manual questionnaire with 300 questions. But when you're dealing with 10,000, 15,000 suppliers, it's impossible to manage. So you need first to have complete visibility, bare minimum. Then you have to start assigning priorities for critical suppliers.
Out of 20,000, maybe you are relying on 100 only. Those can break down your value chain.
For those, it has to be a combination of Excel sheets, surveys, and then an automated scoring card system, honestly. It doesn't work any other way. You have to act as an attacker, attack the external surface, check the dark web, breach forums. It has to be a comprehensive program. So regulations, yes, it's the bare minimum, but you have to do your own due diligence. It doesn't work any other way.

Perfect. Tobias, coming back to the main topic, like smart sourcing here, what priorities should be set when working with partners at different levels of cybersecurity maturity? What is your experience here?

I think the key thing is that you see this relationship as a partnership. It's not working with a service provider relationship or this kind of vendor thing, right? Google is not a vendor or supplier. You cannot solve this one-to-one relationship when you have one wing, right? It's not going to happen.
Especially, and there are multiple reasons for this, because you have small and medium-sized companies and we are all built, the majority of our services are coming from small and medium-sized companies. And they are small. That's why they have fewer people. But they have maybe not the money, to secure, because they maybe don't even have an IT or limited IT. And on the other hand, these regulations, they are written from a one-to-many perspective. They say this enterprise must ensure that all this relevant supply chains are following the enterprise's point of view.
But from a partner perspective, they have hundreds, they have thousands, and they have really a lot of parties, partners as well. And they cannot implement the requirements of 20,000 customers. So it's not going to fly. It's an end-to-end relationship. And it's not flying from a monetary perspective, right? If you have a contract for 100,000, you cannot, if you ask a partner to implement, to run a cybersecurity program for 10 million, they're going to rather go for exit, as I showed you. The number was number eight. They cannot afford it. That means partnership is key, or understanding.
Then actually you can say, let's work together to overcome basically the lack of consistent requirements globally. Everybody has its own control framework. Everybody has different regulations. You read DORA and you have no clue what they're talking about, what you need to do. And neither do the others. That means you need to define it in cooperation and find a level you can live with. And I get what you said about zero trust, but I believe that we have to have certain trust. Because otherwise you cannot partner and you cannot solve the problem.
I get it from a regulation perspective, the idea, but when we had just a chat before, when you now have DORA, and DORA is not saying, oh, you cannot trust your partners anymore, but they are also saying now you cannot trust your employees anymore. That's why they're introducing the requirement of continuous background screening of your people. Okay. This is insane. I get it from a military standard perspective, but I'm not getting it from a works council perspective in Germany. Definitely. Yeah.
And, and this is just one of the 1,400 where you can say, okay, fair enough, but not apologize for not getting it. Okay. We cannot. So very different situation. That means we need to help ourselves and move away from not trusting.
I mean, from moving into partnership. And I think then we are on the right track.
Good, good point. Sergej, anything to add?
I mean, yeah, yeah. Fully agree with you. I think like the zero trust part is definitely on the technological level, right? And perhaps just a comment, like what are best practices going to look like for third party risk management? We always talk a lot about, hey, let's try to get visibility into vendors. Let's try to understand how secure they are and so on. I feel we need to expand that, right?
To me, the first question is first of all, to try to understand your vendors. And I really liked this breakdown of the vendors. Who are the most critical vendors for you? And you focus just on the most critical and treat them differently than everybody else, because again, cybersecurity is a risk topic. So 95% of all the companies that they don't put priority, you know, as a most important thing, because it's simply not a business priority for them.
And you cannot very often change that, but focus on these critical partners where you feel there could be a big impact if they are going to be breached. Second, try to understand and get more visibility into how secure they are. This will always be limited because it's a black box, right? Questionnaires are always a black box.
I mean, I have to answer a lot of questionnaires. I send in questionnaires. I'm assuming both is 10%, 20%. Let me be just very extreme here.
Correct, right? You have to verify everything, but this is how you establish a discussion. And this counts more than what the answer is going to be on the questionnaire. So I really love this partnership talk as well. And then the third part, that's what we're not doing at all, is really, how do you secure these partners? So if you're running SolarWinds, if you're running TeamViewer, for instance, in your environment, how do you build controls around that to ensure that if they are breached you can still survive that? And that's where Zero Trust comes in, I guess.

Definitely. So in respect to the time, those 20 minutes always fly that fast. It's incredible. I announced at the beginning also that the audience is able to ask questions. Do we have any questions from the audience to the three experts here on stage?
Ah, Berthold Kerle himself. I like that notion about partnerships. The question I have is, how many companies are really able to establish that kind of close relationships? That's the first part of the question. And second part, wouldn't that also to some extent poison the system? There's also a danger that it slows down innovation because the smaller start-up-like organizations who have not that backing of lawyers and the holding perspective, they're actually not being inter-governed whatever, because they are being provided kind of governance around that.
Okay, so who wants to answer?

I'll go first. Very good question.
Thanks, Berthold. So the first one is, I think it's a journey as well. It's a journey to build partnerships in your long-lasting and newly established relationships. We are trying to, but obviously I wouldn't say that all our relationships are partners. Even though we try, they were also sometimes challenging. Let's face it like this, okay. But I guess it is part of the set, let's say for the next few years, to establish partnerships and trust. What was the second question?
Sorry, it's innovation. Yeah, I think this is one of, I believe, one of the risks which we have, especially now with DORA coming, that especially Germany is built on small and medium-sized companies. Our wealth is built on those.
And you, as we also did this, we did also some exits because we could not, let's say, deal with such an exposure. But we could also not help. That means I definitely believe, or I feel that these regulations impact our ecosystem on small and medium-sized companies. Because if you have companies who cannot afford security standards, the banking standards and our standards, and we cannot bring them up to the next level, we either pay them via higher fees or we accept it.
But the penalties are so incredibly high that you need really to think twice whether you can basically deal with a partner who has a reasonable security standard, but does not meet your requirements, and hence you cannot accept. That means it leaves you with an exit.

Perfect. And then maybe also…

I mean, it's not easy, but it's a give and take.
I mean, it's a partnership. But what I have noticed that works really well is sometimes with smaller partners, you take over the security practice, as simple as that.
I mean, as a cyber professional, you cannot be a business blocker. You have to be an enabler. So funny enough, a couple of weeks ago, I had a chat with the CEO of Apple, a $3 trillion company. I asked him a specific question, how do you manage your supply chain? And he said, we are out of 25,000 suppliers, we have 220 critical suppliers, and we meet those on a bi-weekly basis.
Okay, perfect. Sergej, do you want to…

No, I think that's all set.

And I would say thank you very much, almost on time. Appreciate that. Thank you very much for your insights, for your open answers. And thank you.

Thank you, Tobias. Thank you, Aus. And thank you, Sergej.