Shedding New Light on Software Visibility in the Age of SBOMCenter for Internet Security CISO on 'Transitional' State of Software Supply Chain
It has been two years since President Joe Biden issued a cybersecurity executive order warning vendors that they will be required to submit a software bill of materials to do business with the federal government. But a number of organizations are still not ready for SBOM, warned Sean Atkinson, CISO of the Center for Internet Security.
See Also: 2022 Unit 42 Incident Response Report
With the government set to send out the first SBOM attestation requests this year, the industry is in a "transitional state of supply chain management," he said. Some organizations want to make sure that if they provide the appropriate transparency - including open-source software components - adversaries won't be able to use it against them in cyberattacks (see: Zero Trust: Lessons Learned and Lessons Identified).
"It's very, very difficult because we have such a vast, expansive system, and not everybody thinks about vendor risk management in the same way. It's trying to get everybody to that same level of tolerance," he said.
In this video interview with Information Security Media Group, Atkinson discussed:
- The state of third-party risk management;
- Advice for effective inventory management;
- Tools to monitor and manage vendors and partners.
Atkinson uses his broad cybersecurity expertise to direct strategy, operations and policy to protect the Center for Internet Security's enterprise of information assets. His responsibilities include risk management, communications, applications and infrastructure. Prior to CIS, he served as global information security compliance officer for GlobalFoundries. Prior to that, he led the security implementation for New York's statewide financial system.