The topic of cybersecurity isn't one I've addressed in previous episodes of the Digital Supply Chain podcast so we were long overdue to talk about it.
Consequently I invited Imprivata's Chief Products & Design Officer Mark McArdle to come on the podcast to talk all about it.
He graciously agreed and we had a fascinating conversation covering the reasons why cybersecurity is becoming more of an issue for organisations, why supply chains are uniquely vulnerable, and some strategies to harden them, while also making the supply chains more efficient.
I learned loads, I hope you do too...
If you have any comments/suggestions or questions for the podcast - feel free to leave me a voice message over on my SpeakPipe page or just send it to me as a direct message on Twitter/LinkedIn. Audio messages will get played (unless you specifically ask me not to).
If you liked this show, please don't forget to rate and/or review it. It makes a big difference to help new people discover it. Thanks.
I'd like to sincerely thank this podcast's generous supporters:
And remember you too can Support the Podcast - it is really easy and hugely important as it will enable me to continue to create more excellent Digital Supply Chain episodes like this one.
Podcast Sponsorship Opportunities:
If you/your organisation is interested in sponsoring this podcast - I have several options available. Let's talk!
Thanks for listening.
It's more and more important that things that drive improved efficiencies are the things that always make it across the CFO's desk. The things that get approval are things that buy capability back, and it's a double win if you're getting more efficient while reducing risk to bad actors stealing your data, compromising your systems. No one wants that to happen.

Tom Raftery:
Hi everyone. Welcome to the Digital Supply Chain podcast. My name is Tom Raftery, and with me on the show today I have my special guest, Mark. Mark, welcome to the podcast. Would you like to introduce yourself?

Mark McArdle:
Thanks a lot, Tom. Yeah. I'm Mark McArdle. I'm the Chief Products and Design Officer at Imprivata. And Imprivata is the leader in enabling, controlling, and monitoring digital identity in life- and mission-critical industries. We just celebrated our 20th anniversary this year, and we've learned a lot about how to use digital identity to drive efficiency for users while making them and their organizations more secure. And the supply chain is a key part of our mission to improve the security of our customers' environments. Okay.

Mark McArdle:
I've been working in cybersecurity since the mid-nineties and have seen a lot in the decades that have followed, and a lot of the supply chain is critical infrastructure, and it's been a frequent target by hackers.

Tom Raftery:
Okay, and what do you mean when you say digital identity?

Mark McArdle:
It's a great question. You know, it can be many things, but ultimately digital identity is the information that identifies an entity trying to access a resource. And it can be a person or a thing accessing that resource. Everyone's familiar with things like Netflix. You've got a Netflix account and your user ID, which is typically your email address, and a password. Those together represent a digital identity that enables you to access Netflix and all the programming there.

Tom Raftery:
Okay, cool. And I mean, you mentioned supply chain and how supply chain is increasingly vulnerable, I guess is probably the way to put it, because more and more these days supply chains are opening up. They're allowing suppliers in or allowing buyers in. So they're more interconnected, which of course increases the threat landscape. This is the Digital Supply Chain podcast, where we talk about things digital and supply chain, and as they're more digitized, the threat landscape grows even more, you have to think. And this is the first time we've had a podcast episode dedicated to supply chain security, which is entirely my fault. I should have had one long before now, and several long before now. But now that we're here, can you talk to why it is that supply chains are uniquely vulnerable to threats from cybersecurity?

Mark McArdle:
Well, first I'm really flattered that I get to be the first person to talk about this on your podcast, cuz it's such an important aspect of overall cybersecurity. And if we think about hackers and their behavior, they want to access things of value. Sometimes it's cash, sometimes it's data, sometimes it's just access to systems, and they're efficient and lazy. They try to not do more work than is necessary. And a lot of the victims, unfortunately, are opportunistic. They're just the ones that are least defended or poorly defended, and they're the ones that require the smallest amount of effort. So if you think about a target, like say you wanted to attack a bank, cuz you know what the old bank robbers used to say, that's where the money is. If you think about attacking a big bank, well, they've got thousands of really smart people in their IT teams who are focused on cybersecurity. So it's a lot of work to try and find your way in and try to access the resources that you can turn into cash for yourself. But these banks deal with hundreds and probably thousands of third parties. Some of 'em are really big other banks, but a lot of 'em are gonna be really small organizations that are much less sophisticated when it comes to cybersecurity. And until a few years ago, it was pretty common for big organizations to do business with smaller organizations, and there wasn't a lot of attention put into how secure they were and what protections were gonna be in place for both the access and the data that these small third parties were gonna have access to. And I think the Target hack, I think back in 2014, was probably one of the big headline-grabbing ones, where hundreds of millions of credit card data was stolen by hackers, and they didn't go in through the front door of Target and Target's networks.

They actually compromised Target through a third party, a little Pennsylvania HVAC vendor, a little small business that was doing service for Target and a bunch of its stores to manage the heating and cooling systems. But because that small organization had poor cybersecurity practices, the hackers were able to use that connection into the Target network as the means to compromise the system. So there's been lots and lots of examples of this, both from a hacking perspective, people looking to make money out of this, but also nation-state hacks. If we look back to 2010, in the industry it was really a groundbreaking, terrifying moment when something called Stuxnet was discovered, and it was the first real example of an engineered cyber weapon that was targeted at a nation state. It was a collaboration that's believed between the US, the NSA, and the Israeli government to bring down the Israeli nuclear program, to do it harm and set it back.

Tom Raftery:
The Iranian.

Mark McArdle:
Yes, the Iranian plants. Yeah, this is refining uranium for weapons in Iran. And this cyber weapon was created to specifically attack a specific kind of Siemens programmable logic controller that controlled the centrifuges in these labs. It didn't destroy really anything else. It was a very targeted weapon. It managed to cross the air gap, which is a practice used to keep systems off of the internet, with the thinking that if you can't connect to it over the internet, it must be more secure. And there is certainly some truth to that, but this used a USB drive. Everyone's got USB drives sitting around their desk; that was the vector for infection. And it had catastrophic impact on the centrifuges. So the supply chain is often the most effective way to compromise any target. And the financial markets, the regulated markets, regulated by the SEC in the US, they were required to start taking responsibility for third parties. It's called vendor risk management. And that really drove a change in behavior, where the due diligence performed on these smaller or larger partners that are gonna be doing business with you takes into account the kind of things that are expected to protect the data and the access from evil actors.

Tom Raftery:
Okay, so if I am a supply chain manager concerned about who I'm doing business with and how secure their systems are if they're connecting to mine, should I only deal with larger organizations who are likely to have better security?

Mark McArdle:
Well, it's not necessarily a question of size. I think it's a question of sophistication, and the due diligence questionnaire that you typically would use, and many organizations are pretty familiar with these. If you're dealing with any regulated partners, you're going to be receiving these fairly thick cybersecurity due diligence questionnaires, as well as if you're trying to get cybersecurity insurance, insurance against the downsides, the costs of being breached. The insurance companies also have very detailed prescriptive requirements that you have to meet. So there's a combination of things there. I think the culture is starting to become more broadly understanding that there is a responsibility to raise your game in terms of what you're doing to protect the assets and to protect your customers' data. And I think that's becoming more common cuz we're seeing CISOs, chief Internet security officers, in places that we haven't seen them before.

Tom Raftery:
Okay. And how does something like a digital identity help in this scenario?

Mark McArdle:
The thing that's probably foundational here is there's a term in the industry called Zero Trust, which is an approach to protecting your infrastructure and your assets from attack. And digital identity is foundational to that, because if you think about doing a transaction, the first thing that you need to know is the identity of the other party that you're connecting with. You wanna have high assurance that either it's the customer you think it is, or it's the partner that you think it is. So the digital identity there becomes a really important foundational element. And then once you have that high assurance of who you're dealing with, you can now build on that. Now, what system are they connecting to me from? Is it a trusted enterprise device that's managed by our IT teams, or is it a hotel lobby shared system with who knows what kind of malware roaming all over it? So you build trust up by assessing who you're dealing with, where they're accessing from, what's the condition of the system they're on, and then what resources are they trying to access? Is it super sensitive material? Like if it's patient health information, for instance, you would never want that on a non-trusted system. So a lot of the approaches to protecting data require foundational digital identity.

Tom Raftery:
Okay. And I assume organizations are going to need to, if they don't already, come up with a kind of digital identity strategy. What does that entail for companies?

Mark McArdle:
Well, it's a great question, because this is an emerging process in many industries. The steps we took at Imprivata to help our customers understand this was the creation of what we call the Digital Identity Framework. And it was built on some great thinking by organizations like NIST, analysts like Gartner, where we looked at the broad capabilities of digital identity, the things that we consider. Helping enable the use of digital identities, so helping users do what they need to do and get access to the things they need to access to do their jobs. Controlling digital identity, which is making sure that those users have all of the entitlements and accesses that they need and nothing more. Because in cybersecurity there's a concept called least privilege, where we want to minimize the damage that could be done by any individual account being compromised or a user going rogue, by only allowing them access to the things that they specifically need to do the job and not letting them have access to everything, all the keys in the kingdom. And then the third component in the way we view digital identity is monitoring. There's a lot of sensitive data that users are given access to, and there's a lot of trust being put in their hands that they're gonna do the right thing. And from a compliance perspective, certainly in many industries, this has become a requirement. You have to be able to demonstrate that that data has been used responsibly and properly all the time. This is really big in healthcare, cuz obviously patient information is extremely sensitive information. And unfortunately, humans are humans, and sometimes they get moments of weakness. If Tom Cruise comes into the hospital and some doctor or nurse goes, "Well, what's Tom in for?" That's not appropriate. They're not part of the patient care team.

So that's a patient privacy issue, and being able to monitor that the accesses are being used appropriately really lives up to the promise that healthcare providers make to the patients, that no harm will come to you or your data while you're under our care.

Tom Raftery:
Okay. And in terms of supply chains, is there any particular industry that you work with more than another? Because supply chains go across all industries, obviously. Or is there any particular industry which is more vulnerable, you feel, than any other?

Mark McArdle:
Well, we've worked a lot with healthcare in the last 20 years. That's the industry we've had the greatest success in, in helping absorb the complexity and enabling digital identity. But we also have a lot of customers in manufacturing, in finance, retail, aviation. So a lot of the challenges are broadly similar, but there are specific market challenges, and I think healthcare has probably got the greatest complexity and challenge because they have hundreds of clinical applications that all require a digital identity for clinicians, doctors and nurses to access them. There's shared devices, where in most enterprises you're given a laptop by your employer. Maybe you're even given a phone, and that's your device. But in healthcare there's a lot of shared devices, both mobile devices and shared workstations, that multiple nurses or doctors are interacting with all day, every day. So that changes the dynamic in how the systems have to work. And in healthcare, again, unlike a lot of enterprises, you can't dictate and change workflows that are going to get in the way of delivering patient care. You have to make sure that when you are making them more secure, you have to drive efficiencies. You have to make the workflows that they're doing a lot more efficient. So instead of forcing them to type 15-character complex passwords every time they want to modify or enter patient data, provide a mechanism that allows strong authentication up front, multifactor authentication, and then have badge tap. These badges that are available now, secure badges like FIDO badges, these are cryptographically secure badges that can substitute for complex passwords. So you get away from the passwords, cuz they're the scourge of humans, right? We are not good at remembering these long, complicated things, and there needs to be a better way.

So that's really what we focus on, and that model applies to all industries, because humans, at the end of the day, most, you know, 99.999% wanna do the right thing all day, every day. And we wanna enable them to do that in a secure way. We also have to monitor for that tiny, tiny fraction who are gonna misuse those accesses to do things that could be potentially harmful.

Tom Raftery:
Right. And I assume things like using a FIDO-enabled card means it's more efficient for people entering data because they don't have to be entering in their username. They don't have to be stamping something with a timestamp or something. It's all automatically put in for them.

Mark McArdle:
That's exactly right. And that's why we've invested in capabilities like facial biometrics and other biometrics that allow a more frictionless interaction for the user to be able to get to what they needed to do without fumbling and having unnecessary complexity thrust in front of them. So we wanna always have a strong efficiency and cybersecurity capability matched together. Because, certainly in healthcare, if you break the usability, clinicians are brilliant. They're just like that Jurassic Park quote: nature finds a way. Clinicians always find a way around slow and bad IT practices. So that makes the organization less secure. But ultimately the mission for them is patient care. Spend time with patients, not fumbling around with technology. And the supply chain is exactly the same way.

Tom Raftery:
Nice. Yep. Yep. On most episodes, I ask people if they have particular customer wins that they can speak to. Now I realize that in the security industry, speaking of a customer win is a customer who hasn't had a breach, I'm guessing, so I assume that's a difficult question to answer, but I'll ask it anyway. Have you had any particular customer wins you can speak to?

Mark McArdle:
Well, yeah, I'll speak to a theme of wins and something that's really been a driving force in our success, and that's been that we drive real return on investment. We drive real value, and cybersecurity generally is really about risk management. It's like insurance in some aspects, right? You are doing these things not because they're going to improve the top line or the bottom line. You are doing them to prevent something bad from happening. And from Imprivata's perspective, we want to match the cybersecurity piece, which is really important, with efficiency that drives ROI. And I've had many chief information officers say to me at conferences, "Rolling out Imprivata's single sign-on Tap and Go was the greatest thing I've ever done for clinicians. They think I'm a hero for this because I've eliminated them typing those passwords that keep getting longer, more complex." They're saving on average 45 minutes a shift just fumbling around with typing a username and password. Our ability to drive Tap and Go and eliminate and streamline those workflows buys that clinician, that end user, more time. And this applies everywhere we go. We've had manufacturing, we've got customers that instead of having people in a warehouse typing long passwords, maybe even wearing gloves and protective equipment, instead we've got a secure badge tap-on capability. We've got facial biometrics. So we're always looking at ways to get people to where they need to be to do their job, but do it securely and do it efficiently. And as we get into, you know, inflation's high, and for lots of organizations in the economy there's sort of headwinds potentially coming in the next year.

It's more and more important that things that drive improved efficiencies are the things that always make it across the CFO's desk. The things that get approval are things that buy capability back, and it's a double win if you're getting more efficient while reducing risk to bad actors stealing your data, compromising your systems. No one wants that to happen. So we try to unite those two things every time we're engaging with the customer.

Tom Raftery:
Okay, and what kind of trends are you seeing in the industry? Where do you think things are going?

Mark McArdle:
Well, one of the things that we are really excited about is there's a concept in cybersecurity called privileged access management. If you think about the most important assets inside a company's network, the firewalls, the domain controllers, all the really expensive gear that only really highly trained, highly trusted individuals get access to. That's become more and more important. Again, it's a core foundational element, and you probably can't qualify for cyber insurance if you don't have that in place. But what we recognized was there's a third-party problem here, and this directly speaks to supply chain, where you have, and it's common in many industries, certainly healthcare's got lots of examples, where an MRI machine is not something that a hospital's IT team does maintenance and updates on. That's contracted out to Philips or GE or one of those big companies. But you've gotta provide them remote access into those systems, into your network, and there's been a real mess there. It's not easy, it's ad hoc, there's no visibility, it's not compliance-minded. And we've introduced SecureLink vendor privileged access management to manage that problem in a really simple, elegant, and secure way. So you get visibility into what those third parties are doing. You control when the access is allowed, so you can make sure that your maintenance windows and systems are always available when they need to be. And you have the ability to look and see exactly what they did inside those sessions. It's sort of like a video recording of all of the vendor access actions and activity. So that's been a big part of driving the ecosystem improvements, and SecureLink allows both a hospital or a manufacturer or a bank to say, "If you want remote access to manage the systems inside my network, this is what you will use."

But it also enables companies that have thousands of customers to use this SecureLink vendor privileged access management to remotely and securely manage all of the deployed technologies they have across their customer base. So that's a really exciting capability. Reduces the attack surface, drives a lot more efficiency, and ultimately raises the cybersecurity hygiene for all of the customers using that.

Tom Raftery:
Nice. Nice, nice. Very nice. We're coming towards the end of the podcast now, Mark. Is there any question that I haven't asked that you wish I had, or any aspect of this we haven't touched on that you think it's important for people to be aware of?

Mark McArdle:
Well, I could go on for hours talking about this. There's so many examples, cautionary-tale type examples of "don't do this." But I think I'm excited that you're giving this attention, and maybe one day we can follow up and see what you're seeing from other guests you have, talking about how cybersecurity and the supply chain are so deeply intermingled, and we can't have secure infrastructure if we're not managing the supply chain and holding it to the same levels that we hold our own systems to.

Tom Raftery:
Sure, sure. Absolutely. Great. Mark, that's been really interesting. If people want to know more about yourself, Mark McArdle, or about any of the things we talked about in the podcast today, where would you have me direct them?

Mark McArdle:
Well, I think the best place is the imprivata.com website, and there'll be a link to that, I think, in the notes for the podcast. That's where you can find out all the amazing things that we're doing in digital identity for our customers.

Tom Raftery:
Fantastic. Great, Mark, that's been really interesting. Thanks a million for coming on the podcast today.

Mark McArdle:
It's been a pleasure. Thanks so much, Tom.

Tom Raftery:
Okay, we've come to the end of the show. Thanks everyone for listening. If you'd like to know more about digital supply chains, simply drop me an email to TomRaftery@outlook.com. If you like the show, please don't forget to click Follow on it in your podcast application of choice to be sure to get new episodes as soon as they're published. Also, please don't forget to rate and review the podcast. It really does help new people to find the show. Thanks, catch you all next time.