Tim Danks, Huawei VP of Risk Management, discusses his thoughts on cybersecurity and the great need for global collaboration to build cyber risk management standards across the world.
Security: What is your background? And current responsibilities?
Danks: As a VP of risk management and partner relations for a global information and communications technology (ICT) company, I’m responsible for understanding and managing business risks in the context of cybersecurity and privacy. I have more than 30 years of industry experience with services operations, risk mitigation and management, and supply chain delivery. I also focus on third-party relationships working with partners to understand what is coming next and help information flow. My expertise is cybersecurity, focused on operational risk mitigation against an evolving threat landscape with strategy development, implementation, and execution of programs, tools, and risk management teams. Prior to joining Huawei, I spent many years with Ericsson preceded by several years with Rogers Communications.
Security: Could you discuss the importance and need for global collaboration in cyber risk management?
Danks: U.S. national security will require global collaboration for supply chains to be protected. We must assume all networks are or will be compromised, and act accordingly to ensure all parties throughout the supply chain are abide by standards and are held accountable. We also need to assess risk from all suppliers, build consensus on security standards for critical technologies, and apply these standards in a consistent way. Every vendor should be willing to have its network technology gear tested, source code inspected, and verified as secure and resilient. Furthermore, global collaboration is critical to not only address the need for companies to take a shared responsibility of risk, but also bring the full benefits of technology to the world and help close the digital divide.
Security: How can a Zero Trust global policy help properly manage supply chain risk?
Danks: Companies should start by looking internally as well as externally to understand their risk profile to start working towards a Zero Trust global policy for managing supply chain risk at scale. Organization governance around the Zero Trust approach is critical to ensure everyone in the organization understands the concept and their role in creating a Zero Trust environment. Organizational maturity will require advancing from current defense security postures and measured risk profiles to more aggressive positioning and stress testing on a continual basis utilizing advanced tools such as AI.
Blue Team-Red Team exercises are a great way to challenge defensive strategies, apply zero trust principles and assess organizational maturity. Many organizations already have Blue Teams to implement and support defensive strategies but more need to employ Red Team approaches to stress test defenses and identify potential gaps from an attacker’s perspective. To take it a step further, organizations should be employing 3rd parties in Blue-Red Team exercises with the mindset to challenge the internal team’s traditions, conventions and biases. These roles are necessary to deploy national-security-level defenses and risk-management protocols for critical technologies and apply an ABC principle for cybersecurity: Assume nothing; Believe no one; Check everything.
We must move organizations forward at a faster pace to stay ahead of the malicious actors out there who are utilizing all possible tactics to achieve their goals.
Security: Why is global collaboration critical to promoting transparency, accountability and resilience in cybersecurity?
Danks: Global collaboration with unified cybersecurity standards and certification mechanisms is necessary to promote visibility and awareness across industry. Establishing these baselines and initiatives such as Software Bill of Materials (SBOM) increases transparency. We must adopt trust through verification and continuously assess our supply chain, because networking today is realized in a multi-vendor world of 5G, IoT, cloud, software-defined networking (SDN) and network function virtualization (NFV) where the entire supply chain may not always have the same level of resilience. There’s a need for objective and transparent testing to know which products and services are worthy of trust. Even then, Zero Trust must be the mindset of the organization. The old ways of knowing (or assuming) who and what to trust does not work with today’s multifaceted and constantly evolving global supply chains.
Security: Should a multilateral framework that ensures the most rigorous standards and testing exist, in order to improve and promote cyber risk management?
Danks: Absolutely. What we need is a policy that advances American interests and values through multilateral frameworks that recognizes the extent to which these interests are broadly shared. To achieve that, we need to develop a data protection framework that raises standards across the board for all entities. Governments must come together with the tech and telecom sectors around cybersecurity related to the operations of the networks and their supply chain. Having a comprehensive framework is critical to assure end users that each element of the network has been examined for its ability to support their safe and secure access. This is a complicated issue because, unfortunately, it is currently being boiled down to an analysis of borders, not the actual technology. To build a system that everyone can trust, there is a need for aligned responsibilities, unified standards and conformance programs aligned with clear regulation.