The news about the compromise of SolarWinds has started to recede but it will remain a watershed event in the history of information security. If you haven’t heard this podcast discussing the compromise and its consequences by the Andreessen Horowitz team at a16z, it is worth a listen.
a16z’s resident CSO, Joel de la Garza, nails the key strategic question regarding information security in organizations when he says, “Where does Security sit? What is the right amount to spend on it? How do you effectively empower it and how do you partner and build security into your business so that it is something that helps enable it versus something that holds it back.” Companies that thrive after this watershed event will grapple with these questions and find a symbiotic balance in which security protects the company while enabling agility, producing a real competitive advantage.
On a more tactical level, what can you do to protect yourself against attacks like this? There is no silver bullet, but in this case there is plenty that companies can do to lower their risk profile. Much of the advice a16z offers will sound familiar to those with experience in the field.
See a more comprehensive list from a16z here.
The initial compromise of the SolarWinds build process itself was probably preventable with the good security hygiene described above, but it isn’t easy to check all these boxes with a limited budget and limited organizational influence.
This incident has shed new light on the management of third-party risk. Joel de la Garza highlights this challenge in the podcast, saying, “The hardest (security) problem to solve is third party risk.”
Vigilance here used to be optional. In the post-SolarWinds era, it no longer is.
We automate the complex task of assessing the security posture of all your cloud services and help you drive least privilege through automated access reviews.