Software Supply Chain Security Becomes Prime Concern in 2022

Over the past two years, the security industry has become painfully aware of the security risks to the software supply chain. In 2021 alone, several thousand organizations and agencies received compromised SolarWinds updates that put their data at risk. 

In addition, countless more organizations remain exposed to software supply chain security risk via the Log4J vulnerability in a widely adopted open-source logging library.

Chief information security officers (CISOs) now recognize that their software supply chain is ripe for exploitation, which is creating a surge in demand for supply chain security talent.

Jasmine Henry, field security director at JupiterOne, a provider of cyber asset management and governance solutions, breaks down the various roles in software supply chain security, ranging from governance, risk and compliance (GRC) specialists to engineers and architects. “Hiring is happening at all levels, especially mid- and senior-level supply chain security specialists,” she said. “We’re seeing supply chain security leadership roles for individuals with strong backgrounds in securing the supply chain for the first time.”

Tim Wade, technical director of the CTO Team at Vectra, an A.I. cybersecurity company, agreed there’s certainly “a great deal of buzz” around supply chain security weaknesses, especially given the recurring pain felt over the last year. “However, it’s less about a demand for supply chain security specialization in a general sense, and more about skills on either side of the supply chain,” he said. “Suppliers need to ensure their products and services meet security objectives, and consumers need to build resilience against the possibility that an upstream supplier has been compromised.”

Suppliers will be looking for roles that align with product and application security skillsets. “Both suppliers and their customers will do well to invest in the skills necessary to mature detection, response, and recovery operations,” Wade added.

The Right Backgrounds 

Organizations have an immediate need for individuals with strong backgrounds in risk management, vendor security assessments, and process optimization. “There’s also a huge demand for supply chain security architects who can assess security risk within existing systems created by vendors and open-source products and use these findings to spark engineering change,” Henry pointed out.

From Henry’s perspective, there’s room in software supply chain security for individuals from all backgrounds, including engineering and liberal arts educational pathways.

That’s especially true for individuals with architecture and engineering expertise, as well as those who can streamline the heavy lifting associated with vendor consolidation (and the retirement of legacy systems particularly vulnerable to software supply chain security risk).

Henry added that individuals with strong relationship management and communication skills can manage software supply chain assessments, risk reporting, and related documentation: “In addition, individuals from engineering backgrounds are needed to create technical requirements for supply chain security and coordinate with both product and leadership teams.”

Any individual whose background has involved some element of vendor management, open-source security, or compliance is well-positioned to pivot into a role that’s exclusively focused on software supply chain security.

Jake Williams, co-founder and CTO at BreachQuest, an incident response specialist, said any moderately sized organization should have a named individual who is ultimately responsible for supply chain cybersecurity, even if that is a part-time role for the organization. Auditing and vulnerability management experience are probably the most important qualifications.

“Most supply chain cybersecurity concerns are not as sexy as SolarWinds, and instead are things like auditing attestations made by other organizations with whom you are doing business,” Williams said. “B2B compromises, which are still part of the supply chain, are far more common than backdoored software.”

While some very large organizations will likely have a need for dedicated vulnerability research personnel to identify potential backdoors in software, the vast majority of the work will be fairly pedestrian risk audits. Those with experience in auditing external organizations will have great potential to thrive. 

Williams recommended that people interested in software supply chain security enter technical auditing roles and gain experience with a Risk Management Framework (RMF). “This isn’t an entry-level role, and it never will be,” he said.

But not everyone sees the need for a so-called “software supply chain security expert”—among them John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company. “Every time there is a new problem, industry responds by assuming a new specialty needs to be created,” he said.

From Bambenek’s standpoint, software supply chain security is no different than other forms of information security—it’s simply a new manifestation of the same problem. “But I am sure companies are going to want to hire ‘entry level’ supply chain security professionals with 10 years of experience, despite our awareness of the problem being only a couple of years old, and then be shocked they can’t find anyone,” he added.