RCR 159: Quick-Start Guide for Cybersecurity Supply Chain Risk Management (C-SCRM)
Feb 03, 2025
Unlock the secrets to safeguarding your business in today's volatile supply chain landscape. On this episode of the Reduce Cyber Risk Podcast, hosted by Shon Gerber, we take you on a journey through the intricacies of cybersecurity in supply chains. With rapid technological advancements and the rise of AI models like DeepSeek, businesses must navigate data security challenges like never before. You'll discover why countries such as Italy are limiting these AI tools and learn how to balance innovation with caution to protect sensitive data from potential threats.
Embark on a comprehensive guide to establishing a robust Cyber Supply Chain Risk Management (C-SCRM) program. Together, we'll explore strategies to secure stakeholder buy-in and cultivate organizational awareness through tailored training initiatives. By aligning your C-SCRM goals with your mission and compliance requirements, especially if you're handling government contracts or operating within the financial sector, you can proactively guard against cyber threats. Prioritize critical assets and integrate C-SCRM into vendor selection to mitigate vulnerabilities across third-party relationships.
For businesses lacking internal cybersecurity resources, resourceful strategies are at your fingertips. From harnessing the power of online tools like Google and ChatGPT to leveraging expert consulting services, we offer insights into fortifying your defenses. Dive into the wealth of resources available at ReduceCyberRisk.com, including free materials and training opportunities for IT teams. Whether you're taking your first steps or refining your existing measures, this episode equips you with the knowledge to strengthen your cybersecurity posture and safeguard your organization against evolving threats.
TRANSCRIPT
Welcome to the Reduce Cyber Risk Podcast, where we provide you the cybersecurity training, tools and expertise you need to protect your company from the evil hacker horde. Hi, my name is Shon Gerber and I'm your host for this action-packed and informative podcast. Join me each week as I provide the information you need to secure and protect your organization and reduce your cybersecurity risk. All right, let's get started. Give it up, hey y'all, it's Shon Gerber with Reduce Cyber Risk Podcast, and today we are going to be chatting about some different aspects related to the supply chain. Now, if you haven't been connected with what the supply chain risk aspects are, it's something you really need to be considering if you own a business, especially if your business is highly dependent upon the overall supply chain. So we're going to get into some of that today at the Reduce Cyber Risk podcast, but before we do, there is an article I kind of wanted to bring up to you all about DeepSeek. Now I'm in Buffalo, New York, today, so I'm having a good time and enjoying the snow. So it's just amazing. Actually, I don't like snow. Snow's way too cold. But I saw some interesting information around DeepSeek and kind of wanted to bring this up to you and let you know a little bit about it. So if you're not really connected with DeepSeek and just kind of understand a little bit, that hit the news.
Speaker 1:
DeepSeek is a chat bot slash, not chat bot, it's like ChatGPT, it's an LLM, it's a language learning model that was recently released as of just a few days ago and when this was recorded and it's a Chinese variant and it's based on open source capabilities and you can actually look at the software behind it. But one of the big concerns that they have is one it's Chinese based and, two, the fact that where is the data going. Many people don't quite totally understand what is the data being harvested for DeepSeek? So its design is very specifically, very similar to the overall ChatGPT model. So if you're connected with that, it's something. You can go online, you can put in all kinds of great information and get great information back. So I would say, if you own a business, it's something you should consider utilizing is these various language learning models or, in some cases, AI. But what's happened is, now that DeepSeek has come out, it's been able to surpass ChatGPT in its capability with a lot less of the computing power that has been brought on to create the overall AI models that are out there. And one of the things if you have NVIDIA stock, you've probably realized that your stock is worth a lot less, because DeepSeek hit the market and can do very similar functionality as ChatGPT, but in much fraction of the cost. So it's causing a lot of waves. But because it is a Chinese-based system, there is a lot of concern around what are they doing with the data and how is this data being regulated? Well, it's not being regulated. So that's one thing.
Speaker 1:
Second thing, though, is that this article I have in the Guardian talks about DeepSeek being blocked from the app stores in Italy amid its concern around data use. That has always been a concern related to cybersecurity is the fact that if you are utilizing these LLMs or these AI models, what is going to happen with the data that's being added to it and what? A lot of enterprises will not allow these large language models to be used within the organization because of the fact that they don't know where the data is going and what is being. Because of these models, they learn off of data being put in. Well, if you start putting in data that's potentially sensitive to your organization, that can cause even more issues. So this article kind of talks about how the fact is that the UK government on Tuesday that it's telling its citizens that it's not sure if they want to use the app. They're monitoring any national security threat that could be coming from this app. But the Italian regulators basically said you know what, because of this situation, we are going to limit its use within the country. So just considering the fact is that the DeepSeek model is going to be, in today's world, much greater than it ever has been, and because of these AI models and these LLMs are growing at a very fast rate, you can expect that there's going to be a lot of change in the near future.
Speaker 1:
So all I wanted to tell you with this is just keep in mind, if you are putting any of your data into these models, you may want to be considering is that a good thing to do? If you have employees, you may want to question and maybe even put out a policy if you're going to allow or not allow the use of ChatGPT or even DeepSeek for your business. So again, I would go out and check it out, get a reading on it. Bottom line is there's gonna be a lot of confusion about this and a lot of questions related to the use of these models, and I would say, from a security perspective, I would be very hesitant on adding anything as far as confidential data into these models. I would avoid it at all costs until you can figure out what is something that's best for you and your organization. Obviously, normal searching is one thing, but the moment that you start allowing it within your organization, you can expect that your employees will start using it, they'll see the value out of it and then they will start putting more sensitive data into these systems and you won't be able to control it. So something to think about as you are moving your business forward.
Speaker 1:
Well, so today we are going to be talking about some different aspects related to supply chain. So if you've been connecting with my other podcast on CISSP training, this was very similar. We talk about supply chain a lot in there as well, and one of the things this is kind of a quick start guide on supply chain risk management and what you should be concerned about. So what is supply chain risk management? So when you're dealing with supply chains, right, say, you own a business that is in the plumbing business. So I'm saying that because I have a small little tiny Vrbo that my wife and I have that we rent out and because of that I have some plumbing challenges recently because it's like a hundred years old. So let's just say, hypothetically, you have a plumbing business and you need certain types of parts to make your business work, and they might be certain connectors, they might be something that's very proprietary, but at the end of the day, you don't have all of this within your organization, within your company. So you will sometimes buy this data or not data, these tools or pieces of equipment and have them brought directly into your company. You purchase them and instead of going to Lowe's, you may buy them from a different type of reseller. Well, that's your supply chain, right? So your supply chain is.
Speaker 1:
You are dependent in many cases on the supply chain within your company. So what is one thing that attackers will do? Well, they will go after the supply chains. Because if they go after the supply chains, what can happen? It can potentially limit your business capabilities, and if they can affect the overall supply chain within your company, now they can affect your bottom line. They can potentially take you out of the market.
Speaker 1:
There's a lot of things that can happen when these types of attacks. The other thing around supply chains is, in many cases you may have a really strong cybersecurity posture, but the folks that are providing the supplies to you may not be quite so in depth, and so therefore, they run the risk of, one, disrupting your overall product flow. But two, if you have connections into these networks say, for instance, you have a third party that manages your network, say they're an IT vendor and they connect into your company, they can control it remotely, and what ends up happening is as well you know what they you can't connect to this computer because, or they can't connect to you because they were attacked and that's a supply chain risk, but that they could, someone could attack this third party and then burrow their way into your organization. So all of these factors can affect you and your company. So it's imperative that you have a good understanding of what is the risk to your company and how do you mitigate it. So the purpose of this is, again, this checklist is to provide organizations with a streamlined approach to initiating supply chain risk management, and you'll see the acronym C-SCRM and you may see that floating out there. Now, if you're a business owner and you're not the cyber guy, you're probably going yeah, I'll never see that, and that may be the case, but your IT people may and they may bring this to you.
Speaker 1:
It really emphasizes the importance of securing the overall supply chain and the processes to reduce the vulnerabilities that could potentially occur due to adversaries. What could they exploit? It will cover the foundational principles and the practical steps for implementing this within your organization, based on the National Institute of Standards and Technology guidelines, and it's intended for organizations of all sizes, across all sectors and, again, it gives them a very scalable type solution. So what does this mean? Well, it identifies and assesses and mitigates the risk of your overall supply chain that could affect your company from a cybersecurity or operational resilience standpoint. Now we talk about operational resilience. What is that? It basically means is that if you produce widgets, you have the ability to be resilient to a cybersecurity attack utilizing so that you can produce more widgets. That is operational resilience: operationally running operations and it's resilient, meaning it can take a beating and keeps on ticking. That's the resilience piece of this.
Speaker 1:
So the key risks that would include data breaches, counterfeit components, malicious software, insider threats and third-party vulnerabilities. All of that can fall within your supply chain. Now counterfeit components. One example of this that we've seen in the past is that there are numerous Cisco. We use Cisco as a networking capability and they have all kinds of switches, they have routers, they have all kinds of great stuff for your networking of your IT infrastructure. But I had a situation when I was working with a company that they had a router or a switch that came in and come to find out it was actually labeled as a Cisco switch but it was counterfeit, which means it did not have the overall internal organism or internal pieces that made it a Cisco switch. So you'll have counterfeit components. All of these things can happen if you don't have good control of your cybersecurity or of your overall supply chain. So now some key objectives of the C-SCRM is again ensuring confidentiality, integrity and availability of your overall supply chain, and we talk about this in the security space. Is CIA or the CIA triad, is ensuring that your supply chain is good to go. It maintains that we also want to.
Speaker 1:
The purpose of the C-SCRM is the fact that you have resilience throughout this, so it'll help avoid disruptions due to a cyber attack that could happen within your company. Now it could be where the cyber attack is actually trying to steal data or it is trying to nuke the overall environment and just basically cause chaos and pandemonium. It's also to build trust with customers and partners, showing that you have a plan in place and you have security practices in place. I have been in many different calls with third parties and asking them these very direct questions of going, do you have a plan? And then you hit the quiet silence on the phone and it's deadly quiet and you're like, uh, yeah, so when they don't respond right away with, oh yes, we have a plan and here it is, then I start to wonder going, yeah, they don't have a plan. And if they don't have a plan, then how does that affect me? And then you have to ask yourself do you want to use them as a critical supplier? Now the question that may also come into play is you may not have a choice, so you go, I got nothing better to do. So then you work with these partners to help them solidify or strengthen their cybersecurity practices, and it's a mutual benefit between organizations if you can do that, but it does take resources to make that happen.
Speaker 1:
So when you're establishing a C-SCRM program, there's some key steps to consider. One is you build organizational awareness and support. Now this is where you have to meet with the stakeholders, the business owners, and this includes all types of leadership, procurement, IT, risk management, teams, you name it. Now, if you're a small business, you're going yeah, yeah, you're laughing, going, I got any of that, that's okay. The main point is that you have key people in places that you need to have a communication with and ask them. It could be on the machine floor, where you have parts that are coming in from a supplier and you talk to this person and you say, hey, who is our supplier? Well, our supplier is X, okay. Have we ever had any issues? Well, yeah, they got hacked about two weeks ago, okay. So then you hear questions and you have to start asking deeper questions and try to get answers. The other thing around it helps foster awareness through training and workshops and it basically helps demonstrate the importance of supply chain security.
Speaker 1:
And again, you might be all saying this is just one more thing that I have to do and guess what you are right now. There might not be regulations specifically for your business around this. But it's just good business sense. If you've worked very hard to create a company and you're making good money and you've created that for you and your family, and now a cyber attack occurs and takes it out and you basically, potentially, can lose your company and yes, that has happened and it will happen in the future Then it's something you may want to consider and take seriously, now that you define your goals and objectives. Actually, I should go back one more point. You also develop a business case to help the executives understand the buy-in and outline the potential risks and their impacts. It's an important factor in doing this, putting this in place and it's easy to do.
Speaker 1:
Right, you can Google all the different issues that have occurred within companies related to cybersecurity attacks and people may say, oh yeah, that happens to others, but it won't happen to me. That is a terrible way to run a business. If you got to a business that has been successful and you're going yeah, I can make this widget, but my competitors might get to it before me, so I'm just not going to do it and that's not how you run a business. It's the same thing, right? You have to be able to understand the risk. Now you may, in your company, go you know what. I'm truly not worried about this risk and there might be a reason why you're not worried about it, and that's fine, no big deal. But the ultimate point is that you understand what you're actually signing off on and if you agree to it. Now, this is making educated decisions versus just going, yeah, it won't happen to me because I'm too small, that doesn't matter, it will happen to you, most likely. Just again, statistics are there, it will. If it doesn't get you now and it doesn't get you next year, it will get you at some point Again.
Speaker 1:
Step two is defining the goals and objectives. Now this is to align the program objectives with the mission, the compliance requirements and business continuity goals for your organization. Now, you may not have compliance requirements, but in the United States, if you're working with the government, depending upon the capability, you may have what they call CMMC requirements, and there are compliance requirements based around understanding your supply chain. If you're dealing in the financial industry, you've got to understand your supply chain. All of these are key factors in overall running a business. It also will help you prioritize the protections of your critical asset systems and suppliers.
Speaker 1:
I come back to is even you can try to protect everything within your organization and you will spend gobs of money doing it and you may actually be able to do it, but in most cases, people do not have the ability to protect everything within their organization. So that is where you come down to understanding your critical assets, your critical systems and your critical suppliers within your company. And by understanding all of these key aspects, you can then focus on protecting the things that are most critical to your organization and not just basically throwing money after everything, because, as we all know, it's hard enough to make a profit and your margins aren't huge. So what do you have to do? You have to be very judicious with your resources, and one of those is focusing on just the critical asset, systems and suppliers. That doesn't mean you can't expand that in the future, but short term, that's what I would do.
Speaker 1:
Step three is you integrate the C-SCRM into existing processes. So if you have procurement processes, how do you do vendor selections? Do you have a security assessment questionnaire that you provide them? Do you go out and meet these different companies just to actually do like a mini audit of them? All of these things I have done on supply, on third-party vendors, and guess what? Every time I do it, I find something new. So I would highly recommend that if you have a critical business, if you are tied to a critical supplier for your business, and if you haven't gone through this, you are really setting yourself up for some potential heartburn in the future. So again, word of warning, this is expensive advice I'm giving you. You can pay a lot of money to get this advice from some other guy or gal, but really, what it comes right down to, if you are reliant on a third party to be your supplier and it has critical applications within your company that are required by this supplier, or you have critical applications that you're really worried about, you need to really understand this overall process. Again, take it for what it's worth, but I'll tell you right now that that's some expensive advice that you just got on this podcast.
Speaker 1:
Develop a cross-functional workflow. Ensure that you have consistent applications that are based around the SCRM principles and again, it's all understanding what's within your organization. If you don't know what's within your organization, it's really hard to protect it. Now some key practices for an effective implementation. One is identifying your risk.
Speaker 1:
Develop an inventory of critical suppliers, subcontractors and products, like I mentioned just a minute ago. Understand who those folks are. You may not know that right, you may go. All of my suppliers are critical. That would not be correct. Not everybody within your company is a critical supplier. Can you live without the toilet paper supplier? Most likely, unless you are a toilet paper manufacturing company, I guess, but realistically you could do that. So not everybody is a critical supplier to your company. Not all of your subcontractors, individuals, are critical to your organization, unless you hire them for reduced cyber risk, and of course then they will be critical to your organization. No, just kidding, but again, products as well, all of those things you got to deem whether they're critical or not.
Speaker 1:
You need to identify dependencies and single points of failure within the supply chain. Okay, I've seen this too many times. You have this plan and guess what? Oh, because this one server sitting in this warehouse, in one location that no one even knew existed is the key to your overall supply chain, goes down. And then everybody's like, oh, now what do we do? First they've got to find it, and then they got to figure out. Oh wait, it's a 1995 system, it's Windows 95. Oh, what are we going to do. I don't know. So again, that has happened and I say that out of experience.
Speaker 1:
You need to evaluate the geopolitical, operational and technical risks that may affect the supply chain security. If you're getting stuff from China, what happens if we get in a shooting war with China? What happens if you're getting your stuff from Russia and we are in a shooting war potentially with them in the future? How does that affect everything? Oh yeah, it can get very complicated very quickly.
Speaker 1:
You need to do a risk assessment and analysis, again using tools like a risk heat map or assessment frameworks to help you evaluate supplier. Risk is an important factor. Now here's one thing I will say with this: keep it simple, silly, or you don't have to, but I just keep it simple, I just really do. Now, you may want to start off on a simple kind of assessment and then you'll grow it and build it over time. But just getting started, just having a very basic assessment obviously more than three questions, but having an assessment that is more or less a foundational piece is an important factor and you want to build that out. You can always add to it at a later time.
Speaker 1:
You also then need to quantify the impact and the potential likelihood of the risks and prioritize how you're going to mitigate this. Which ones are we going to go after first, second and third? Again, focus on no more than three activities. I would highly recommend keep your assessment frameworks and your assessment questionnaires at a smaller amount and then leverage threat intelligence to stay informed about any potential emerging supply chain threats. And really what that means is that if you are in the manufacturing space and let's say you're in the manufacturing space for I don't know, weapons that are going to Ukraine, well, okay, obviously that would be something that would be a supply chain that the Russians would like to disrupt. So if that's the case, then you would want to make sure that you are connected, that the Russians are trying to impact the supply chain for missile systems going into the Ukraine. Yeah, that's a lot, but you understand what I'm getting at. The ultimate goal is just understanding what is the threat and what is the risk to your organization.
Speaker 1:
Okay, so, as we follow along with the additional key practices, one of the things is mitigation strategies. Do you have a good mitigation strategy, suppliers to adhere to these various security standards and do you employ redundancy by diversifying your suppliers for critical components, basically meaning that you don't buy all your critical components from one supplier. You may buy them from various other suppliers so that, if one goes down, you still have the ability to get what you need. That isn't always the case. Sometimes you have a supplier of one, and so therefore, it behooves you to work in conjunction and partnership with the supplier, especially if it's critical for your company and your organization. Critical or continuous monitoring. Another factor is you want to have automated systems to monitor supply performance and detect anomalies, yeah, problems, supposedly it's something to detect problems in real time. It's an important factor, right? You want to have some way of monitoring what's going on within your organization.
Speaker 1:
You want to conduct periodic reviews of your contracts. Yes, I've seen this too many times where you had a contract or managed service or master service agreement that's been in place with multiple people, and in there you didn't have any language about cybersecurity, but the master service agreement just keeps going and going and going and guess what? Then they get breached and you go to your MSA going, ha-ha, I'm going to pull my MSA out and show how vulnerable they are. They didn't have their cyber insurance, they didn't do this, they didn't do that. And you go to it and it says nothing about cybersecurity and guess what? Or the protection of your data, and then now you are up the creek without a paddle. So, yes, that is an important part: conduct periodic reviews of supplier contracts in compliance with the security requirements. Again, understand the contracts that you have in place and then update risk profiles on changes based on the specific landscape. It's an important part of understanding what's going on within your organization and within your business.
Speaker 1:
Some tools that might be available to you you want frameworks and standards, right, you want to focus on these frameworks and these standards and you're going to go okay, more paperwork. I get it. Yeah. So there's a special publication 800-161, and this is a comprehensive guide to understanding SCRM and you want to look at it. It will walk you through this process. Now, it may be a little confusing and you can one work your way through it, or you can hire a consultant. There's other different ways to help you with that, but then you also can integrate the principles that are in the NIST cybersecurity framework or the CSF. So this deals with identity, protect, identify, protect, detect, respond and recover.
Speaker 1:
Now the point of all this is is just that there are tools out there to help you build your own program. If you don't have one in place, look at these. If you don't want to pay for someone to do it for you, there's plenty of things out there free services that can help you do this, and by using ChatGPT, it can probably even help you, give you a good understanding of how to build one out, how to set it up. So I'd highly recommend that you use these resources for you. You also want to make sure it aligns with additional standards like the ISO or IEC 2736, which is for information security, for supplier relationships, and it'll kind of bring up some different questions that you may want to ask your suppliers as you're moving forward.
Speaker 1:
Some other tools you may want to consider is, again, supply chain mapping tools to visualize supplier relationships and potential dependencies, and this can be done in a lot of different ways. One it can be done with a very Gucci tool that you pay a lot of money for. It can be done with a spreadsheet. A lot of it just really comes into how many relationships do you have and how big of an organization do you have? Adopt risk management software to track, score, prioritize risks and so forth Again, another great tool.
Speaker 1:
But I've used spreadsheets as well. You have to decide if you want to have a, and I would recommend, if you have never done anything like this, maybe start off small with a spreadsheet. Start off with the ability just to kind of start documenting some of these things and then, as you get deeper into it and realize, okay, this is a much bigger animal than I had anticipated then purchase these different types of software to help you make your process a bit easier. You want to implement continuous vulnerability scanning for software and hardware within the supply chain, and what that basically also means is that if you have software or hardware that is tied to your supply chain, that you scan them regularly. And then also making sure that you have good business continuity and disaster recovery plans for these systems, especially if they're critical. You need to make sure you have a resiliency built into this. It's a very important part.
Speaker 1:
Now some roadmap when you're dealing with overall SCRM maturity. You have your short-term, mid-term and long-term objectives, your short-term actions. This would be conduct initial risk assessment, like we mentioned earlier, on high-impact suppliers and assets. You want to establish a baseline inventory of all of your supply chain components and their criticality. Now, if you can't do this and you're like, oh my gosh, this is way too much, I can't do it, fine, that's okay, not a big deal, because at the end of the day, as long as you don't have some regulator breathing down your neck, you have time right Until you get hacked. Then you don't have time, but let's just say hypothetically, you're not getting hacked anytime in your future.
Speaker 1:
Do a baseline of some of your most critical components within your company. Start there, and if you know they're critical, then they're critical. If they're like, yeah, maybe, then you might want to consider putting it down or maybe not, but at the end of the day, focus specifically on your most critical pieces of components within your organization. Develop communication protocols for supply chain incidents. Ah, yes, do recommend this. I worked with legal on this, especially when I had third parties that would reach out to me. How would you engage them from a legal perspective, what is the language and how would your lawyers draft that up to them and we would say we preempted this, sending this to all of our suppliers going hey, by the way, if this happens, X, Y and Z, please let us know. Also, if you'd let us know, we can also help save. The fact is that if you don't let us know, then it gets really ugly when it comes to litigation. Yeah, all those things and that's an important part you want to develop that have it done.
Speaker 1:
Next, midterm goals, again, within the short term do that within the next I would say, the next month to three months. Get that done. Midterm goals within the next six months to a year. Formalize a vendor management program with clear security requirements. Deploy tools for continuous monitoring and incident response, which may take longer than six months. Enhance collaboration with suppliers to align shared security goals. Again, working with them to help you, to help them, to help you. That's the goal and that may take a little while and it may take some education, but you know what you can do is you can bring them over. You can send them this deck or actually send them this video and show it to them. Say, hey, check this out and see what you think, because at the end of it, when they listen to it, they go well, maybe that's a good idea, they might not, and that's okay, that's on them. But uh, yeah, just kind of see how that plays out.
Speaker 1:
Long-term objectives. They need to fully integrate this into the enterprise risk management process. Depending on the size of your organization, you may have this, you may not, but you want to build something out. You want to establish a culture of security awareness across all levels of the supply chain, both internal and external to your organization. Let them know that, Houston, we have a problem, and that they could help fix the problem or they could be part of the problem. You need to have them understand this overall plan.
Speaker 1:
Continuously adapt the program to address your emerging threats and any sort of regulatory requirements that may be in your future or something you have to deal with. So, as we break this down, what does this mean? Okay, so the key takeaway is that a proactive supply chain risk management program is essential. Highlight, underline, bold all that. Yes, it's essential for protecting against any sort of cybersecurity threats and or disruptions. Doesn't mean it won't. Even if you have this, doesn't mean you're going to come out unscathed, right? You still may get in trouble with it, but, that being said, you have a much better time to be able to recover quickly with the least amount of disruption to your organization if you have these things in place. Also, collaboration across internal teams with external suppliers is critical for the program's success.
Speaker 1:
Again, you got to talk. Most IT folks, they don't like to talk to anybody. They don't, they don't want to do it. They just like to sit in their corner, eat their pizza and hit program, do whatever they're going to do. They don't want to talk. Well, for this to work, you got to talk. And so, if you are listening to this and you're a business owner, get with your IT teams and say, okay, we need to talk and we need to figure this out, and I'm here to help you, but at the end of the day, it's your responsibility or somebody else's within your organization. Tag somebody. That's their responsibility.
Speaker 1:
The next steps would be beginning with the foundational steps, like building awareness and conducting risk assessments. Next steps: leverage the guidelines out of NIST to create a structured approach to SCRM and then continuously refine and mature the program through ongoing assessments and updates. Again, have a program in place to do this. Give up zero to three months. Then you have three to six months, six months to a year and then a year on. Those are kind of the plans you need to look at.
Speaker 1:
If you don't have the resources within your organization, Google it. If you use ChatGPT, watch videos. If none of that works for you, hire a consultant to help you build it. But even if a consultant helps you build it, at the end of all of that you've got to make sure that you implement and you put into practice what they're recommending that you do.
Speaker 1:
Okay, see, there's just some of the references for this little chat we had here today, but I hope you like it. Go to ReduceCyberRisk.com, check it out. I've got some free stuff out there for you as well. Also, if you have employees that need to be trained, you can go to CISSP Cyber Training, and there's training for the CISSP for some of your IT folks, and it's a great opportunity for you there as well. If you need consulting services, reach out to me at CISSP Cyber, or I should say, ReduceCyberRisk.com, and I'm happy to help you out with that as well. All right, I hope you all.