In this episode, we discuss digital supply chain governance and compliance, featuring Josh Marpet from Guarded Risk, hosted by Paul Asadoorian and Allan Alford. Specifically, we discuss:

• The importance of understanding and complying with regulations affecting digital supply chains, such as Executive Order 14028 and the NIST Cybersecurity Framework.
• The podcast highlighted the impact of EU regulations, like CRA, GDPR, and DORA, on global businesses, underscoring the shared responsibility model in data security.
• Vendors' duties in open-source security and software vulnerability management were discussed, with a call for automation in software inventory and security, including the use of SBOMs.
• The conversation included strategies for effective supply chain risk management, advising regular updates, and understanding the interconnectedness of vulnerabilities.
• International compliance, particularly with EU data security laws, presents operational challenges and necessitates robust cybersecurity measures.
• Proactive vendor communication and automated processes are crucial for managing cybersecurity threats efficiently.

• Continuous risk assessment is preferred over periodic checks, with an emphasis on a nuanced approach to cybersecurity risk management.

• (00:00) - Digital Supply Chain Governance Compliance

• (14:08) - EU Regulations on Data Security

• (21:38) - Responsibility of Vendors in Open Source

• (27:49) - Supply Chain Risk Management Program Advice

• (39:01) - Automating Software Inventory and Security

This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more!

Show Notes: https://securityweekly.com/bts-27