Boring On - Security, Walking the Talk

Boring On - Episode 2: Exploring Trust

Bores Group Ltd Season 1 Episode 2


In this second episode with a new location, new gimbal, new topic, and the same people as the first we explore trust and due diligence in the supply chain - of products, and information.

Watch at https://www.youtube.com/@BoringOnPodcast

James:

Right. Welcome to the second trial experimental episode of The Boring On Walking the Talk in Security podcast. I'm the same host as last time, James Bore. This is the same guest as last time, Chris Bore. Hi. And this time we're going to be talking about a topic that's come up in discussions quite a lot recently at various conferences I've spoken at. Uh, on supply chain security and

Chris:

trust. Yeah. Not just in conferences. I think everybody's talking about it at the moment, aren't they? So, so if you've got a supplier relationship set up, and I can give you an anecdote on this from our own family business, 'cause years ago we had a supplier who we'd worked with quite a lot for a software package and, um, we weren't the sole supplier, and they changed that supply chain to introduce an intermediary, and the intermediary was also someone we'd worked with and trusted. We weren't that happy about it, but there was a question of the discounts that were afforded and whether we should be given a discount by the new intermediary, and I was told that we couldn't because they did not receive a discount from the original supplier. It's complicated, I know. But when we opened the first package that came to us, we found an invoice which showed that they'd lied. Now, the interesting thing in this is that we depended on them for a large part of our income. They depended on us for most of their UK sales, but I made the decision that we would never deal with them again, ever. And we stuck to that and took a financial hit for it. And the interesting thing, I think, is that if you have a problem in your supply chain, you're building a relationship that's supposed to be a relationship of trust that lasts. If that trust is breached, if there's a betrayal, it may not be the most sensible response to completely walk away from it, but we are people, we're human beings. And we did, and I'm just interested in what your thoughts on that are, because you know, you now run the family business. If you feel that one of your suppliers is untrustworthy, do you go with the human response of, I'm walking away from this and I'm taking all the damage that comes from it? Or is there a more mature response that would be better and more pragmatic?

James:

So it's a difficult one because one of the things about security that people often miss is it's sort of based on trust, but actually security controls are about controlling for lack of trust. So they are about what you do when you can't trust, how you maintain a relationship, how you maintain a supply chain, when you can't simply take the parties involved at their word. You know, you have to audit it. You have to do your due diligence. You have to check. You have to monitor things, which increases expense, does all sorts of other things, and they can always lie to you through that. We've had that plenty of times with due diligence checks. We've seen people filling in false reports. We've seen most of the major audit companies across the world fined on a regular basis for ethical breaches. Yes. So we know that in the absence of trust, things go very wrong quite dramatically.

Chris:

So part of that is to establish the trust in the first place. Now, when we first started dealing with companies in Japan, it was pointed out to me very carefully that the first few meetings with Japanese potential colleagues would seem to go nowhere. We'd talk about inconsequential things, well, not inconsequential things. You know, how is your wife, how are your children? Where did you go on holiday? All sorts of small talk. And you would do that for like three meetings and then suddenly, bang, you'd begin to do business. And it was explained to me that those people were seeing if they trusted you first. Now, I also worked with Americans, and they're topical at the moment because my experience with them is that they would, quite often, well always, in every case I worked with them, they would just go in like a bull in a china shop. You know, what are our outcomes from this meeting? You know, what are we gonna agree on? What are your red lines? And this was like the first approach. And that wasn't building trust. That was, I suppose it was like ignoring it. And I enjoyed the Japanese style because it seemed like an older-fashioned English style where you would know people and who they were and meet with them socially to some extent. And so you felt you could do business with them, but we weren't very formal about it, you know, so there are flaws in that, because I can be completely misled because I like somebody or get on well with them. That's the old boy network and it doesn't work. But, so we need something much more formal than that, don't we? Supply chain management, due diligence. Actually verifying, and checks and balances and consequences, I suppose.

James:

Yeah, so that's, that is the whole supply chain security. It's this mix of the informal getting to know someone, you know, can you trust them to keep their word and, well, I can't trust them that far. And really that applies when you're doing personnel security or anything else. It's not just cyber or technological. What, but it is a really difficult problem to solve. I mean, running a family business, we've got a fairly strong and reliable presumption that yeah, we can trust each other to have our general best interests at heart, not to try to screw each other over, but if you look at some family businesses you see it's completely different, with infighting. There's a popular series called Succession, which is based on a certain media empire and the trophe there, and it is just really difficult to deal with. The thing is though, let's go back to your first example where you were talking about that example of a supplier who clearly breached trust. And you then decided, no, we're severing all contact. Here's an important thing: when you have a link in the chain who has shown that they are unreliable, that they are actively malicious or actively self-interested, and their interests do not align with yours, at that point, severing links is often the best thing to do because you will always be doubting them from then on. And the amount of checks you have to do to be certain, yes, are ridiculous. You've got diminishing returns. You can constantly put more security in. Yeah. But you will rapidly run out of time and effort and money before you establish, yeah, I can really trust you. All due diligence is about, am I reasonably sure? The moment someone's gone, you cannot be sure of me, due diligence is meaningless. You know that they will lie. You know that they will cheat. You know that they will deceive you, and that breaks the whole model.

Chris:

And so I've been involved quite a lot in due diligence on the technical side, where essentially you are brought in to judge on the viability of a technology, and it's usually in like a startup phase, so that there's investors coming on board and they want to know if their investment is actually valid, what that is. Something's unhappy and the wildlife is around and. I've always found that quite interesting because inevitably that is also based on trust, usually for someone like me. So it's like the investor is saying to me, do I trust you? How can I trust you to be the trustworthy link? And it's like a sort of endless chain, isn't it? Which brings me to a question which isn't directly related, and I think I know the answer to this, and that is things like the blockchain. Yeah. So a chain of trust is, I trust you and I've built that. And then there's a, there's a whole line of these things, which we've probably audited informally or formally. But blockchain isn't quite like that, is it?

James:

No. And when I was helping to build the curriculum cap lock, one of the things I really wanted to get in there, which was in the early curriculum, was about the different trust architectures you can have. So there's web of trust, which is very much word of mouth, old boys network. It's, I trust them because you trust them and I trust you. There's the more hierarchical model, which is, I trust them because the big boss says to, ah, yeah, yes. Or because the big boss says to trust this big boss here, and that big boss says to. And then there's things like blockchain, which is, it's an interesting one, because with something like blockchain, you trust them because the general consensus of the people who own the infrastructure or own the assets that are recorded by that blockchain and that process have agreed that that's what happened. Because really it is this whole idea of a public ledger. So it's a public audit record of what happened, what transactions happened, who owns an asset, or which address owns an asset.

Chris:

So audit trails are one of my favorite things. It's like from my metrology career: if there isn't an audit trail, it's not a measurement. So that's where I'm calibrating, you know, I, I'm, I've got an instrument, I want to know when it was calibrated, by what equipment it was calibrated against. And I want that recorded all the way back. You know, so for example, if it's measuring distance, one of the things I built was called a distant var. Very accurate measurement of a half meter using a platinum-iridium cable. And that was calibrated against a standard meter rule that was kept in temperature-controlled conditions. And that was calibrated each year by being transported back to Paris to be checked against theirs. And that was the process that was gone through. But there was also a trail. So you needed to have that all recorded. And now we've moved into a more regulated environment where we audit things like your supplier trail, don't we? You don't just accept it on the basis of Chris says he's a good guy. You want to go back and say, well, how was this done? What was this done? But in a way, not many of those things are to do with trust, are they? They're to do with being able to prove that you actually implement processes and procedures. They're, and I don't necessarily trust you. Well, they're, they're an alternative

James:

to trust. If I, if I actually trusted you, if I felt I could trust you fully, then I don't necessarily need to do those things to the same degree. Now, it doesn't mean because I'm doing them, I don't trust you, but it does mean I don't need to. So there is a balance between the two. There is still trust involved, but it reduces the level, and that's particularly useful when you don't know all of the parties involved. But having said that, with this audit trail, yes, in theory we audit suppliers. In theory, we do all of these checks, all of these compliances. You know, we look at regulations. In practice, we know that that doesn't happen or isn't effective. We know that these are often deceived, that they are often fooled, ignored. You know, I've, I've known people who will quite happily lie on a security due diligence questionnaire. I've been put in a position before where I ended up leaving a job because my choices were either leave or lie on a PCI DSS compliance questionnaire, a self-assessment one, and I'm sure that whoever came along to replace me did lie on it. Yes. But it's one of those things where there's, there's a limit to what you can do, and when you are trying to replace fundamental trust with these things, that, that gets extremely dangerous.

Chris:

Yes. And it, I feel it's difficult because I, I suspect it's an impossible problem, because at the end of it are eventually people and you have to be able to trust individuals. You can't trust a company. You'll have to trust an actual person, I think. I mean, that might sound a bit old fashioned perhaps, but it has to go back to somewhere where you've established it and convinced yourself of it. I'm not quite sure how it can be proven. You could look at a track record, so if you have a supplier or an NRI who then betrays you, for example. Yeah. Someone's critical to your supply chain. They're providing you with critical manufacturing equipment and then for some reason they decline to service that or to allow you spare parts or to, you know, so, so in a sense they've got you over a barrel and they try to exploit that either just to harm you or to extort from you. And you can see that could happen, but I don't see how a procedure being proven in the past can prevent that happening, because some, you know, the company could always change their actual procedure, their actual policy, couldn't they? And some, at some point you have to be able to say, yes, we've audited you, we've checked it all up. But that's like proving you're not a criminal, but then all you're doing is at some point someone takes over who is,

James:

yeah, there's, there's always the possibility of someone acting in bad faith. And this is another of the problems that comes in, 'cause people do. I mean, supply due diligence is very flawed anyway. The average supply due diligence is little more than a 200 page questionnaire or 200 question Excel spreadsheet. Yeah. And that, that doesn't tell you much. So we've already got a problem there. But then you add to that, that that's sent once a year. Well, a lot changes in a year. And if the person who's doing it is their quality or test manager who actually does everything by the book, works really hard to get it right, and they move on in that year, and they're replaced by someone who, let's say, doesn't have the same competency, let alone is malevolent, but is not necessarily as competent. How do you pick that up? And the answer is you, you often don't. So there is just this presumption that you have to work with to operate in a world where we've got these very complex supply chains: you have to just say, well, I hope it's good enough and I'm going to have to trust them, otherwise I can't do anything. Right. It shouldn't be that way. And there are ways to improve it, but you need everyone to sign up to them. And when we're talking about due diligence, a lot of it now is done with tools which are sold to make your due diligence easy, right? So they de-skill it. And the people you want doing audit, the people you want doing due diligence, are the people who are good at audit and due diligence and interviewing and picking up that, that doesn't sound quite right, and understand the process. Yes. Okay. But the people who are now put in place to do it, yes, often aren't people with that expertise. And it's a huge problem. I don't know how to fix, I mean, we do due diligence for people. Yes. Because we do have that expertise and we've, we've picked up some quite shocking things.

Chris:

It's, um, I think it's a personal thing again. So I've watched your sister, my daughter, running audits, and they're usually like a friendly audit to help a company establish, and there's something to do with the way that it's being done. She's very good at it. Much better than I am, 'cause she will kindly ask a question and note the answer to that and move on. And maybe she moves on in a particular direction because of the answer that I got. I've seen a few times where I think, oh my God, really? You, they really failed on that one, didn't they? And she doesn't actually go, wow, okay, let's pursue that because you failed. But it's being noted down. And for those suppliers, it's really, you know, in those cases that I've seen it, where we're trying to help them to grow so that they know that this is the correct response, or better, that yes, you don't know, and therefore you should train yourselves or learn or implement something, you know, more, more robust. But again, I could see that you could easily go through that as a tick box exercise. You know, you've answered all these questions and I didn't note down that at that point you all went, essentially with your body language, oh God, we don't do this. So it's, it comes back to a lot of judgment, doesn't it? Which disturbs me a little bit, 'cause I sort of felt, as time has gone on, that we've moved away from a world where it was all based on people knowing each other. Small, small businesses knowing each other, a handshake, a gentleman's word, and so on. Which literally is the world in which I first started, and into a world where it was more regulated, you know, the regulator imposes certain standards and then we audit against those standards and check them, but at the end of it, that audit isn't necessarily all that useful, is it?

James:

No. I mean, take Cyber Essentials. Cyber Essentials is not, I wouldn't call it bad. It's more complicated than that. It is useful for what it was designed for, which was to be a bare minimum. Now, on top of that, it's a self-assessment questionnaire, which isn't tested against unless you do Cyber Essentials Plus. Yes, it's fairly prescriptive, and prescriptive security is always a bugbear of mine anyway, but we'll ignore that. It's, it's better than nothing. Hmm. But you've got a lot of cases where companies are going, oh, they've got Cyber Essentials. That means we can trust their security with our most sensitive information. Yes. Well, in actual fact, they've got Cyber Essentials. So what that tells you is they've got a bare minimum. It doesn't tell you anything else. It doesn't tell you about how resilient they are. It doesn't tell you anything about the quality of their services, doesn't tell you anything about how they vet employees, right? It doesn't tell you any of the stuff which actually is what will affect your supply chain. Yes.

Chris:

And I suppose in a way, I feel like I'm over-egging it in a way, because I've sort of locked onto this idea that you can only trust a person and, you know, ultimately it comes down to that. We're talking about betrayal of trust. It has to be a person at the end of it, not a system or a computer or something, although components, software architectures are an exact example where components will negotiate with each other according to the contract and whether they've been validated and verified and so on. But the breakdown in trust is quite a late-stage failure, isn't it? If I'm working with a bunch of suppliers and we are working together to adhere to commonly agreed standards and having transparent audits and so on, then actually that's a very healthy relationship. Mostly your problem comes when that starts to break down, and that's quite an extreme circumstance, isn't it? And hopefully, actually quite rare. So I'm focusing quite a lot on that. The, the audits, the due diligence, they are valid. And I agree with you about things like Cyber Essentials, but so long as you take it for what it is, yes, it's a perfectly valid measure. Yeah, it is a valid and useful measure. But if, if at some point somebody is tricking you on that, or worse, has just changed personality or changed leadership, then you can have a very severe problem. And that's the one that I think we're finding is, it doesn't have a readymade system-based

James:

solution. Well, when you have the takeover of an entity that you have trusted in the past. Yes. Okay. And then very quickly, that takeover, that change in leadership, leads to a clear demonstration of unreliable behavior. Yes. You have to assume so; it flags up something where you check it. Yeah. They are now unsafe. Yes. You have to find alternatives. You have to find ways around. You have to consider them, yes, not as a risk, but actually actively as

Chris:

a threat. And so you need to go on, not necessarily a gut feel, but a personal feeling that something is wrong here. So that's what Jenny does in the audits. At that point, something happened that triggers her to think, yes, there's something here that's questionable, and then you can bring that up later and check on it and see what's, yeah. Yeah. So ultimately, again, it comes back down to people, doesn't it? Yes. And it comes back down to the, the client being actually diligent. So me as the client, I have to be aware that these relationships matter, and therefore I need to not just nurture them, but also examine them and say, are we still, and

James:

trustworthy. A large part of the, the most fundamental problem with all of that, and I think this is probably a good point to finish, but it's that there's usually a massive imbalance of power. Ah, yes. You know, when, if you look at the modern supply chain, you've got half a dozen companies who supply the vast majority of business software. Yes. Those companies all sit under the same, largely sit under the same regulatory regime. Yes. Those companies have been demonstrated to have as their primary interest maximizing shareholder value. Yes. And if one of your suppliers is most interested in maximizing shareholder value, yes, they are not the optimum supplier for you. Yeah. So there's, there's a fundamental problem, and it is to do with the way the whole technology, technology ecosystem has built up. Yes. And I don't think it's easily solved, or even solvable, without some fairly radical changes.

Chris:

Yes. Well, so thank God this doesn't apply in international politics. Otherwise we'd really have been in trouble, wouldn't we? I

James:

think that's a good note to end it on.
