SMT007 Magazine

SMT007-Mar2019

Issue link: https://iconnect007.uberflip.com/i/1088168


72 SMT007 MAGAZINE I MARCH 2019

sider if we're in an industry is that no regulation that says I shouldn't test third-party hardware or software or vet my vendors, so I'm not going to do that." If that's the posture we're taking, we're doomed. The thing that I've tried to advocate for is you have to look at this from a risk perspective, and compliance risk is just one input to that risk. When we're looking at supply chain now, I use that as the example of we've had eight years waiting for the standard to be in place, and yet people have neglected supply chain management because they didn't understand the risk associated.

Johnson: So, eight years of exploitation.

Humphreys: Exactly, and who knows what has happened. Again, the hard sell to executives and C-level folks is saying, "Do more than compliance," when there's a punitive component in the electric utility industry that says we just want to be compliant because it's a million dollars a day for the penalty. That scares people to death into just being compliant, and they don't want to do any more than that. But when I say, "The cost you're going to incur later to catch up to these standards and react to it is going to be far more costly than if you had mitigated that at the beginning and had the foresight to say, 'I need to incorporate this as part of my risk. Supply chain management is something that I identify as a risk and a benefit to my organization regardless of any regulatory mandate.'"

Johnson: As an aside, just to stick this in parenthetically, based on what you've been doing, how much work do you do with ITAR, for example?

Humphreys: Probably 25–30% of my work is mapping the regulatory requirements that deal with my other clients to ITAR standards, which is another thing that I specialize in. My clients will have multiple regulations that they have to deal with, but they're all asking the same thing, so I design their consolidated controls framework where I say, "Here's one control that fits many regulations versus siloing off the regulatory programs and designing processes around that. If I say there's an ITAR requirement that fits this NERC CIP one, let's leverage this. If there's a NIST requirement, let's leverage this." Overall, I aim to make a holistic controls framework for that organization that says, "You have a one-to-many control to satisfy multiple regulations, and ITAR is one of those inputs that I look at."

Johnson: For my readers, that tends to be the big element.

Humphreys: Absolutely. But like segregation of duties, network partitioning, data in transit and at rest, and all those things with newer frameworks are derivatives of NIST anyway. My foundation to any program is going to be based on NIST, and I roll everything else up to that because for any of these regulatory things—even internationally—you will see they cited some NIST guide as the basis for it. So, being able to digest that and parse that out to make it tangible based on the size and economy of scale of the entity is kind of where my niche is. You're going to overwhelm people with some small co-op utility out in the middle of nowhere if you tell them, "You need to implement this full NIST program." They will respond, "You're crazy. We can't even spell that." But there's no reason why you can't make a program that's palatable and tangible to meet their risk model from a security perspective.

Johnson: That's great. Let's walk through that as an example. Imagine I have an electronics manufacturing facility doing $15 million a year with an active customer list in the significant four digits; some customers require ITAR capabilities, and others don't. It's a project-by-project deal whether it's ITAR-compliant or not. Most
