NTT announced at the Munich Security Conference that it has joined the Charter of Trust (CoT). Created in 2018 by Siemens, the CoT is an initiative designed to make effective cybersecurity a collective effort rather than the fragmented, single-vendor approach that currently dominates the cybersecurity market. The CoT has a set of principles that are underpinned by Security by Default, and it wants to see common standards for implementing it.
Kai Grunwitz, CEO of NTT Ltd in Germany, said: “It makes us proud to be accepted into the selected circle of the Charter of Trust. We have always been a company that actively shapes digitization.
“This global and cross-industry initiative shares our conviction that digitization can create a better future and make a sustainable contribution to solving social challenges. In addition, cybersecurity is a decisive pillar for digitalization, as it creates the necessary trust.
“As a member of the Charter of Trust, we are committed to contributing to global cybersecurity, both through our own secure ICT services and through cooperation with international partners”.
What are the objectives and principles of the Charter of Trust?
The Charter of Trust has set out three core objectives:
- Protect the data of individuals and companies.
- Prevent damage to people, companies and infrastructures.
- Create a reliable foundation on which confidence in a networked, digital world can take root and grow.
These are all reasonable goals for any company, not just technology vendors. They are also a good foundation for the cybersecurity message that the CoT members are pushing. That message is better explained in the 10 principles that all members agree to.
What is of more interest is the work going into the development of supply chain security. According to the latest release, there are now: “17 concrete baseline requirements with which they [the members] can increase the security of their supply chains.”
Siemens is already deploying these baseline requirements. It is using the requirements to improve safety-critical components including software, processes and electronic components. This is not an optional programme. It expects existing suppliers to adopt these requirements. It will be interesting to see how quickly the rest of the CoT group start to put the same demands on their suppliers.
Cybersecurity training a must
There is also a significant focus on training for all CoT partners. This is not just about training their own staff but making sure that training includes all small to medium-sized enterprises (SMEs). The question is: how will this work?
UK analyst firm Synonym Advisory commented: “The call for large enterprises to train and improve cybersecurity for their supply chain is nothing new. Large vendors such as HPE and IBM like to talk about how they hear customers asking how to do this. However, neither of them can show any evidence that customers are really looking to push training into their supply chains.
“If large companies continue to ignore their supply chain security they will continue to be breached. It is far easier to attack an SME and use that as a launch pad to hit a large enterprise than target the large enterprise itself. The requirements that the Charter of Trust are placing on their supply chain need to be backed with positive action.
“What do we mean by positive action? Audits, onsite visits, opening up cybersecurity training to help partners, have a roving cybersecurity team that can visit partners to advise them. These are all proactive steps rather than issuing dictates and assuming they will be complied with.”
What is in this for NTT?
NTT stands to benefit from its involvement in the CoT. It can use the principles to help secure its own supply chains which are global in nature. Like Siemens, it has a lot of SME suppliers in its global supply chain and they touch its entire business. Being able to improve security will be seen as a business need and a potential differentiator from the competition.
NTT has its own managed security offering that is housed inside its global data centres. It can offer services and support to SMEs who are part of its supply chain. This is a proactive step as it has a vested interest in the security of those businesses.
In addition, the company has an active approach to training its own staff. As Mihoko Matsubara told Enterprise Times last year: “NTT CEO Hiroo Unoura set a goal to increase the number of cyber security professionals from 2,500 to 10,000 over six years in 2014.”
The company continues to run security training that encompasses the entire company from the board downwards. There is no reason why it couldn’t widen that to its own supply chain and even take the lead at the CoT in developing a supply chain training programme.
Enterprise Times: What does this mean?
Vendors getting together to form another industry body is pretty common. Vendors creating a body that is actively delivering on what it claims is less so. The goals and principles of the Charter of Trust are clear and achievable. It is investing in expanding and delivering them at a wider level. More importantly, its members are then using them to develop their own businesses.
NTT joining the CoT makes sense. It has the same challenges as Siemens and several of the other members. It can gain from learning from them and implementing the principles. Importantly, it also brings a lot to the CoT. Its experience with training the entire company and making that training work is something of a rarity in IT. The question is: will it be the first CoT member to extend that training to its supply chain?
There are now 17 members and associate members of the CoT. It will be interesting to see how much it develops over the next year and who will join next.