Transcript of a Briefings Direct podcast on ways to address supply chain risk in the information technology sector marketplace.

1. Page 1
Securing Business Operations and Critical Infrastructure:
Trusted Technology, Procurement Paradigms, Cyber
Insurance
Transcript of a Briefings Direct discussion on ways to address supply chain risk in the
information technology sector marketplace.
Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android.
Sponsor: The Open Group
Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership Panel
Discussion, coming to you in conjunction with The Open Group's upcoming
conference on July 20, 2015 in Baltimore.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host
and moderator as we explore ways to address supply chain risk in the information
technology sector market.
We'll specifically examine how The Open Group Trusted Technology Forum (OTTF) standards
and accreditation activities are enhancing the security of global supply chains and improving the
integrity of openly available IT products and components.
Attend The Open Group Baltimore 2015
July 20-23, 2015
Register Here
We'll also learn how the age-old practice of insurance is coming to bear on the problem of IT
supply-chain risk, and by leveraging insurance models, the specter of supply chain disruption
and security yields may be significantly reduced.
To update us on the work of the OTTF and explain the workings and benefits of supply-chain
insurance, we're joined by our panel of experts. Please join me in welcoming Sally Long,
Director of The Open Group Trusted Technology Forum. Welcome, Sally.
Sally Long: Thank you.
Gardner: We're also here with Andras Szakal, Vice President and Chief Technology Officer for
IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum. Welcome
back, Andras.
Andras Szakal: Thank you for having me.
Gardner

2. Page 2
Gardner: And Bob Dix joins us. He is Vice President of Global Government Affairs and Public
Policy for Juniper Networks and is a member of The Open Group Trusted Technology Forum.
Welcome, Bob.
Bob Dix: Thank you for the invitation. Glad to be here.
Gardner: Lastly, we are joined by Dan Reddy, Supply Chain
Assurance Specialist, college instructor and Lead of The Open Group
Trusted Technology Forum Global Outreach and Standards Harmonization Work Group. Thanks
for being with us, Dan.
Dan Reddy: Glad to be here, Dana.
Gardner: Sally, let’s start with you. Why don’t we just get a quick update on The Open Group
Trusted Technology Forum (OTTF) and the supply-chain accreditation process generally? What
has been going on?
OTTP standard
Long: For some of you who might not have heard of the O-TTPS, which is the standard, it’s
called The Open Trusted Technology Provider™ Standard. The effort started
with an initiative in 2009, a roundtable discussion with U.S. government and
several ICT vendors, on how to identify trustworthy commercial off-the-shelf
(COTS) information and communication technology (ICT), basically driven by
the fact that governments were moving away from high assurance customized
solution and more and more using COTS ICT.
That ad-hoc group formed under The OTTF and proceeded to deliver a standard and an
accreditation program.
The standard really provides a set of best practices to be used throughout the COTS ICT product
life cycle. That’s both during in-house development, as well as with outsourced development and
manufacturing, including the best practices to use for security in the supply chain, encompassing
all phases from design to disposal.
Just to bring you up to speed on just some of the milestones that we've had, we released our 1.0
version of the standard in 2013, launched our accreditation program to help assure conformance
to the standard in February 2014, and then in July, we released our 1.1 version of the standard.
We have now submitted that version to ISO for approval as a publicly available specification
(PAS) and it’s a fast track for ISO.
The PAS is a process for adopting standards developed in other standards development
organizations (SDOs), and the O-TTPS has passed the draft ISO ballot. Now, it’s coming up for
final ballot.
Long

3. Page 3
That should bring folks up to speed, Dana, and let them know where we are today.
Gardner: Is there anything in particular at The Open Group Conference in Baltimore, coming
up in July, that pertains to these activities? Is this something that’s going to be more than just
discussed? Is there something of a milestone nature here too?
Long: Monday, July 20, is the Cyber Security Day of the Baltimore Conference. We're going to
be meeting in the plenary with many of the U.S. government officials from NIST, GSA, and the
Department of Homeland Security. So there is going to be a big plenary discussion on cyber
security and supply chain.
We'll also be meeting separately as a member forum, but the whole open track on Monday will
be devoted to cyber security and supply chain security.
The one milestone that might coincide is that we're publishing our Chinese translation version of
the standard 1.1 and we might be announcing that then. I think that’s about it, Dana.
OTTF background
Gardner: Andras, for the benefit of our listeners and readers who might be new to this
concept, perhaps you could fill us in on the background on the types of problems that OTTF and
the initiatives and standards are designed to solve. What’s the problem that we need to address
here?
Szakal: That’s a great question. We realized, over the last 5 to 10 years, that the traditional
supply-chain management practices, supply-chain integrity practices, where we
were ensuring the integrity of the delivery of a product to the end customer,
ensuring that it wasn't tampered with, effectively managing our suppliers to ensure
they provided us with quality components really had expanded as a result of the
adoption of technology and the pervasive growth of technology in all aspects of
manufacturing, but especially as IT has expanded into the Internet of Things,
critical infrastructure and mobile technologies, and now obviously cloud and big data.
And as we manufacture those IT products we have to recognize that now we're in a global
environment, and manufacturing and sourcing of components occurs worldwide. In some cases,
some of these components are even open source or freely available. We're concerned, obviously,
about the lineage, but also the practices of how these products are manufactured from a secure
engineering perspective, as well as the supply-chain integrity and supply-chain security
practices.
What we've recognized here is that the traditional life cycle of supply-chain security and integrity
has expanded to include all the way down to the design aspects of the product through
sustainment and managing that product over a period of time, from cradle to grave, and disposal
of the product to ensure that those components, if they were hardware-based, don't actually end
up recycled in a way that they pose a threat to our customers.
Szakal

4. Page 4
Gardner: So it’s as much a lifecycle as it is a procurement issue.
Szakal: Absolutely. When you talk about procurement, you're talking about lifecycle and about
mitigating risks to those two different aspects from sourcing and from manufacturing.
So from the customer's perspective, they need to be considering how they actually apply
techniques to ensure that they are sourcing from authorized channels, that they are also applying
the same techniques that we use for secure engineering when they are doing the integration of
their IT infrastructure.
But from a development perspective, it’s ensuring that we're applying secure engineering
techniques, that we have a well-defined baseline for our life cycle, and that we're controlling our
assets effectively. We understand who our partners are and we're able to score them and ensure
that we're tracking their integrity and that we're applying new techniques around secure
engineering, like threat analysis and risk analysis to the supply chain.
We're understanding the current risk landscape and applying techniques like vulnerability
analysis and runtime protection techniques that would allow us to mitigate many of these risks as
we build out our products and manufacture them.
It goes all the way through sustainment. You probably recognize now, most people would, that
your products are no longer a shrink-wrap product that you get, install, and it lives for a year or
two before you update it. It’s constantly being updated. So to ensure that the integrity and
delivery of that update is consistent with the principles that we are trying to espouse is also really
important.
Collaborative effort
Gardner: And to that point, no product stands alone. It’s really a result of a collaborative
effort, very complex number of systems coming together. Not only are standards necessary, but
cooperation among all those players in that ecosystem becomes necessary.
Dan Reddy, how have we done in terms of getting mutual assurance across a supply chain that
all the participants are willing to take part? It seems to me that, if there is a weak link, everyone
would benefit by shoring that up. So how do we go beyond the standards? How are we getting
cooperation, get all the parties interested in contributing and being part of this?
Reddy: First of all, it’s an evolutionary process, and we're still in the early days of fully
communicating what the best practices are, what the standards are, and getting
people to understand how that relates to their place in the supply chain.
Certainly, the supplier community would benefit by following some common
practices so they don’t wind up answering customized survey questions from all
of their customers.Reddy

5. Page 5
That's what's happening today. It's pretty much a one-off situation, where each customer says, "I
need to protect my supply chain. Let me go find out what all of my suppliers are doing." The real
benefit here is to have the common language of the requirements in our standard and a way to
measure it.
So there should be an incentive for the suppliers to take a look at that and say, "I'm tired of
answering these individual survey questions. Maybe if I just document my best practices, I can
avoid some of the effort that goes along with that individual approach."
Everyone needs to understand that value proposition across the supply chain. Part of what we're
trying to do with the Baltimore conference is to talk to some thought leaders and continue to get
the word out about the value proposition here.
Gardner: Bob Dix, the government in the U.S., and of course across the globe, all the
governments, are major purchasers of technology and also have a great stake in security and low
risk. What’s been driving some of the government activities? Of course, they're also interested in
using off-the-shelf technology and cutting costs. So what’s the role that governments can play in
driving some of these activities around the OTTF?
Risk management
Dix: This issue of supply chain assurance and cyber security is all about risk management, and
it's a shared responsibility. For too long I think that the government has had a tendency to want
to point a finger at the private sector as not sufficiently attending to this matter.
The fact is, Dana, that many in the private sector make substantial investments in
their product integrity program, as Andras was talking about, from product
conception, to delivery, to disposal. What’s really important is that when that
investment is made and when companies apply the standard the OTTF has put
forward, it’s incumbent upon the government to do their part in purchasing from
authorized and trusted sources.
In today's world, we still have a culture that's pervasive across the government acquisition
community, where decision-making on procurements is often driven by cost and schedule, and
product authenticity, assurance, and security are not necessarily a part of that equation. It’s
driven in many cases by budgets and other considerations, but nonetheless, we must change that
culture to focus to include authenticity and assurance as a part of the decision making process.
The result of focusing on cost and schedule is often those acquisitions are made from untrusted
and unauthorized sources, which raises the risk of acquiring counterfeit, tainted, or even
malicious equipment.
Part of the work of the OTTF is to present to all stakeholders, in industry and government alike,
that there is a process that can be uniform, as has been stated by Sally and Dan as well, that can
Dix

6. Page 6
be applied in an environment to raise the bar of authenticity, security, and assurance to improve
upon that risk management approach.
Gardner: Sally, we've talked about where you're standing in terms of some progress in your
development around these standards and activities. We've heard about the challenges and the
need for improvement.
Before we talk about this really interesting concept of insurance that would come to bear on
perhaps encouraging standardization and giving people more ways to reduce their risk and
adhere to best practices, what do you expect to see in a few years? If things go well and if this is
adopted widely and embraced in true good practices, what's the result? What do we expect to see
as an improvement?
What I am trying to get at here is that if there's a really interesting golden nugget to shoot for, a
golden ring to grab for, what is that we can accomplish by doing this well?
Powerful impact
Long: The most important and significant aspect of the accreditation program is when you look
at the holistic nature of the program and how it could have a very powerful impact if it's widely
adopted.
The idea of an accreditation program is that a provider gets accredited for conforming to the best
practices. A provider that can get accredited could be an integrator, an OEM, the component
suppliers of hardware and software that provide the components to the OEM, and the value-add
resellers and distributors.
Every important constituent in that supply chain could be accredited. So not only from a business
perspective is it important for governments and commercial customers to look on the
Accreditation Registry and see who has been accredited for the integrators they want to work
with or for the OEMs they want to work with, but it’s also important and beneficial for OEMs to
be able to look at that register and say, "These component suppliers are accredited. So I'll work
with them as business partners." It's the same for value-add resellers and distributors.
Attend The Open Group Baltimore 2015
July 20-23, 2015
Register Here
It builds in these real business-market incentives to make the concept work, and in the end, of
course, the ultimate goal of having a more secure supply chain and more products with integrity
will be achieved.
To me, that is one of the most important aspects that we can reach for, especially if we reach out
internationally. What we're starting to see internationally is that localized requirements are
cropping up in different countries. What that’s going to mean is that vendors need to meet those

7. Page 7
different requirements, increasing their cost, and sometimes even there will end up being trade
barriers.
Back to what Dan and Bob were saying, we need to look at this global standard and accreditation
program that already exists. It's not in development; we've been working on it for five years with
consensus from many, many of the major players in the industry and government. So urging
global adoption of what already exists and what could work holistically is really an important
objective for our next couple of years.
Gardner: It certainty sounds like a win, win, win if everyone can participate, have visibility, and
get designated as having followed through on those principles. But as you know and as you
mentioned, it’s the marketplace. Economics often drives business behavior. So in addition to a
standards process and the definitions being available, what is it about this notion of insurance
that might be a parallel market force that would help encourage better practices and ultimately
move more companies in this direction?
Let’s start with Dan. Explain to me how cyber insurance, as it pertains to the supply chain, would
work?
Early stages
Reddy: It’s an interesting question. The cyber insurance industry is still in the early stages,
even though it goes back to the '70s, where crime insurance started applying to outsiders gaining
physical access to computer systems. You didn't really see the advent of hacker insurance
policies until the late '90s. Then, starting in 2000, some of the first forms of cyber insurance
covering first and third party started to appear.
What we're seeing today is primarily related to the breaches that we hear about in the paper
everyday, where some organization has been comprised, and sensitive information, like credit
card information, is exposed for thousands of customers. The remediation is geared toward the
companies that have to pay the claim and sign people up for identity protection. It's pretty cut
and dried. That's the wave that the insurance industry is riding right now.
What I see is that as attacks get to be more sophisticated and potentially include attacks on the
supply chain, it’s going to represent a whole new area for cyber insurance. Having consistent
ways to address supplier-related risk, as well as the other infrastructure related risks that go
beyond simple data breach, is going to be where the marketplace has to make an adjustment.
Standardization is critical there.
Gardner: Andras, how does this work in conjunction with OTTF? Would insurance companies
begin their risk assessment by making sure that participants in the supply chain are already
adhering to your standards and seeking accreditation? Then, maybe they would have premiums
that would reflect the diligence that companies extend into their supply chains. Maybe you could
just explain to me, not just the insurance, but how it would work in conjunction with OTTF,
maybe to each’s mutual benefit.

8. Page 8
Szakal: You made a really great point earlier about the economic element that would drive
compliance. For us in IBM, the economic element is the ability to prove that we're providing the
right assurance that is being specified in the requests for proposals (RFPs), not only in the federal
sector, but outside the federal sector in critical infrastructure and finance. We continue to win
those opportunities, and that’s driven our compliance, as well as the government policy aspect
worldwide.
But from an insurance point of view, insurance comes in two forms. I buy policy insurance in a
case where there are risks that are out of my control, and I apply protective measures that are
under my control. So in the case of the supply chain, the OTTF is a set of practices that help you
gain control and lower the risk of threat in the manufacturing process.
The question is, do you buy a policy, and what’s the balance here between a cyber threat that is
in your control, and those aspects of supply chain security which are out of your control? This is
with the understanding that there is an infinite number of a resources or revenue that you can
apply to allocate to both of these aspects.
There's going to have to be a balance, and it really is going to be case by case, with respect to
customers and manufacturers, as to where the loss of potential intellectual property (IP) with
insurance, versus applying controls. Those resources are better applied where they actually have
control, versus that of policies that are protecting you against things that are out of your control.
For example, you might buy a policy for providing code to a third party, which has high value IP
to manufacture a component. You have to share that information with that third-party supplier to
actually manufacture that component as part of the overarching product, but with the realization
that if that third party is somehow hacked or intruded on and that IP is stolen, you have lost some
significant amount of value. That will be an area where insurance would be applicable.
What's working
Gardner: Bob Dix, if insurance comes to bear in conjunction with standards like what the
OTTF is developing in supply chain assurance, it seems to me that the insurance providers
themselves would be in a position of gathering information for their actuarial decisions and could
be a clearing house for what's working and what isn't working.
It would be in their best interest to then share that back into the marketplace in order to reduce
the risk. That’s a market-driven, data-driven approach that could benefit everyone. Do you see
the advent of insurance as a benefit or accelerant to improvement here?
Dix: It's a tool. This is a conversation that’s been going on in the community for quite some
time, the lack of actuarial data for catastrophic losses produced by cyber events, that is impacting
some of the rate setting and premium setting by insurance companies, and that has continued to
be a challenge.

9. Page 9
But from an incentive standpoint, it’s just like in your home. If you have an alarm system, if you
have a fence, if you do other kinds of protective measures, your insurance on your homeowners
or liability insurance may get a reduction in premium for those actions that you have taken.
As an incentive, the opportunity to have an insurance policy to either transfer or buy down risk
can be driven by the type of controls that you have in your environment. The standard that the
OTTF has put forward provides guidance about how best to accomplish that. So, there is an
opportunity to leverage, as an incentive, the reduction in premiums for insurance to transfer or
buy down risk.
Gardner: It’s interesting, Sally, that the insurance industry could benefit from OTTF, and by
having more insurance available in the marketplace, it could encourage more participation and
make the standard even more applicable and valuable. So it's interesting to see over time how
that plays out.
Any thoughts or comments on the relationship between what you are doing at OTTF and The
Open Group and what the private insurance industry is moving toward?
Long: I agree with what everyone has said. It's an up-and-coming field, and there is a lot more
focus on it. I hear at every conference I go to, there is a lot more research on cyber security
insurance. There is a place for the O-TTPS in terms of buying down risk, as Bob was
mentioning.
The other thing that's interesting is the NIST Cybersecurity Framework. That whole paradigm
started out with the fact that there would be incentives for those that followed the NIST
Cybersecurity Framework - that incentive piece became very hard to pull together, and still is.
To my knowledge, there are no incentives yet associated with it. But insurance was one of the
ideas they talked about for incentivizing adopters of the CSF.
The other thing that I think came out of one of the presentations that Dan and Larry Clinton will
be giving at our Baltimore Conference, is that insurers are looking for simplicity. They don’t
want to go into a client’s environment and have them prove that they are doing all of these things
required of them or filling out a long checklist.
That’s why, in terms of simplicity, asking for O-TTPS-accredited providers or lowering their
rates based on that - would be a very simplistic approach, but again not here yet. As Bob said, it's
been talked about a lot for a long time, but I think it is coming to the fore.
Market of interest
Gardner: Dan Reddy, back to you. When there is generally a large addressable market of
interest in a product or service, there often rises a commercial means to satisfy that. How can
enterprises, the people who are consuming these products, encourage acceptance of these
standards, perhaps push for a stronger insurance capability in the marketplace, or also get
involved with some of these standards and practices that we have been talking about?

10. Page 10
If you're a publicly traded company, you would want to reduce your exposure and be able to
claim accreditation and insurance as well. Let’s look at this from the perspective of the
enterprise. What should and could they be doing to improve on this?
Reddy: I want to link back to what Sally said about the NIST Cyber Security Framework.
What’s been very useful in publishing the Framework is that it gives enterprises a way to talk
about their overall operational risk in a consistent fashion.
I was at one of the workshops sponsored by NIST where enterprises that had adopted it talked
about what they were doing internally in their own enterprises in changing their practices,
improving their security, and using the language of the framework to address that.
Yet, when they talked about one aspect of their risk, their supplier risk, they were trying to send
the NIST Cybersecurity Framework risk questions to their suppliers, and those questions aren’t
really sufficient. They're interesting. You care about the enterprise of your supplier, but you
really care about the products of your supplier.
So one of the things that the OTTF did is look at the requirements in our standard related to
suppliers and link them specifically to the same operational areas that were included in the NIST
Cybersecurity Framework.
This gives the standard enterprise looking at risk, trying to do standard things, a way to use the
language of our requirements in the standard and the accreditation program as a form of
measurement to see how that aspect of supplier risk would be addressed.
But remember, cyber insurance is more than just the risk of suppliers. It’s the risk at the
enterprise level. But the attacks are going to change over time, and we'll go beyond the simple
breaches. That’s where the added complexity will be needed.
Gardner: Andras, any suggestions for how enterprises, suppliers, vendors, systems integrators,
and now, of course, the cloud services providers, should get involved? Where can they go for
more information? What can they do to become part of the solution on this?
International forum
Szakal: Well, they can always become a member of the Trusted Technology Forum, where we
have an international forum.
Gardner: I thought you might say that.
Szakal: That’s an obvious one, right? But there are a couple of places where you can go to learn
more about this challenge.

11. Page 11
One is certainly our website. Download the framework, which was a compendium of best
practices, which we gathered as a result of a lot of hard work of sharing in an open, penalty-free
environment all of the best practices that the major vendors are employing to mitigate risks to
counterfeit and maliciously tainted products, as well as other supply chain risks. I think that’s a
good start, understanding the standard.
Then, it's looking at how you might measure the standard against what your practices are
currently using the accreditation criteria that we have established.
Other places would be NIST. I believe that it’s 161 that is the current pending standard for
protecting supply chain security. There are several really good reports that the Defense Science
Board and other organizations have conducted in the past within the federal government space.
There are plenty of materials out there, a lot of discussion about challenges.
But I think the only place where you really find solutions, or at least one of the only places that I
have seen is in the TTF, embedded in the standard as a set of practices that are very practical to
implement.
Gardner: Sally, the same question to you. Where can people go to get involved? What should
they perhaps do to get started?
Long: I'd reiterate what Andras said. I'd also point them toward the accreditation website, which
is www.opengroup.org/accreditation/o-ttps. And on that accreditation site you can see the policy,
standard and supporting docs. We publicize our assessment procedures so you have a good idea
of what the assessment process will entail.
The program is based on evidence of conformance as well as a warranty from the applicant. So
the assessment procedures being public will allow any organizations thinking about getting
accredited to know exactly what they need to do.
As always, we would appreciate any new members, because we'll be evolving the standard and
the accreditation program, and it is done by consensus. So if you want a say in that, whether our
standard needs to be stronger, weaker, broader, etc., join the forum and help us evolve it.
Impact on business
Gardner: Dan Reddy, when we think about managing these issues, often it falls on the
shoulders of IT and their security apparatus, the Chief Information Security Officer perhaps. But
it seems that the impact on business is growing. So should other people in the enterprise be
thinking about this? I am thinking about procurement or the governance risk and compliance
folks. Who else should be involved other than IT in their security apparatus in mitigating the
risks as far as IT supply chain activity?

12. Page 12
Reddy: You're right that the old model of everything falls on IT is expanding, and now you see
issues of enterprise risk and supply chain risk making it up to the boards of directors, who are
asking tough questions. That's one reason why boards look at cyber insurance as a way to
mitigate some of the risk that they can't control.
They're asking tough questions all the way around, and I think acquisition people do need to
understand what are the right questions to ask of technology providers.
To me, this comes back to scalability. This one-off approach of everyone asking questions of
each of their vendors just isn't going to make it. The advantage that we have here is that we have
a consistent standard, built by consensus, freely available, and it's measurable.
There are a lot of other good documents that talk about supply chain risk and secure engineering,
but you can't get a third-party assessment in a straightforward method, and I think that's going to
be appealing over time.
Gardner: Bob Dix, last word to you. What do you see happening in the area of government
affairs and public policy around these issues? What should we hope for or expect from different
governments in creating an atmosphere that improves risk across supply chain?
Dix: A couple things have to happen, Dana. First, we have got to quit blaming victims when we
have breaches and compromises and start looking at solutions. The government has a tendency in
the United States and in other countries around the world, to look at legislating and trying to pass
regulatory measures that impose requirements on industry without a full understanding of what
industry is already doing.
In this particular example, the government has had a tendency to take an approach that excludes
vendors from being able to participate in federal procurement activities based on a risk level that
they determine.
The really great thing about the work of the OTTF and the standard that's being produced is it
allows a different way to look at it and instead look at those that are accredited as having met the
standard and being able to provide a higher assurance level of authenticity and security around
the products and services that they deliver. I think that's a much more productive approach.
Working together
And from a standpoint of public policy, this example on the great work that's being done by
industry and government working together globally to be able to deliver the standard provides
the government a basis by which they can think about it a little differently.
Instead of just focusing on who they want to exclude, let's look at who actually is delivering the
value and meeting the requirements to be a trusted provider. That's a different approach and it's
one that we are very proud of in terms of the work of The Open Group and we will continue to
work that going forward.

13. Page 13
Gardner: Excellent. I'm afraid we will have to leave it there. We've been exploring ways to
address supply chain risk in the information technology sector marketplace, and we've seen how
The Open Group Trusted Technology Forum standards and accreditation activities are enhancing
the security of global supply chain and improving the integrity of openly available IT products
and components. And we have also learned how the age-old practice of insurance is coming to
bear on the problem of IT supply chain risk.
Attend The Open Group Baltimore 2015
July 20-23, 2015
Register Here
This special BriefingsDirect Thought Leadership Panel Discussion comes to you in conjunction
with The Open Group's upcoming conference on July 20, 2015 in Baltimore. It's not too late to
register on The Open Group's website or to follow the proceedings online and via Twitter and
other social media during the week of the presentation.
So a big thank you to our guests. We've been joined today by Sally Long, Director of The Open
Group Trusted Technology Forum. Thanks so much, Sally.
Long: Thank you, Dana.
Gardner: And a big thank you to Andras Szakal, Vice President and Chief Technology Officer
for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum. Thank you,
Andras.
Szakal: Thank you very much for having us and come join the TTF. We can use all the help we
can get.
Gardner: Great. A big thank you too to Bob Dix, Vice President of Global Government Affairs
& Public Policy for Juniper Networks and a member of The Open Group Trusted
Technology Forum. Thanks, Bob.
Dix: Appreciate the invitation. I look forward to joining you again.
Gardner: And lastly, thank you to Dan Reddy, Supply Chain Assurance Specialist, college
instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and
Standards Harmonization Work Group. I appreciate your input, Dan.
Reddy: Glad to be here.
Gardner: And lastly, a big thank you to our audience for joining us at the special Open Group
sponsored Thought Leadership Panel Discussion.

14. Page 14
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for these
Open Group discussions associated with the Baltimore Conference. Thanks again for listening,
and come back next time.
Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android.
Sponsor: The Open Group
Transcript of a Briefings Direct discussion on ways to address supply chain risk in the
information technology sector marketplace. Copyright The Open Group and Interarbor
Solutions, LLC, 2005-2015. All rights reserved.
You may also be interested in:
• Enterprise Architecture Leader John Zachman on Understanding and Leveraging
Synergies Among the Major EA Frameworks
• Cybersecurity standards: The Open Group explores security and safer supply chains
• Explore synergies among major Enterprise Architecture frameworks with The Open
Group
• Health Data Deluge Requires Secure Information Flow Via Standards, Says the Open
Group's New Healthcare Director
• The Open Group Amsterdam Conference Panel Delves into How to Best Gain Business
Value from Open Platform 3.0
• Healthcare Among Thorniest and Yet Most Opportunistic Use Cases for Boundaryless
Information Flow Improvement
• Gaining Dependability Across All Business Activities Requires Standard of Standards to
Tame Dynamic Complexity, Says The Open Group CEO
• Big Data success depends on better risk management practices like FAIR, say conference
panelists
• Improving signal-to-noise in risk management
• CSC and HP team up to define the new state needed for comprehensive enterprise
cybersecurity