Today’s interconnected business landscape has expanded operations to a global level, providing companies access to markets that were inaccessible 20 years ago. As such, companies are able to provide their products and services throughout much of the world. However, as operations have expanded, so have supply chains.
Today, it is common for products to travel the world during their assembly, with certain parts made in Asia, while other elements are assembled in various other continents, thousands of miles away. While this expanded supply chain can decrease cost and increase corporate margins, it also increases cyber risk.
As noted in ISACA’s recent white paper on supply chain resilience and business continuity, a company’s supply chain poses one of the greatest cybersecurity risks to daily operations, but a holistic approach, with proper management mechanisms in place, can increase cyber-maturity and reduce organizational risk.
In order to understand how to apply cyber-maturity to daily operations and supply chains, organizations must first have a comprehensive understanding of their global footprint. Gaining understanding of multi-national operations can prove rather difficult depending on the size and scope of an organization.
For example, IBM, one of the largest and oldest companies on earth, currently states on its website that it is an international organization with over 350,000 employees around the world. Tracing, identifying, and organizing an enterprise of that size is a herculean task, no matter who leads the charge.
The process continues once the organizational structure is mapped, identifying the vast supply chain, which requires even more effort and diligence. Charting all of the vendor and third-party relationships can prove exceedingly difficult considering that third party and vendor agreements are, at times, different between each contracted organization, eschewing consistency for business opportunity.
However, applying additional diligence and tenacity in creating a thorough, holistic mapping and understanding of the third party supply chain network of an organization almost always makes the process of increasing cyber-maturity much easier.
Despite the difficulty of supply chain mapping, understanding the interdependencies and reliance of a central organization on the efforts of third parties is paramount to establishing a strong cybersecurity stance. Specifically, many strong, cyber-mature organizations generate effective policies and procedures from a centralized organization.
In many cases, the policy-generating organization takes the form of a strategic level cybersecurity or information security group. These strategic level professionals are able to take the full mapping of the organizational supply chain and analyze the specific relationships to determine risks and vulnerabilities to the organization. In turn, they are able to prioritize and categorize these potential issues and develop methods and procedures to mitigate risks and address vulnerabilities.
Centrally generated and distributed policies also have the greatest potential of adherence across the organization and provide the highest chance of consistent adherence.
These policies, procedures, and requirements, developed by centralized security professionals, take the form of organizational practices and security controls. These practices and controls ensure that, when working with a third-party vendor within the supply chain, certain actions are preformed to reduce the risk to the organization.
Common security controls include requirements that any third-party working with an organization adhere to certain requirements, such as periodic review of their own security posture. In certain instances, regularly scheduled penetration tests and audits are required in order to work with certain organizations, specifically financial institutions.
As these controls and practices are put in place, consistently and holistically, enterprises will notice a stronger posture against any type of attack originating from the supply chain. That is not to say that there is any cure-all for supply chain risk, but rather an increased readiness for a potential incident.
Grappling with cybersecurity maturity is one of the hardest missions that an organization, operating in today’s volatile business world, can undertake. However, despair at the risk these valuable third-party relationships present need not be the default response. Through comprehensive, centralized evaluation or vulnerability and risk, and holistic, consistent addressing of those risks, organizations and companies can increase their cyber-maturity and feel increased confidence operating in today’s interconnected world.