Cybersecurity is now listed as one of the top priorities globally, according to the latest Annual Global CEO Survey by PwC, sitting only behind the pandemic in terms of extreme concerns. So cybersecurity risk management strategy should no longer be seen as a concern solely for the CTO and IT Director; it needs to be on the agenda with every supply chain and technical director.
Data has the potential to transform risk management and resilience. The right data, analysis and reporting tools can help establish where future risk is more likely to occur and where it isn’t, enabling resources to focus on areas where the greatest value is at stake. Using these metrics can also help to avoid emotional bias in decision-making: the risks that we assume are greater are not always those that require the closest monitoring.
If a component or technique can be shown to be more at risk of failure, it may not make sense to inspect or audit it in the same schedule-driven way. Equally, more efficient methods can be devised for lower-risk areas, freeing up resources to focus on and assure the higher-risk activities. An experienced digital assurance partner will be able to offer consultancy on what data to monitor and how to analyze and act on it.
The opportunity offered by digital transformation is significant, but experience tells us that implementation can be challenging and, if approached in a piecemeal way, it is unlikely to deliver the right impact. A 2020 study revealed that of the digital upgrades put in place at the start of the pandemic, 59% required short-term fixes to solve issues that arose from rushed deployment. This might have been avoided had assurance and risk mitigation been better integrated into the change management process.
A common mistake is to take a tech-driven approach, deploying technology for technology’s sake. Critically, the starting point for organizations seeking to digitize their operations and risk assurance programs must be the problems that they want to solve, not the technology or data source they feel is missing. This requires a cohesive digital assurance strategy that includes the right blend of people, process and technology.
Growing digitization and data flows increase the potential vulnerabilities that malicious threat actors might exploit. Suppliers are a vital source of data for any company wishing to obtain a complete picture of its operations and quality assurance, but this digital supply chain also needs cybersecurity assurance. Organizations need to be aware not just of their own cybersecurity risk management strategy but also of the cyber-threats that can arise from the supply chain when assessing it.
In the last few years, we have seen a shift in the cyber-threat landscape, with ransomware doubling in frequency to account for 10% of all breaches and increasingly being targeted at supply chains through sleeper ransomware. These attacks not only gain privileges on the host network but also probe how the whole ecosystem can be affected. The global nature of supply chains increases the potential impact of these attacks, increasing the importance of risk assessment in cybersecurity.
In this environment, traditional audits and an annual cybersecurity risk assessment are no longer adequate. They only provide a snapshot of systems at one moment in time and do not consider new vulnerabilities or changes made to the system in the interim.
One solution to both of these issues is continuous controls monitoring. This allows organizations to track, in real-time, the data needed for a cybersecurity risk assessment, including that obtained from suppliers. Threat intelligence platforms and dashboards can facilitate a continuous and proactive monitoring approach.
A collaborative approach with suppliers and specialists can help an organization make great strides in developing a smarter approach to risk assurance and establishing the appropriate information assurance in cybersecurity.
The requirement for certification against global management system standards, such as ISO 27001, and the right to audit and assess IT security are part of many contractual agreements. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is also gaining ground as a global standard that considers the need to look at the controls of suppliers. This provides a mutual advantage to both parties, with procurers helping to educate and upskill suppliers, increasing competency and resilience throughout the chain.
All of this points towards the need to integrate cyber-resilience into digital risk assurance programs in a way that is tailored to the business, addressing the threats you are aware of and taking account of the ones that you aren’t. Continuous and collaborative monitoring of operational data and information security, vulnerabilities and threats can mitigate risk better, drive efficiency and facilitate more informed decision-making.