Supply chains pose a significant but often invisible risk to organizations across all sectors, experts warned. CISOs need to work both with suppliers and partners and with other business departments to identify and minimize those risks.
According to a panel of CISOs and CIOs at Infosecurity Europe, managing supply chain risk means having a view of myriad suppliers, but also understanding how critical they are to the organization.
Then, CISOs can assess the security risks and look at measures to reduce them. This can include security questionnaires, compliance with security standards and the right to audit. However, CISOs also need to avoid, in effect, telling partners and suppliers how to run their security.
Addressing supply chain risks also means working with other departments sourcing technology or services. This will include purchasing, finance and legal. According to Regina Bluman, cyber security adviser at law firm Pinsent Masons, contractual clauses will provide organizations with some remedies if there is a security problem, but won’t, of course, prevent security breaches.
Large-scale Challenge
One challenge facing cyber teams is the sheer scale of suppliers used by many organizations. It can help to classify them by their importance and potential risk.
Mahbubul Islam, a CISO in the public sector, has around 700 suppliers. His organization categorizes them and uses that to focus risk mitigation efforts. Supply chain assurance takes time, and it is simply not possible to perform the same depth of checks on all of them.
The situation is similar at the National Trust, where CIO Jon Townsend has tens of thousands of suppliers. Many are sole traders or other small businesses servicing the National Trust’s estate. Others are critical to the business, or need a more detailed risk assessment because they handle sensitive or personal data.
“We have about 24,000 suppliers but some of those will be an individual coming in to put fence posts around the fields. We are less worried about those,” he said. “But we categorize them into tiers and say these are our ‘tier one’ suppliers. It doesn’t matter what business functionality they are providing; you need to understand the business criticality of what they do.”
Checks and Balances
Security teams then need to act, to make sure suppliers are actually keeping to the standards they have agreed to. This can be contractual, through service level agreements, or audits.
“It is going through that security schedule, and making sure that everything they say they do, they actually do, and do some checking,” said Tom Mullen, senior operational and security director at Motorola Solutions.
Boards, too, are increasingly conscious of supply chain risks. They will look to security to manage them and provide the evidence that they have done so. However, cybersecurity teams need to be able to explain supply chain risk to the board in business terms.
“It is beholden to technology and cybersecurity professionals to present their case in a way the board can understand and tell the story around what would happen to the business if it happened to us,” explained Townsend.