Cyber risk is on the rise, fueled by an ever-growing volume of sensitive data moving across interconnected and integrated networks. Nearly every organization is operationally dependent on a robust supply chain and myriad of traditional and non-traditional partners —
including suppliers, vendors and customers —
that often have direct access to business systems and data.
With tens of millions of employees working from home and billions of consumers purchasing goods on their phones from anywhere, protecting mission-critical and other sensitive data within a complex ecosystem of partners has never been more essential. Enacting risk management frameworks that look both inward and outward to monitor and secure relationships with third parties is now a strategic business imperative for chief information security officers (CISOs), chief information officers (CIOs) and other information security leaders. Failing to establish adequate controls to protect partners’ data and their own, leaves companies’ entire networks vulnerable to cyberattacks.
Fortunately, C-suite leaders recognize both the challenge and importance of securing digital supply chains. A sizeable majority (79%) of chief executive officers (CEOs) say protecting their partner ecosystem is just as important as building their own organization’s cyber defenses.
Here are five ways cybersecurity leaders can secure the digital supply chains in which they operate:
1. Align security requirements throughout the process
Whether it is for a supplier, vendor or customer, properly vetting potential partners’ organizational security policies, as well as the security built into their products and services, must be baked into an organization’s contract negotiation process.
Although this framework can provide near-real-time risk visibility, it is too time-consuming and costly for most organizations, particularly as the complexity of the partner ecosystem increases. As a result, IT leaders are transitioning away from a compliance-based strategy to a much more proactive approach that puts continuous monitoring, threat intelligence, and strict identity verification (zero trust) at the heart of their ecosystem security model.
In order to alleviate the burden of the process, some organizations, particularly in regulated industries, are turning instead to security ratings companies. These services supplement point-in-time assessments by providing security risk scores against a set of pre-defined parameters and offering detailed qualitative and quantitative analysis of partner and ecosystem risk. However, be aware, they may not satisfy every requirement.
2. Consider continuous controls monitoring to shift from focusing narrowly on compliance to adopting a more operationally based view of security
A strong risk management framework that looks both inward and outward is key, especially for high-risk industries such as financial services, energy and healthcare. Continuous assessment and monitoring (CAM) takes this a step further, moving security assessments away from point-in-time activities that become obsolete quickly. Leveraging new standards for machine readable assessments, CAM works to provide visibility to operational security challenges without increasing cost or risk.
CAM can expedite vendor cycles through the use of machine-readable assessments, which ultimately enhance risk and control oversight. However, in order to work effectively, CAM requires vendor participation across an organization’s security ecosystem. This model can inspire ecosystem partners to move from a compliance-based approach to a more operational focus that allows for corrective measures in real-time, with or without human intervention.
3. Explore opportunities to leverage automation in supply chain security
IT leaders can alleviate the time and cost of continuously vetting and monitoring their security ecosystem by embracing automation, including the use of artificial intelligence (AI) and machine learning (ML).
AI and ML can be applied to security policies to address shadow IT issues and provide better oversight of third-party Software as a Service (SaaS) products. They can also be used to implement self-service chatbots and automate many aspects of the organization’s third-party risk management processes. Automation enhances an organization’s existing risk management framework and frees up time and resources so skilled security workers can focus on more strategic activities.
In addition, the use of AI-powered digital workers can alleviate many of the low-value, high-cost, manual activities that generally burden the security teams during the assessment process. The ability for these digital team members to quickly access multiple data sources, review artifacts at wire speeds and provide a better experience for internal stakeholders and vendors, are all great reasons to begin the process of integrating this into your third-party security toolbox.
4. Keep a close eye on regulatory requirements as they continue to evolve and focus on supply chain security
As the digital landscape becomes increasingly complex, and partners more intricately linked, cybersecurity regulations will continue to tighten, and there will be more of them. For example, the White House has issued executive orders on the U.S. supply chain, while the European Union’s NIS Directive draws clear lines around how member states, industries, and organizations need to enhance their inward and outward cybersecurity policies, especially in a post-pandemic world. For IT leaders, staying up to date on these policies is critical to protecting sensitive data and ensuring compliance.
5. Take a capacity-building approach by applying security measures to protect your broader ecosystem, in addition to your own environment
Stringent regulatory standards can help minimize the impact of third-party cyber threats, but there are situations where the participants in complex ecosystem structures —
such as cloud providers, SaaS companies and Internet of Things device manufacturers —
may not have clear obligations for establishing adequate controls to protect their partners’ data, leaving the entire network vulnerable to cyberattacks.
In an interconnected business world, larger, more resourceful organizations are realizing they have a responsibility to protect their supplier ecosystem, particularly partners that do not have the same level of resources. This could mean providing a monitoring service across their supply ecosystem and collaborating with partners to defend against identified threats. This is in everyone’s best interest, because if one organization is vulnerable to cyberattacks, that means its partners and other participants in its digital supply chain are as well.
Just as the pandemic revealed how intrinsically linked partners are within the physical supply chain, so too are business leaders waking up to how reliant they are on their digital supply chain partners. Becoming a “digital-first” organization requires sharing data on a near-constant basis throughout a complex and connected ecosystem of partners and suppliers, which creates numerous opportunities for cyberattackers. Today, cybersecurity leaders are not only tasked with securing their own organizations —
they must also encourage their broader ecosystem to be cyber-secure, responsive and aware.