23 Apr 2021

A CISO’s Guide to Third-Party and Supply Chain Security Management

Guest blog: Mark Brown, Global Managing Director, Cybersecurity & Information Resilience at BSI Group as part of our #Cyber2021 week.

In today’s ever increasing hyper connected world, an organisation needs to recognise that they cannot wholly control all aspects of cybersecurity. The breaking down of perimeters is real and the ongoing COVID-19 pandemic has accelerated the transition to a hyper-connected technology environment. In this new world, it is essential that organisations recognise the need to implement and sustain a highly effective third-party and supply chain security programs which consider:

When and how to implement compensating internal controls when your suppliers don't have or won't reveal their own

How to collaborate with suppliers to ensure success in the remediation process for any cyber exposures identified
Creating KPIs to help manage, improve the process and demonstrate achievements

The Situation

Your organization’s attack surface is growing continuously and as organisations outsource large portions of IT systems and business processes to third parties, they are extending the attack surface of the third-party organisation to their own. And that is only for the activities that are known about, as in reality, there are probably people in organisations connecting with outside providers all the time without informing the CIO and CISO with the result that the holistic attack surface is impossible to articulate and map.

As data is shared throughout the supply chain with third parties, organisations need to stay informed about the supply chain organisational security as much as their own. Indeed, managing the security of third parties across the supply chain is arguably even more important for the following reasons:

Increase in cloud apps - The average organization is estimated to have increased its usage of cloud services by 15% from last year, whilst the amount of sensitive data shared on the cloud is estimated to increase by 50% each year. Indeed, the pace of change indicates that by 2030, it is likely that almost 90% of technology spend will be outside of the IT organization.

Remote working - Through necessity during the COVID pandemic, many companies that have shifted to working from home and have subsequently faced increased cybersecurity challenges, including technology and human risks. The same risks therefore have to be assumed throughout the supply chain and for their third parties.
Third-party data breaches - It is now commonplace for an organization to experience a data breach caused by third parties within their supply chain. The consequences of such breaches can be disastrous and can include lost consumer confidence and loyalty, as well as costly financial penalties and operating confidence.
New regulations - Data privacy regulations such as GDPR, CCPA and the NY SHIELD Act require companies to ensure that customer data remains private and secure. A breach through a third party within the supply chain could result in significant financial penalties for the organization to which it is connected, reinforcing the old adage that whilst you may outsource the responsibility you cannot outsource the accountability.

It is therefore evident that having a comprehensive third-party and supply chain cybersecurity process is crucial. However, the mechanisms to address this are not an activity with which an organisation can be 100% confident. Most organizations currently focus their supply chain security responses on the use of two primary tools to assess their third parties’ security: Security questionnaires and security ratings services (SRSes). However, each method can be problematic on its own.

The Problems with Questionnaires

Questionnaires lack context, containing hundreds of questions that don’t relate to the services provided.
Questionnaire processes cannot scale as they are time-consuming to send, complete and review and inhibit business agility.

Questionnaires are only good for a limited time and responses are likely to be valid only at the time of response. A third-party may be fully secure one month and breached the next.

The problem with SRSes

SRSes provide a limited view of cyber posture. While they can do a good job of assessing the exterior attack surface of third parties, SRSes cannot make sure that a third party complies with internal security policies and practices.

Essentially, using an SRS is looking at the tip of the iceberg: An organization cannot see the entire picture of cyber posture with just an exterior scan.

Building your Third Party & Supply Chain Security Program

Automation of your supply chain and third-party security program is the key for a comprehensive third-party and supply chain cybersecurity program providing the ability to rapidly scale while considering the following:

Context of the supply chain relationship
Visibility, combining an external cyber posture scan with policy-based questionnaire responses and continuous monitoring
Engagement with supply chain organisations to educate them on the purpose of your program and the benefit gained from active participation – it has to be a two-way relationship
Collaboration - set realistic deadlines and provide a simple method for communication.

Organizations seeking to upgrade their third-party security program should therefore focus on:

Identifying stakeholders involved in managing third parties and supply chains
Defining cybersecurity risk tiers for the provider portfolio

Define the standard of care for each tier
Focus on providers that don’t adhere and develop a response plan with the stakeholder managing that supply relationship.