CyberSecurityRethinkingSupplyChainRiskManagement June2015_riskuk_apr15 04/06/2015 18:29 Page 69
Supply Chain Cyber Security Risk: Strengthening Resilience
notional compliance so as to limit the costs of externally imposed remedial work. The result? Confidence in the veracity and completeness of third party assurance returns is low. Also, controls and policies designed for one organisation reflect the threats, risks, risk appetite and capabilities of that company. While similarities may exist, these are unlikely to be exactly the same across the supply chain.
Aspiration and reality

There’s a void between aspiration and reality, with many businesses expecting a level of controls and policy compliance from their suppliers that they only aspire to internally but have so far failed to embrace. If exposed at any point, this can lead to reduced trust in the business relationship. Larger organisations within a supply chain often have mature cyber security capabilities and resist changing them to meet external customer requirements. Conversely, the smaller organisations within a supply chain rarely have access to the funding or skills required to effectively address cyber security requirements.

A compliance-led approach to cyber security is not enough to manage the threats presented by the rise in highly capable and determined adversaries. The focus must change to risk-informed resilience, detection and response rather than an exclusive reliance on protection and prevention. Every organisation in the supply chain assesses – and is assessed by – every other organisation. This creates an expensive and distracting industry of rolling security controls assessments, with each organisation addressing the same risks in a different manner.

Supply chain risk management is increasingly concerned with engagement, collaboration and alignment, focusing on the identification of shared goals and objectives and the use of contracts to incentivise suppliers and reduce divergence in these goals rather than to enforce unwanted requirements. In parallel, internal cyber security is moving towards a collaborative, intelligence-driven approach, with a focus on preparation and training to deal with breaches. This is driving the development of information sharing forums within different sectors (already a common practice for many years at the larger end of the financial services sector).
A new, more collaborative and shared approach is needed to manage supply chain cyber risks as opposed to treating the supply chain as an external source of risk. What, then, might such an approach look like?

The first step is to identify existing information sharing relationships and invest time, money and trust in developing them. It’s crucial to evaluate the value of such forums to the wider extended ecosystem rather than the value of participation to a specific business. Larger players in the supply chain will have greater visibility and more capability to contribute than the smaller players.

A second step is to work towards identifying a definition of common controls or standards which can secure the backing of multiple participants in the supply chain. There are several options already available, with the Council on Cyber Security Critical Security Controls a good contender for larger organisations, and the IASME standard for SMEs and Cyber Essentials alternatives for smaller organisations. Where consensus can be reached with suppliers and competitors, the ability to compare like-for-like across the supply chain will be improved.

A key move is looking for opportunities to reward supply chain participants for information sharing and good hygiene as a replacement for punishing non-compliance. While a contract should be put in place to safeguard minimum standards, alignment and engagement should be the major priorities.
Sharing of capabilities

Finally, those firms and supply chain partners with mature cyber security capabilities – such as Security Operations Centres, incident response teams, security architecture practices, risk analysts and security testing teams – should consider moving beyond information sharing to the sharing of capabilities. Experience has shown that this helps improve coverage, efficiency and response times across the supply chain. By using the Security Operations Centre of an existing supplier to provide services to the wider supply chain, a data breach in the extended enterprise may be detected much earlier. As a result, it’s much less likely that the business continuity plan will have to be invoked because a supplier has failed to deliver part of a process.