Among the long list of priorities for cybersecurity leaders, potential blind spots in the digital supply chain are becoming increasingly important. Enterprises are beginning to understand their own boundaries, but the steps needed to improve third-party security are much less clear. So how can a CISO effectively gain assurance over supply chain partners while tackling this new frontier? And what does that mean for the enterprise security landscape?
Security is never truly “solved,” but modern CISOs and their teams recognize the need to put the necessary procedures in place and get a firm grip on immediate (first-party) security, and to understand the steps an organization should take to understand its own risks.
But there is still work to be done when it comes to supply chain security, which covers not only third parties but also fourth and even more distant parties in the supply chain (the suppliers of your suppliers). In ClubCISO’s latest annual Security Maturity Report, 29% of responding members cited supply chains as one of the top barriers to achieving their security goals. Supply chain security ranked fourth, behind perennial factors such as staffing, budgets and rapid business change, making it a concern for security leaders around the globe.
We need to recognize that supply chains come in many forms. In the digital ecosystem, they include providers of services, organizations to which enterprises outsource certain business functions, and the software vendors who provide the fabric on which businesses run. On a related note, the ClubCISO report found that supply chain vulnerabilities accounted for 22% of high-profile cyber incidents in the 12 months to 2022. The impact on the affected business will differ depending on whether the vulnerability hits a service provider or a software vendor.
For example, third-party service providers work closely with their clients and often hold potentially sensitive internal information, so a breach at the provider is, in effect, an incident the client must respond to as if it were its own. If a software vendor suffers a security incident, on the other hand, its customers typically have relatively little assurance about, or visibility into, their own exposure.
The increased complexity, variables, and entry points associated with these supply chains are a main reason why Zero Trust strategies have become so prevalent in the security space. This harder-line approach, which removes implicit trust and verifies every request regardless of where it originates, reduces the risk of business-impacting supply chain breaches by making security within the system perimeter more robust, but it does not completely solve the problem. Zero Trust authorization decides whether a given identity, device or piece of software is permitted to act; if the third party holding that identity or supplying that software has already been compromised, the authorization is granted to the attacker just as it would be to the legitimate partner.
Instead, organizations should also evaluate third-party vendors and suppliers (where possible) to ensure their security is adequate and does not jeopardize the integrity of the organization’s own systems.
Rob Robinson is Head of Telstra Purple in EMEA.
How do you assess your supply chain partners?
The practice of auditing third-party partners is still in its infancy, despite growing awareness that there are many dangerous blind spots throughout the supply chain. According to the latest UK government data, only 13% of companies review the risks posed by their direct suppliers, and even fewer (7%) review their broader supply chains. As a result, there is little standardization on the correct approach. How do you audit your vendors? How regularly? How do you approach the hundreds of suppliers already in your supply chain?
There are some challenges that need to be addressed. Qualifying new and existing suppliers from scratch can be daunting, so securing buy-in, in terms of both investment and cooperation, from internal stakeholders and from the suppliers themselves is important. Education may be required here to address a lack of understanding of the cybersecurity risks that inadequate supply chain security creates. Other, more technical challenges include limited visibility across the supply chain and inadequate tools and knowledge to accurately audit a supplier’s level of security.
So how should companies deal with this? The first key principle is that security professionals should be involved in vetting new vendors from the beginning, which is usually not the case today. When auditing vendor security, focus on the value of the information a third party can access, not just the sheer volume of it. Identify your “crown jewels” and audit top-down from there, starting with the suppliers who touch them. Once you have established your approach to supply chain auditing, apply it first to new supplier relationships. Once the approach has been refined and works well, extend it to existing suppliers, review contracts, and support suppliers as needed.
Despite the challenges and effort involved, security teams at large organizations need to start embracing vendor security audits not only as a benefit to their own supply chain security but as a form of corporate social responsibility. CISOs need to move away from viewing vendor audits as a chore and look at the bigger picture. Larger companies validating smaller vendors will drive growth and increase those vendors’ marketability elsewhere, and that advantage gives vendors more incentive to participate in rigorous security assessments.
Ultimately, this will have a significant impact on growth and support the “digital ecosystem” model that most industries aspire to. As more companies move to a cloud-first strategy, integrating and partnering with more companies and vendors to better serve their customers and scale operations faster, this is the direction security professionals should take. Larger companies that adopt this approach early will not only protect themselves from one of the leading sources of cyber incidents, but will also become more valuable partners to smaller vendors, and will ultimately support and improve cyber security across enterprises and industries.