September 21, 2021
Building a Supply Chain Risk Management Program
These six steps can help protect data from breaches that occur through third-party partners.
Most organizations depend on numerous third-party vendors to help them carry out their day-to-day business operations. From technology infrastructure to payroll processing, external firms are embedded into almost every aspect of businesses. Relying on these specialists gives organizations access to expertise that they may lack internally and delivers economies of scale that many companies could never achieve on their own. However, integrating diverse firms into an organization’s operations also introduces potential risk that must be managed.
This isn’t a new risk. Many data breaches over the past decade have demonstrated the potential impact of a cybersecurity failure at a single supplier. In many cases, attackers compromised a seemingly innocuous part of a business to work their way into systems that handled more valuable workloads and data. In recent years, highly disruptive supply chain-based incidents have occurred after technology provided by third-party vendors was compromised.
Addressing these risks requires a thoughtful and comprehensive approach to supply chain risk management (SCRM). Let’s look at six things every organization should be doing right now to protect the security of its supply chain.
Integrate SCRM with Your Broader Enterprise Risk Management Program
SCRM should not exist in isolation. Organizations with mature enterprise risk management (ERM) programs should integrate SCRM monitoring and reporting with their existing risk management efforts to enable consolidated risk analysis, prioritization and treatment efforts.
Build and Maintain an Inventory of Partners
You can only manage the risks that you know about. Organizations should develop a list of all partners contributing to their supply chains and prioritize those vendors based on the likelihood and impact of potential risks.
Update Contracts with SCRM-Friendly Language
Supply chain risk management depends on receiving timely information from vendors about their own security controls. Ensure that contract language includes your right to receive that information and to subject the vendor to third-party audits and assessments.
Administer and Manage Vendor Surveys
Information management is at the core of SCRM. Organizations with many vendor relationships should develop standardized processes for requesting, reviewing and updating vendor assessments. Using a standardized survey instrument, such as those available from Shared Assessments, can go a long way toward this goal. However, organizations should also consider adopting management platforms that track and monitor the completion of these assessments to help manage the paperwork.
Deploy Strong Vendor Identity and Access Management Controls
Vendors often require access to an organization’s systems to carry out their work. Take the time to establish policies and procedures that apply strong multifactor authentication to this access, limit vendor access using the principle of least privilege and revoke access immediately when an engagement ends.
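The three controls in this section (multifactor authentication, least privilege, prompt revocation at engagement end) are simple to state but easy to let drift. The following is an added example, not code from the article or its author, showing how a periodic vendor access review can be automated against an inventory of vendor accounts. The permission names, engagement types, least-privilege profiles and the sample inventory are all constructed for illustration.

```python
"""Vendor access review: flag vendor accounts that violate the three controls
discussed above (MFA enrolled, least privilege, revocation at engagement end).

Everything below is illustrative: the permission names, engagement types and
sample accounts are constructed, not drawn from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical least-privilege profiles: the permissions each engagement type
# legitimately needs. Anything granted beyond the profile is over-provisioned.
LEAST_PRIVILEGE_PROFILES = {
    "payroll-processor": {"hr.read", "payroll.submit"},
    "network-support": {"netops.read", "netops.change"},
    "helpdesk": {"tickets.read", "tickets.write"},
}


@dataclass(frozen=True)
class VendorAccount:
    vendor: str
    username: str
    engagement: str            # key into LEAST_PRIVILEGE_PROFILES
    permissions: frozenset     # permissions actually granted today
    mfa_enrolled: bool
    engagement_end: date       # contractual end date of the engagement


@dataclass
class Finding:
    username: str
    issue: str
    action: str


def review_account(acct: VendorAccount, today: date) -> list[Finding]:
    """Return the control violations for one account (empty list if clean)."""
    findings: list[Finding] = []

    # Revocation: once the engagement has ended the account should not exist,
    # so report that and stop; the other checks are moot for a dead engagement.
    if today > acct.engagement_end:
        findings.append(Finding(acct.username,
                                "engagement ended on %s" % acct.engagement_end,
                                "disable account and revoke all permissions"))
        return findings

    # Strong authentication: every vendor identity must have MFA enrolled.
    if not acct.mfa_enrolled:
        findings.append(Finding(acct.username, "no MFA enrolled",
                                "block access until MFA is enrolled"))

    # Least privilege: compare granted permissions to the engagement's profile.
    allowed = LEAST_PRIVILEGE_PROFILES.get(acct.engagement)
    if allowed is None:
        findings.append(Finding(acct.username,
                                f"unknown engagement type {acct.engagement!r}",
                                "add engagement to inventory or revoke access"))
    else:
        excess = acct.permissions - allowed
        if excess:
            findings.append(Finding(acct.username,
                                    "permissions beyond profile: " + ", ".join(sorted(excess)),
                                    "remove excess permissions"))
    return findings


def review_inventory(accounts, today: date) -> dict[str, list[Finding]]:
    """Map username -> findings, including only accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory: one clean account, one over-provisioned account
# without MFA, and one whose engagement has already ended.
SAMPLE_INVENTORY = [
    VendorAccount("Acme Payroll", "acme-svc", "payroll-processor",
                  frozenset({"hr.read", "payroll.submit"}), True, date(2022, 6, 30)),
    VendorAccount("NetFix Ltd", "netfix-admin", "network-support",
                  frozenset({"netops.read", "netops.change", "hr.read"}), False, date(2022, 3, 31)),
    VendorAccount("OldDesk Inc", "olddesk-agent", "helpdesk",
                  frozenset({"tickets.read"}), True, date(2021, 8, 31)),
]

if __name__ == "__main__":
    for user, findings in review_inventory(SAMPLE_INVENTORY, date(2021, 9, 21)).items():
        for f in findings:
            print(f"{user}: {f.issue} -> {f.action}")
```

Run on a review date of 2021-09-21, the script reports nothing for the payroll account, flags the network-support account for missing MFA and for holding `hr.read` outside its profile, and marks the help desk account for revocation because its engagement ended on 2021-08-31. Feeding the real inventory (from the partner list described earlier) and the identity provider's MFA status into the same loop turns the three policies into a repeatable check rather than a one-time setup.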
Don’t Forget About Integrity and Availability Risks
Many SCRM efforts justifiably focus on protecting the confidentiality of sensitive information. Remember that the integrity and availability of information and systems are also cybersecurity goals. As vendors take on increasingly important roles in a firm’s day-to-day operations, ensuring the integrity and availability of their services becomes a crucial business concern.
Integrating specialized vendor solutions into business operations can bring valuable benefits to organizations, but it also exposes them to new risks. That doesn’t need to be a barrier to adopting new solutions, but it does require formal risk management practices.
Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security adviser at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.