Managing Supply Chain Risk

July 1, 2018

When NIST recently updated its Cybersecurity Framework, it added only one new core category: Supply Chain Risk Management (SCRM). Placed within the Framework’s “Identify” function, SCRM encompasses, but typically extends beyond, traditional vendor management approaches. That’s because the supply chain typically extends beyond suppliers to include other external parties, such as integrators and even third-party communications providers.

It is difficult to grasp the full extent of it all, no less manage it. Consider for a moment that NIST broadly defines the cyber supply chain as a “linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.” Wow.

Managing the supply chain becomes even more of challenge (although perhaps less of a risk) with the rise of cloud-based services for which most organizations lack any visibility into, understanding of, or control over the development, integration or deployment of the underlying technology.

So, what’s an organization to do? Focus on what’s material by recalling the four pillars of cyber SCRM: security, integrity, resilience and quality. Then, consider NIST’s five-step approach:

First, build up your program. Review whether your organization has adequate (or even minimal) processes in place to account for how supply chain issues can impact fundamental business objectives.
Second, line up your external dependencies in order of importance. As with all of risk management, supply chain issues must be assessed and then prioritized.
Third, write up supplier security requirements. When it comes to procurement, it’s crucial not only to read the fine print but also to write the fine print.
Fourth, follow up with third-party audits. Instead of doing these yourself, look for suppliers that hire qualified, independent experts to conduct periodic assessments as a matter of course.
Fifth, meet up with the most critical providers. Begin to assess with them whether they represent a single point of failure for your organization and, if so, how to mitigate that possibility. You might even extend an invitation for high-risk vendors to participate in your next tabletop exercise.

For motivation, it is good to be reminded that supply chain risk is not theoretical. Less than a year ago, the Department of Homeland Security warned of an advanced persistent threat where the initial victims were “peripheral organizations such as trusted third-party suppliers with less secure networks.” The ultimate targets, however, were government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors. This example may be particularly significant if your organization is a supplier. As the revised Framework makes clear, cyber SCRM addresses not only the cybersecurity effect external parties have on an organization but also the cybersecurity effect an organization has on external parties.

Finally, it is worth noting that mitigating supply chain risks is an ongoing effort. Although there’s no letting up, your organization most certainly can keep up and rise up.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Security Magazine

2020 October

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Related Articles

Report Abusive Comment