Managing Supply Chain Risk

July 1, 2018

When NIST recently updated its Cybersecurity Framework, it added only one new core category: Supply Chain Risk Management (SCRM). Placed within the Framework’s “Identify” function, SCRM encompasses, but typically extends beyond, traditional vendor management approaches. That’s because the supply chain typically extends beyond suppliers to include other external parties, such as integrators and even third-party communications providers.

It is difficult to grasp the full extent of it all, no less manage it. Consider for a moment that NIST broadly defines the cyber supply chain as a “linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.” Wow.

Managing the supply chain becomes even more of challenge (although perhaps less of a risk) with the rise of cloud-based services for which most organizations lack any visibility into, understanding of, or control over the development, integration or deployment of the underlying technology.

So, what’s an organization to do? Focus on what’s material by recalling the four pillars of cyber SCRM: security, integrity, resilience and quality. Then, consider NIST’s five-step approach:

First, build up your program. Review whether your organization has adequate (or even minimal) processes in place to account for how supply chain issues can impact fundamental business objectives.
Second, line up your external dependencies in order of importance. As with all of risk management, supply chain issues must be assessed and then prioritized.
Third, write up supplier security requirements. When it comes to procurement, it’s crucial not only to read the fine print but also to write the fine print.
Fourth, follow up with third-party audits. Instead of doing these yourself, look for suppliers that hire qualified, independent experts to conduct periodic assessments as a matter of course.
Fifth, meet up with the most critical providers. Begin to assess with them whether they represent a single point of failure for your organization and, if so, how to mitigate that possibility. You might even extend an invitation for high-risk vendors to participate in your next tabletop exercise.

For motivation, it is good to be reminded that supply chain risk is not theoretical. Less than a year ago, the Department of Homeland Security warned of an advanced persistent threat where the initial victims were “peripheral organizations such as trusted third-party suppliers with less secure networks.” The ultimate targets, however, were government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors. This example may be particularly significant if your organization is a supplier. As the revised Framework makes clear, cyber SCRM addresses not only the cybersecurity effect external parties have on an organization but also the cybersecurity effect an organization has on external parties.

Finally, it is worth noting that mitigating supply chain risks is an ongoing effort. Although there’s no letting up, your organization most certainly can keep up and rise up.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

In this webinar, we review the results of a benchmark study that asked security professionals about their past, present and future outlook on manned guarding. Want to know what your peers are saying about their weekly billed hours? Join us to find out!

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.