Managing Supply Chain Risk

July 1, 2018

When NIST recently updated its Cybersecurity Framework, it added only one new core category: Supply Chain Risk Management (SCRM). Placed within the Framework’s “Identify” function, SCRM encompasses, but typically extends beyond, traditional vendor management approaches. That’s because the supply chain typically extends beyond suppliers to include other external parties, such as integrators and even third-party communications providers.

It is difficult to grasp the full extent of it all, no less manage it. Consider for a moment that NIST broadly defines the cyber supply chain as a “linked set of resources and processes between multiple tiers of developers that begins with the sourcing of products and services and extends through the design, development, manufacturing, processing, handling, and delivery of products and services to the acquirer.” Wow.

Managing the supply chain becomes even more of challenge (although perhaps less of a risk) with the rise of cloud-based services for which most organizations lack any visibility into, understanding of, or control over the development, integration or deployment of the underlying technology.

So, what’s an organization to do? Focus on what’s material by recalling the four pillars of cyber SCRM: security, integrity, resilience and quality. Then, consider NIST’s five-step approach:

First, build up your program. Review whether your organization has adequate (or even minimal) processes in place to account for how supply chain issues can impact fundamental business objectives.
Second, line up your external dependencies in order of importance. As with all of risk management, supply chain issues must be assessed and then prioritized.
Third, write up supplier security requirements. When it comes to procurement, it’s crucial not only to read the fine print but also to write the fine print.
Fourth, follow up with third-party audits. Instead of doing these yourself, look for suppliers that hire qualified, independent experts to conduct periodic assessments as a matter of course.
Fifth, meet up with the most critical providers. Begin to assess with them whether they represent a single point of failure for your organization and, if so, how to mitigate that possibility. You might even extend an invitation for high-risk vendors to participate in your next tabletop exercise.

For motivation, it is good to be reminded that supply chain risk is not theoretical. Less than a year ago, the Department of Homeland Security warned of an advanced persistent threat where the initial victims were “peripheral organizations such as trusted third-party suppliers with less secure networks.” The ultimate targets, however, were government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors. This example may be particularly significant if your organization is a supplier. As the revised Framework makes clear, cyber SCRM addresses not only the cybersecurity effect external parties have on an organization but also the cybersecurity effect an organization has on external parties.

Finally, it is worth noting that mitigating supply chain risks is an ongoing effort. Although there’s no letting up, your organization most certainly can keep up and rise up.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Who's Responsible for Cloud Security?

Clear, Purge & Destroy: When Data Must be Eliminated, Part 2

Clear, Purge & Destroy: When Data Must be Eliminated

Bug Bounty Programs: An Emerging Best Practice

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

Managing Supply Chain Risk

Recent Articles by Steven Chabinsky

Related Articles

The latest news and information

Content written for business-minded executives who manage enterprise risk and security