Supply chain risk is more pertinent now that digital transformation initiatives are the norm. In a recent Ponemon study, 82% of respondents believe their organization experienced at least one data breach due to digital transformation. At the same time, 55% said with certainty that at least one of the three breaches was caused by a third party. Reporting on SCRM and gaining visibility into cyber risk across third parties is critical to the security of both small and large organizations, especially in the digital age we live in.
Balancing Quantitative and Qualitative Risk Insights for Supply Chain Reporting
Supply Chain Risk Management (SCRM) has been a “hot” topic for the past five to ten years. The NIST CSF had just come out with categories and subcategories, including a dedicated section for supply chain risk management. At the annual NIST Risk Management conference a few years ago, Ron Ross stood up and said, “Supply Chain is hot!” Everyone laughed, but it was true.
SCRM was top of mind years ago, as made evident by the DFARS 252.204-7012 and NIST SP 800-171 regulations, which came out to address cybersecurity risk in the defense supply chain, but it fell flat. It didn’t deliver the expected results, in part because it perpetuated the idea of checkbox compliance. Thus, the defense industrial base and Department of Defense leaders went back to the drawing board and came out with the Cybersecurity Maturity Model Certification (CMMC), aiming to increase cyber maturity rather than repeat a checkbox approach.
SCRM is also in the limelight with other industries such as energy and utilities, as made evident by supply chain requirements such as NERC CIP-013. The question of how to report on these initiatives remains. We’ve found that striking a balance between quantitative and qualitative information when reporting to management is the most powerful way to tell a story around cyber risk.
The goal of balancing quantitative and qualitative elements is to tell a story. Risk stories cover where we have been, what has happened, how we reacted, and how our learnings from those experiences inform where we are going. At larger enterprises, getting the visibility necessary to have these discussions is difficult, in part because data across thousands of environments is continuously changing, requiring new advances in artificial intelligence (AI) to tame. In smaller organizations, having enough resources and data to move past checkbox compliance is often the challenge. In both cases, regardless of company size, the cyber risk is enormous, especially when considering the supply chain.
Use Real-Time Risk Management to Build Cyber Resilience
Only when organizations achieve real-time risk management can the complexity of exposures within the supply chain be understood. There is a growing awareness, especially in light of the SolarWinds attack, that the supply chain is one of the most important areas to secure due to the potential for vulnerabilities. Implementing tools such as a risk register and automated assessment can assist with getting ahead of these vulnerabilities and aggregating the data required to manage risk. In parallel, deciding what metrics to drive around SCRM is essential.
When there are gaps, management must prioritize identifying them quickly and proactively, not reactively, and figuring out how to address them. Getting management buy-in takes seamless communication, which is why metrics and storytelling are valuable. There is plenty of data, but there hasn’t been a way to pull it in, tame it, and make it digestible. Until CISOs and their teams achieve this, supported by automated, real-time risk management, it will be difficult to make strategic, forward-looking decisions with cyber in mind.
The SolarWinds Attack Won’t Be the Last Major Software Supply Chain Event
Large organizations are just starting to get their arms around SaaS supply chain risk. There are a lot of applications in use today whose risk has not been fully accounted for. Security teams can only do so many application and software checks, and once that data is generated, we still need a view into the cyber risk it represents.
We know there will be another SolarWinds. The question is whether organizations can understand their risk exposures and make decisions to improve resiliency. Real-time risk management allows CISOs and their teams to game out scenarios. We can evaluate the risk of a zero day cascading through the supply chain; it just has to be communicated in a way that executives understand, which is why that balance of qualitative and quantitative data is critical to executive-level reporting. Organizations are looking to measure the risk exposure per application, how vulnerable the supply chain is, and the extent to which they can defend and protect themselves.
We can't blame the SolarWinds attack on a lack of proper risk management; this was an advanced attack that could happen to anyone. Nonetheless, the future of SCRM requires more data, more real-time analysis, more information sharing, and a better risk reporting methodology that sits upon such data. This will help organizations of all sizes avoid the pitfalls of today so they are more prepared for the advanced attacks of tomorrow.