When it comes to cyber risk, company size doesn't matter

<a href='https://www.freepik.com/photos/computer'>Computer photo created by pressfoto - www.freepik.com</a>

Supply Chain Risk is more pertinent now that digital transformation initiatives are the norm. In a recent Ponemon study, 82% of respondents believe their organization experienced at least one data breach due to digital transformation. At the same time, 55% said with certainty that at least one of the three breaches was caused by a third party. Reporting on SCRM and gaining visibility into the cyber risk across third parties is critical to the security of both small and large organizations, especially in the digital age we live in.

Balancing Quantitative and Qualitative Risk Insights for Supply Chain Reporting

Supply Chain Risk Management (SCRM) has been a “hot” topic in the past five to ten years. The NIST CSF had just come out with categories and subcategories, with a dedicated section for supply chain risk management. At the annual NIST Risk Management conference a few years ago, Ron Ross stood up and said, “Supply Chain is hot”! Everyone laughed, but it was true.

SCRM was top of mind back years ago, as made evident by DFARS 252.204-7012 or NIST SP 800-171 regulation, which came out to address cybersecurity risk in the defense supply chain, but it fell flat. It didn’t deliver the expected results, in part because it perpetuated the idea of checkbox compliance. Thus, the Defense industrial base and Department of Defense leaders went back to the drawing board and came out with the Cybersecurity Maturity Model Certification (CMMC), aiming to increase cyber maturity rather than a checkbox approach.

SCRM is also in the limelight with other industries such as energy and utilities, as made evident by supply chain requirements such as NERC CIP-013. The question of how to report on these initiatives remains. We’ve found that striking a balance between quantitative and qualitative information when reporting to management is the most powerful way to tell a story around cyber risk.

The goal of balancing quantitative and qualitative elements is to tell a story. Risk stories cover where we have been, what has happened, how we reacted, and how our learnings from those experiences inform where we are going. At larger enterprises, getting the visibility necessary to have these discussions is difficult, in part because data across thousands of environments is continuously changing, requiring new advances in artificial intelligence (AI) to tame. In smaller organizations, having enough resources and data to move past checkbox compliance is often the challenge. In both cases, the cyber risk is enormous, especially when considering the supply chain - regardless of company size.

Use Real-Time Risk Management to Build Cyber Resilience

Only when organizations achieve real-time risk management can the complexity of exposures within the supply chain be understood. There is a growing awareness, especially in light of the SolarWinds attack, that the supply chain is one of the most important areas to secure due to the potential for vulnerabilities. Implementing tools such as a risk register and automated assessment can assist with getting ahead of these vulnerabilities and aggregating the data required to manage risk. In parallel, deciding what metrics to drive around SCRM is essential.

When there are gaps, quickly identifying them proactively, not reactively, and figuring out how to address them must be prioritized by management. Getting management buy-in takes seamless communication, which is why metrics and storytelling are valuable. There is plenty of data, but there hasn’t been a way to pull it in, tame it, and make it digestible. Until CISOs and teams achieve this supported by automated, real-time risk management, it will be difficult to make strategic, forward-looking decisions with cyber in mind.

The SolarWinds Attack Won’t Be the Last Major Software Supply Chain Event

Large organizations are just starting to get their arms around SaaS supply chain risk. There are a lot of applications in use today where the risk has not fully been accounted for. Security teams can only do so many application and software checks, but we need a view into cyber risk once we generate that data.

We know there will be another SolarWinds. The question is, can organizations understand their risk exposures and can they make decisions to improve resiliency? This approach allows CISOs and teams to game out scenarios. We can evaluate the risk of a Zero Day cascading through the supply chain; it just has to be communicated in a way that executives understand - which is why that balance of qualitative and quantitative data is critical to executive-level reporting. Organizations are looking to measure the risk exposure per application, how vulnerable the supply chain is, and the extent to which we can defend and protect ourselves.

We can't blame the SolarWinds attack on lack of proper risk management; this was an advanced attack that could happen to anyone. Nonetheless, the future of SCRM requires more data, more real-time analysis, more information sharing, and a better risk reporting methodology that sits upon such data. This will help organizations of all sizes avoid the pitfalls of today so they are more prepared for the advanced attacks of tomorrow.

Padraic O'Reilly is Chief Product Officer and Co-Founder at CyberSaint, where he leads product innovation and development. His experience as a Harvard-trained economist, IT risk and compliance consultant, and his rapid exposure to Cybersecurity led him to seek out CISOs, CIOs, and Boards of Directors at global organizations to pursue the answer to the question - how can cyber be managed, measured, and understood like any other business function? Padraic’s current activity spans working directly with organizations from public agencies to private companies across the globe to understand how to measure cyber risk, especially amidst the global pandemic which is fueling massive digital transformation projects around the world. Padraic was a key member of the group providing feedback on the NIST Cybersecurity Framework during its development and is an expert in regulatory standards both in security and privacy, including the NIST Risk Management and NIST Privacy Frameworks. An expert in Artificial Intelligence (AI) and economic modeling, Padraic works with members of the Global 500 to research and deploy risk quantification, risk intelligence gathering, and risk reporting and communication strategies. Padraic also holds a patent entitled, “System and Method for Monitoring And Grading A Cybersecurity Framework” which has inspired much of his work on cohesive IT and cyber risk management approaches.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.