This week kicks off the 6th annual National Supply Chain Integrity Month, an initiative CISA leads together with other government agencies to highlight the importance of securing our nation’s most critical systems. This year’s theme, “Supply Chain Risk Management (SCRM) – The Recipe for Resilience,” encourages all stakeholders to take a comprehensive approach to strengthening their cyber defenses.
SecurityScorecard supports this campaign and is an active partner in driving resilience in supply chains globally. Earlier this year, during the World Economic Forum’s (WEF) Annual Meeting in Davos, we released a report on cyber resilience and critical infrastructure. We found that despite a decade or more of increased focus on cybersecurity in boardrooms, legislatures, and the media, cyber resilience is getting worse, not better. Increasing cyberattacks and highly publicized data breaches have undermined the public’s trust in the resilience of our societies, prompting business leaders and lawmakers worldwide to seek solutions for a mounting trust deficit. This is a stark reminder of why CISA’s focus on supply chains is important.
The focus on supply chains and cyber resilience
According to the WEF’s most recent annual cyber report, 90% of business and cyber leaders are concerned about the cyber resilience of third parties. And with 54% of organizations reporting a breach that originated with a third party, these concerns are justified.
Governments globally are equally concerned about supply chain risks. The SolarWinds attack catalyzed government interest in supply chain risk, and the more recent 3CX supply chain attack underscores how serious and how varied these risks are. With the Biden Administration’s recent release of its National Cybersecurity Strategy, multiple sector risk management agencies have already begun promulgating new requirements to measure, report, and manage third-party risk. In Europe, the evolving Cyber Resilience Act will place new vulnerability-handling and reporting requirements on manufacturers of products with digital elements. And in France, a new cyberscore law will require Internet-facing platform companies to disclose “report cards” on their cyber resilience based on third-party audits of systems and processes.
For organizations of all sizes and in all industries to earn trust and build cyber resilience, they need a simple way to quantify the cyber risk of any organization in the world, including the partners, contractors, and third- and fourth-party vendors in their supply chains. With this insight, organizations can identify the cyber risks posed by each supplier and make informed decisions that help their business partners strengthen their own cyber defenses.
Determine your third-party risk management program’s maturity
A useful exercise for any organization is to take an unbiased look at the maturity of its third-party program. SecurityScorecard has developed the following baseline quiz, which we’d like to highlight for organizations that are just beginning their journey:
- Does your organization have fully built-out and updated TPRM policies and procedures?
- Does your TPRM program have a dedicated person to manage vendors?
- Are vendor questionnaires sent out and tracked through a platform, not spreadsheets?
No two organizations’ third-party risk management (TPRM) programs are the same; however, most are at a level where they are only moderately managing vendor risk. The graphic below shows the overall TPRM maturity curve. As we begin Supply Chain Integrity Month, let’s start with a focus on fundamentals. Whether your TPRM program is non-existent or mature, there’s always more your organization can do to mitigate third-party risk.
Source: Expand Your Vendor Intelligence to Identify Active Threats, SecurityScorecard
Organizations that are low on the maturity curve should begin the process of building a more robust TPRM posture by taking the following steps:
- Identify business goals and objectives of managing third-party vendors to create a more formal TPRM program.
- Develop or reevaluate policies and procedures based on best practices.
- Choose a process or security assessment platform for sending questionnaires and collecting responses that help you assess the risk posed by your vendors and partners.
- Understand how and what to report to business leaders to show value and maintain the forward momentum of the TPRM program.
Harness tools to boost your supply chain cyber resilience
As your organization matures in its approach to managing supply chain risk, automation and continuous monitoring become vital to measuring and reporting on your risk posture, both internally and externally. If you are interested in a progressive process for building and enhancing a TPRM program, SecurityScorecard has built a detailed playbook for every phase of the maturity curve that you can access here.
Throughout this month, we will share practical observations aligned with the weekly focus areas identified by CISA. Next week we’ll dig into resources to help small and medium-sized businesses. In the following weeks, we will highlight more best practices for building resilient programs to manage supply chain risk and examine specific supply chain attack vectors observed across our global client base. SecurityScorecard believes public policy has been, and should remain, a major driver of overall cyber resilience. With that in mind, in the coming weeks we’ll also focus on policy outcomes and ideas to advance our collective posture.
No matter where your organization is in the process of managing vendor risk, you can’t let your guard down.