How to Choose the Right Supply Chain Cyber Risk Managed Service
AI isn’t going to be the hot topic of the next year; it’s going to be data breaches in the supply chain and the cost that companies face by not reacting quickly to this emerging threat.
The cyber attack on Change Healthcare, one of the world’s largest health payment processing companies, illustrates this point. Change Healthcare was a clearing house for 15 billion medical claims annually—accounting for nearly 40% of all claims. A cyberattack knocked the company offline, resulting in a backlog of unpaid claims that left doctors’ offices and hospitals with serious cash flow problems—threatening patients’ access to care.
The time for action is now. A supply chain cyber risk managed service is the solution to identify and mitigate these growing threats proactively.
The Current State of Supply Chain Cyber Risk Management
Supply chain or third-party risk management (TPRM) is a process and set of practices organizations use to identify, assess, and mitigate the risks associated with third-party vendors, suppliers, contractors, and other external entities that have access to or impact the organization’s data, systems, and operations. TPRM is crucial because third parties can introduce significant organizational risks, including data breaches, compliance violations, operational disruptions, and reputational damage.
Supply chain risk management covers many risk areas, including cyber, financial, and ESG. Industry research has increasingly indicated that most TPRM professionals may underestimate or underinvest in the cyber pillar of supply chain risk management.
The cyber blind spot within most TPRM programs is real and driven by these factors:
Increasing size of supply chain dependencies
The proliferation and specialization of software tools, direct marketing to users, and the search for cutting-edge technologies have helped skyrocket the number of vendors that typical organizations depend on. The growth in an organization’s supply chain necessitates growth in the responsibilities of a TPRM program.
Exclusive reliance on single-point-in-time assessments
Typical TPRM programs are built around questionnaires sent to vendors to understand vendor security policies, practices, and controls. These questionnaires can’t capture necessary nuances or maintain visibility of active threats and emerging vulnerabilities. As a result, the evidence provided in questionnaires can quickly become obsolete, and 100% reliance on them can foster a false sense of security.
Limited TPRM resources and capacity
Budgets under stress and staffing shortages force many TPRM programs to focus on a relatively small number of critical vendors, if any at all. Yet organizations also have a long tail of vendors who provide less critical services; these vendors are ignored but can create meaningful attack vectors for threat actors. This issue is compounded in maturing TPRM programs that rely on labor-intensive spreadsheet management and other manual risk assessment processes.
Lack of cybersecurity expertise
TPRM programs tend to be driven by risk management professionals with skill sets better suited to managing financial, operational, compliance, strategic, and reputational risks. They work with IT or security professionals when in-depth assessments are required. Given the dynamic nature of cyber risk, this lack of in-house expertise and the resulting dependence on security professionals can delay mitigation of active threats or novel vulnerabilities.
What is a Supply Chain Cyber Risk Managed Service?
As discussed before, teams in the Vendor Risk and traditional TPRM space aren’t calibrated for the cyber risks they are now facing, and they find themselves unable to keep pace with breaches, CVEs, assessments, and more. A team to respond to dynamic cyber risks can be built, but that takes time and more money. That is where supply chain cyber risk managed services come in.
Supply chain cyber risk managed services are technology-enabled services that prevent third-party breaches. This type of service leverages artificial intelligence, risk and threat telemetry, and elite cybersecurity experts to improve an organization’s supply chain cybersecurity posture.
Supply chain cyber risk managed services have three capability pillars, all delivered by a Vendor Risk Operation Center (VROC). A VROC comprises professionals with experience in cybersecurity investigations across government and private sectors and expertise in digital forensics, incident response, threat hunting, and third-party risk management.
What isn’t a Supply Chain Cyber Risk Managed Service?
As discussed, supply chain cyber risk managed services offer multiple value propositions. Given the pace of innovation and investment in the security industry, other solutions may provide overlapping capabilities, but none of them constitutes a complete supply chain cyber risk managed service.
Managed security services
Like supply chain cyber risk managed services, managed security services offer outsourced security program management. The difference is in their scope. Managed security services focus on protecting internal assets and remediating issues within the customer organization, while supply chain cyber risk managed services focus on remediating issues across an organization’s attack surface, which includes its own digital footprint and that of its third-party ecosystem.
Managed questionnaire services
Specialized firms can handle the creation, distribution, collection, and analysis of risk assessment questionnaires sent to third-party vendors. However, these only gather evidence using questionnaires. Supply chain cyber risk managed services go beyond these services since they review attack surface data that can’t be captured in questionnaires and work directly with vendors to explain findings and drive remediation.
Technology onboarding services
Supply chain cyber risk managed services are built on a technology platform, and other vendors offer similar technology platforms. These vendors also have services designed to accelerate the platform deployment, but once deployment is complete, the customer is fully responsible for managing the platform’s use. Unlike technology onboarding services, supply chain cyber risk managed services can also configure technology for deployment and fully administer the platform on the customer’s behalf.
Evaluating Your Supply Chain Security Needs
Understanding Your Vendors
Strengthening your supply chain security starts with a clear understanding of your vulnerabilities. Evaluating your supply chain security needs involves pinpointing critical points where a breach could cause significant disruption. This could be identifying vendors with access to sensitive data or those managing crucial infrastructure. Once you understand your weak spots, getting to know your vendors better is essential. Assessing their security practices, data handling procedures, and incident response plans helps identify potential risks they may introduce. By prioritizing vendors based on their role and security maturity, you can focus resources on shoring up vulnerabilities and building a more resilient supply chain.
Critical Questions for Vendor Security
Here are some key questions to ask your vendors to gain a deeper understanding of their security practices:
Data Security:
- How do you secure sensitive data (customer information, intellectual property) at rest and in transit? (Encryption standards?)
- What access controls do you have to restrict access to sensitive data? (Least privilege principle?)
Security Practices:
- Do you have a documented security policy outlining your data protection and incident response approach?
- Do you regularly conduct security assessments and penetration testing of your systems?
- How do you update your software and systems with the latest security patches?
Incident Response:
- Do you have a documented incident response plan?
- How will you notify us of a security breach involving our data?
- What steps will you take to contain and remediate a security incident?
Vendor Management:
- Do you have security requirements for your third-party vendors?
- How do you ensure the security of your supply chain?
Visibility into Your Supply Chain Risk
Achieving robust supply chain security hinges on clear visibility into the potential risks lurking within your network. Imagine a complex map – without a complete picture, blind spots can harbor vulnerabilities. Evaluating your supply chain security needs requires gaining visibility into your entire chain, from raw material suppliers to final product distributors. This includes understanding every vendor, subcontractor, and logistics partner’s security practices. You can pinpoint potential weaknesses by mapping your supply chain and assessing each player’s security posture. This newfound visibility allows you to prioritize vendors based on risk and allocate resources to fortify the most vulnerable areas. With a clear view of your supply chain landscape, you can proactively address risks and build a more secure and resilient network.
How To Use A Supply Chain Cyber Risk Managed Service At Your Organization
Supply chain cyber risk managed services are ready to meet any organization where it is in its TPRM journey. Their flexibility allows organizations to choose precisely how to engage the service.
Ad hoc or nonexistent TPRM
At organizations without a formal TPRM program, a supply chain cyber risk managed service creates a foundation for the organization to begin taking action to secure its supply chain. A TPRM program can quickly be established by leveraging well-defined best practices that have been proven to work in organizations of similar backgrounds.
Labor-intensive TPRM
At organizations where a TPRM program is built on manual processes and crushed under the weight of a growing number of vendors and assessments, a supply chain cyber risk managed service can create the efficiencies necessary to close security gaps and ensure compliance. A TPRM program can gain the agility needed to tackle challenging new threats while maintaining a consistent operating model for managing known and ordinary risks.
Standardized and repeatable TPRM
Even organizations with smoothly operating TPRM programs are not immune to budget pressures and must prioritize limited resources. In these cases, a supply chain cyber risk managed service can be brought in to shift focus toward strategic risk management efforts while an independent team administers the TPRM aspects.
How to Measure Success
Metrics to Look At
Risk reduction can be challenging to measure since the goal is to prevent something bad from happening. If nothing bad happens, is it because of actions taken, or was it never going to happen? Despite this characteristic of risk, the performance of a supply chain cyber risk managed service can be effectively measured through metrics that serve as proxies for risk reduction.
- Number of vendors monitored – Describes size and scope of the program.
- Vendor response rate – Percentage of vendors who accept the TPRM program onboarding invitation.
- High-risk vendor decrease rate – Percentage of vendors that move from high to low or medium risk.
- Low-risk vendor increase rate – Percentage of vendors moving to low risk from high or medium.
- Vendor patching compliance – Percentage of vendors who remediate issues after notification.
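The five metrics above are straightforward to compute once vendor records carry the previous and current risk tier, the onboarding status, and whether notified findings were closed. The script below is an added example, not code from the page or from any managed service provider; the Vendor record shape, the tier names, and the sample vendor list are all constructed here for illustration, and the percentages are rounded to two decimals.

```python
from dataclasses import dataclass
from typing import Optional

# Risk tiers assumed for this example, from best to worst.
TIERS = ("low", "medium", "high")


@dataclass
class Vendor:
    """One third party tracked by the program (hypothetical record shape)."""
    name: str
    invited: bool                # sent a TPRM onboarding invitation
    onboarded: bool              # accepted the invitation and is now monitored
    risk_before: Optional[str]   # tier at the previous assessment, None if unassessed
    risk_after: Optional[str]    # tier at the current assessment, None if unassessed
    notified: bool               # notified of at least one security finding
    remediated: bool             # closed every notified finding


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to two decimals; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def program_metrics(vendors):
    """Return the metric proxies listed above as a dict."""
    monitored = [v for v in vendors if v.onboarded]
    invited = [v for v in vendors if v.invited]
    # Only vendors assessed in both snapshots can move between tiers.
    assessed = [v for v in monitored
                if v.risk_before in TIERS and v.risk_after in TIERS]
    was_high = [v for v in assessed if v.risk_before == "high"]
    was_high_or_medium = [v for v in assessed if v.risk_before != "low"]
    notified = [v for v in monitored if v.notified]

    return {
        # Size and scope of the program.
        "vendors_monitored": len(monitored),
        # Vendors who accepted the onboarding invitation.
        "vendor_response_rate": pct(len(monitored), len(invited)),
        # Formerly high-risk vendors now rated medium or low.
        "high_risk_decrease_rate": pct(
            sum(1 for v in was_high if v.risk_after != "high"), len(was_high)),
        # Formerly high- or medium-risk vendors now rated low.
        "low_risk_increase_rate": pct(
            sum(1 for v in was_high_or_medium if v.risk_after == "low"),
            len(was_high_or_medium)),
        # Notified vendors who remediated their findings.
        "vendor_patching_compliance": pct(
            sum(1 for v in notified if v.remediated), len(notified)),
    }


# Constructed sample data: six invited vendors, five of which onboarded.
SAMPLE_VENDORS = [
    Vendor("alpha-payroll", True, True, "high", "low", True, True),
    Vendor("beta-hosting", True, True, "high", "high", True, False),
    Vendor("gamma-analytics", True, True, "medium", "low", True, True),
    Vendor("delta-print", True, True, "low", "low", False, False),
    Vendor("epsilon-staffing", True, False, None, None, False, False),
    Vendor("zeta-logistics", True, True, "high", "medium", True, True),
]

if __name__ == "__main__":
    for key, value in program_metrics(SAMPLE_VENDORS).items():
        print(f"{key}: {value}")
```

Keeping the denominators explicit matters when reading these numbers: the decrease and increase rates are measured against the vendors that were actually in the worse tiers last period, and an empty population yields 0.0 rather than an error, so a young program with no high-risk vendors does not report a spurious 100% improvement.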
How to Prioritize Improvements
Identify high-risk areas: Analyze your supply chain to pinpoint areas most vulnerable to cyberattacks. This could include suppliers with weak security practices, critical infrastructure points, and systems handling sensitive data (e.g., intellectual property).
Prioritize based on threats: Evaluate the types of cyber threats most likely to target your supply chain. Consider common attacks like ransomware, phishing scams, and supply chain infiltration attempts. Focus MDR improvements on addressing these specific threats.
Scalability: Ensure your MDR solution can scale to accommodate future growth and changes in your supply chain.
Integration: Consider how your MDR integrates with other security tools and systems within your organization. Seamless integration helps streamline threat detection and response efforts.
Regulatory Compliance: Factor in any relevant industry regulations or data privacy laws that may impact your MDR requirements.