A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.
A key issue is that the risk landscape has changed dramatically in recent years. Historically, the C-suite and board of directors have been concerned with long-acknowledged third-party risks such as quality issues, compliance violations, management changes, and bankruptcy. Today, globalization and an increasingly interconnected supply chain have broadened the risk landscape to encompass new threats. Indeed, just this week, Quest Diagnostics, one of the biggest blood testing providers in the country, warned that nearly 12 million of its customers may have had their financial and medical information breached due to an issue with one of its vendors.
In the wake of these new liabilities, it’s becoming increasingly apparent that organizations must move the needle on supply chain risk management. The question is: how?
You don’t know what you don’t know
Key to any progression on this issue is knowing what you’re dealing with. However, as the McKinsey report finds, most organizations don’t know where to start.
Unfortunately, gaining transparency into the security posture of hundreds or thousands of suppliers in a single supply chain is hard. Organizations must also contend with proprietary data restrictions. Some vendors, particularly Tier 1 or Tier 2 suppliers, may not want an end customer poking around in their supply chain network looking for indications of cyber risk.
The scope and scale of risk is also incredibly complex. IT and security teams can quickly become overwhelmed as they scramble to ascertain a vendor’s security rigor. Yet without this insight, it becomes impossible to address, quantify, and mitigate cyber risk.
Like a credit score for your vendor’s security posture
You need insights to be presented in an easy-to-understand manner and backed by data that correlates to potential security incidents and context. Security ratings can be highly effective in identifying risky vendors and potential supply chain vulnerabilities. These ratings can help you streamline contingency planning and put procedures in place to protect your organization from an attack or breach in your supply chain.
Security ratings are the cybersecurity equivalent of a credit score. Just as lenders view credit scores to grade how responsibly an individual manages their financial obligations over time, CISOs can use security ratings to quickly and easily communicate the scale and severity of a risk in the supply chain to a non-technical audience in the C-suite, boardroom, or with the vendor in question. Using this high-level, objectively-derived data can simplify the conversation around risk.
Like credit scores, security ratings are based on a scoring system and range from 250 to 900 – the higher the score, the less risk the vendor poses. In fact, our own research shows that organizations with a security rating of 500 or lower are five times more likely to be breached than those with a rating of 700 or higher.
A proactive, not punitive, approach to vendor risk
With a common understanding of risk, first and third parties can foster a proactive and collaborative approach to risk management. You can work together with your vendors to remediate risks across the supply chain – before a breach becomes a reality and jeopardizes your business relationship.
Security ratings are especially useful for managing cyber risk in supply chain interactions where cybersecurity transparency has historically been lacking. Because these ratings rely on verifiable, externally observable events or trends, it becomes much easier to get around the proprietary data restrictions that limit visibility into the security posture of each link in your supply chain. Using this capability, you can drill down into potential issues on your vendor’s network, their patching cadence, and other vulnerabilities that even your vendors may not be aware of.
Manage supply chain cyber risk with speed and conviction
Currently, 59% of breaches originate with third-party vendors. As globalization brings new and complex supply chain risk management worries, that number is likely to grow. As you seek to manage and mitigate the risk of known, unknown, and even “unknown unknowns” in your supply chain, a comprehensive third-party risk management program that utilizes security ratings can help you quickly scale your monitoring of third and even fourth parties. Armed with these insights, you can make risk decisions with greater conviction, speed, and effectiveness.