New Study: Organizations Struggle to Manage Cyber Risk in Their Supply Chains

Brian Thomas | June 11, 2019

A new report from McKinsey & Company sheds light on something we’ve known for many years – organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains.

A key issue is that the risk landscape has changed dramatically in recent years. Historically, the C-suite and board of directors have been concerned with long-acknowledged third-party risks such as quality issues, compliance violations, management changes, and bankruptcy. Today, globalization and an increasingly interconnected supply chain have broadened the risk landscape to encompass new threats. Indeed, just this week, Quest Diagnostics, one of the biggest blood testing providers in the country, warned that nearly 12 million of its customers may have had their financial and medical information breached due to an issue with one of its vendors.

In the wake of these new liabilities, it’s becoming increasingly apparent that organizations must move the needle on supply chain risk management. The question is how?

You don’t know what you don’t know

Key to any progression on this issue is knowing what you’re dealing with. However, as the McKinsey report finds, most organizations don’t know where to start.

Unfortunately, gaining transparency into the security posture of hundreds or thousands of suppliers in a single supply chain is hard. Organizations must also contend with proprietary data restrictions. Some vendors, particularly Tier 1 or Tier 2 suppliers, may not want an end customer poking around in their supply chain network looking for indications of cyber risk.

The scope and scale of the risk are also complex. IT and security teams can quickly become overwhelmed as they scramble to ascertain each vendor's security rigor. Yet without this insight, it is impossible to quantify, address, and mitigate cyber risk.

Like a credit score for your vendor’s security posture

You need insights presented in an easy-to-understand manner, backed by data that correlates with actual security incidents, and supplied with context. Security ratings can be highly effective in identifying risky vendors and potential supply chain vulnerabilities. These ratings can help you streamline contingency planning and put procedures in place to protect your organization from an attack or breach in your supply chain.

Security ratings are the cybersecurity equivalent of a credit score. Just as lenders use credit scores to grade how responsibly an individual has managed their financial obligations over time, CISOs can use security ratings to quickly and easily communicate the scale and severity of a risk in the supply chain to a non-technical audience, whether in the C-suite, in the boardroom, or at the vendor in question. Using this high-level, objectively derived data simplifies the conversation around risk.

Like credit scores, security ratings are based on a scoring system and range from 250 to 900; the higher the score, the less risk the vendor poses. Our own research shows that organizations with a security rating of 500 or lower are five times more likely to be breached than those with a rating of 700 or higher.

A proactive, not punitive, approach to vendor risk

With a common understanding of risk, first and third parties can foster a proactive and collaborative approach to risk management. You can work together with your vendors to remediate risks across the supply chain before a breach becomes a reality and jeopardizes your business relationship.

Security ratings are especially useful for managing cyber risk in supply chain relationships where transparency has historically been lacking. Because these ratings rely on verifiable, externally observable events and trends, they make it much easier to get around the proprietary data restrictions that limit visibility into the security posture of each link in your supply chain. Using this capability, you can drill down into potential issues on your vendor's network, their patching cadence, and other exposures that even your vendors may not be aware of. One caveat: because the data is gathered from outside, ratings cannot see internal controls such as access management or incident response processes, so they complement rather than replace questionnaires, audits, and contractual security requirements.

Manage supply chain cyber risk with speed and conviction

Currently, 59% of breaches originate with third-party vendors. As globalization brings new and complex supply chain risk management worries, that number is likely to grow. As you seek to manage and mitigate known risks, unknown risks, and even "unknown unknowns" in your supply chain, a comprehensive third-party risk management program that uses security ratings can help you quickly scale your monitoring of third and even fourth parties. Armed with these insights, you can make risk decisions with greater conviction, speed, and effectiveness.
