Stopping every attack is unrealistic, but doing the same thing repeatedly and expecting a different result isn’t going to cut it anymore. Despite years of heavy investment in security controls, organizations aren’t seeing the level of cybersecurity hygiene they need.
If CISOs are to combat emerging supply chain cyber security threats, a new approach is needed. It’s time for CISOs to capitalize on their authority. Rather than throw up their arms and say there’s not much more they can do to reduce risk, let’s look at four things CISOs can do to transform supply chain cyber security risk management.
To ensure that third parties adhere to a company’s security standards, vendors must be properly vetted during the onboarding process. This typically involves point-in-time security questionnaires or assessments. The problem with this approach is that the input is subjective and, without an extensive audit of the third party’s security program, unverifiable.
A better approach is to use a risk assessment tool, like BitSight Security Ratings. Security ratings provide immediate, up-to-date, and objective data about a third party’s security posture. These ratings, which range from 250 to 900 with a higher score suggesting a stronger security posture, empower CISOs to compare vendors’ security profiles side-by-side and make decisions based on risk.
With this data in hand, security managers can prioritize which vendors need the most attention prior to onboarding, such as a more in-depth assessment. The result is a more accurate real-time picture of cyber risk than can be achieved by completing costly risk assessments, penetration tests, or vulnerability scans.
CISOs should also push to include cyber security risk in their companies’ vendor contracts. For example, to ensure that vendors hold up to their ends of the security bargain, many organizations are incorporating service level agreements (SLAs) into their contracts. Some require that their vendors communicate and mitigate any security issues within a certain time frame, such as 48 or 72 hours after being detected.
This won’t prevent a third-party data breach, but it will hold the vendor accountable should their cyber risk posture change and they fail to act to remediate it.
Once a vendor is onboarded it’s critical that CISOs lead the security team to keep tabs on the cybersecurity postures of all their vendors – not just the most critical – for the life of the relationship. This means continuously monitoring for vulnerabilities that hackers can exploit to move up the supply chain, such as insecure ports, misconfigured software, botnet infections, and unpatched systems.
With security ratings as part of a third-party risk management program, CISOs can enable their teams to move beyond point-in-time snapshots and continuously and automatically assess a vendor’s cybersecurity posture – without overwhelming them. Using technology that provides instant alerts to indicate when a vendor’s rating falls below pre-agreed thresholds can set an organization up for fast intervention and quicker risk reduction.
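The two controls above, a contractual remediation window (the 48- or 72-hour SLAs) and an alert when a vendor’s rating falls below a pre-agreed threshold, are easier to reason about when the logic is written out. The following is an added example, not BitSight’s code or API; it assumes a rating history for each vendor has already been fetched from whatever rating source is in use, and all vendor names, thresholds, and rating snapshots are constructed for illustration. It fires one alert per downward threshold crossing (so a vendor that stays below the line for a week does not reset the SLA clock every day) and reports whether the vendor recovered inside the agreed window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

# Rating scale as described in the article: 250 (weakest) to 900 (strongest).
RATING_MIN, RATING_MAX = 250, 900


@dataclass(frozen=True)
class VendorPolicy:
    """Per-vendor terms agreed in the contract (hypothetical structure)."""
    name: str
    threshold: int   # minimum acceptable rating before intervention
    sla_hours: int   # contractual window to communicate and mitigate, e.g. 48 or 72


@dataclass(frozen=True)
class Alert:
    vendor: str
    observed_at: datetime
    rating: int
    threshold: int
    remediate_by: datetime   # observed_at + SLA window


def validate_rating(rating: int) -> int:
    """Reject values outside the published scale; they indicate bad input, not risk."""
    if not RATING_MIN <= rating <= RATING_MAX:
        raise ValueError(f"rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    return rating


def threshold_alerts(policy: VendorPolicy,
                     snapshots: Sequence[Tuple[datetime, int]]) -> List[Alert]:
    """Return one alert per downward crossing of the agreed threshold.

    Snapshots are (timestamp, rating) pairs in chronological order. An alert fires
    when the rating goes from at-or-above the threshold to below it; staying below
    on later days does not re-alert, so the SLA clock keeps its original start.
    """
    alerts: List[Alert] = []
    previously_ok = True   # treat the onboarding baseline as compliant
    for observed_at, rating in snapshots:
        validate_rating(rating)
        below = rating < policy.threshold
        if below and previously_ok:
            alerts.append(Alert(policy.name, observed_at, rating, policy.threshold,
                                observed_at + timedelta(hours=policy.sla_hours)))
        previously_ok = not below
    return alerts


def restored_after(alert: Alert,
                   snapshots: Sequence[Tuple[datetime, int]]) -> Optional[datetime]:
    """First snapshot after the alert where the rating is back at/above threshold."""
    for observed_at, rating in snapshots:
        if observed_at > alert.observed_at and rating >= alert.threshold:
            return observed_at
    return None


def sla_status(alert: Alert, now: datetime,
               restored_at: Optional[datetime] = None) -> str:
    """'met' if recovered inside the window, 'breached' if recovered late,
    'overdue' if still unresolved past the deadline, otherwise 'open'."""
    if restored_at is not None:
        return "met" if restored_at <= alert.remediate_by else "breached"
    return "overdue" if now > alert.remediate_by else "open"


def report(policy: VendorPolicy, snapshots: Sequence[Tuple[datetime, int]],
           now: datetime) -> List[Tuple[str, int, str, str]]:
    """One row per alert: (date seen, rating, deadline, SLA status)."""
    rows = []
    for alert in threshold_alerts(policy, snapshots):
        status = sla_status(alert, now, restored_after(alert, snapshots))
        rows.append((alert.observed_at.date().isoformat(), alert.rating,
                     alert.remediate_by.isoformat(), status))
    return rows


# Constructed sample data, not real vendor ratings.
ACME_POLICY = VendorPolicy(name="acme-hosting", threshold=650, sla_hours=72)
ACME_SNAPSHOTS = [
    (datetime(2021, 3, 1), 710),
    (datetime(2021, 3, 2), 700),
    (datetime(2021, 3, 3), 620),   # drops below 650: alert, SLA clock starts
    (datetime(2021, 3, 4), 610),   # still below, no second alert
    (datetime(2021, 3, 7), 680),   # restored four days later, past a 72h SLA
]
REPORT_DATE = datetime(2021, 3, 8)


def acme_report() -> List[Tuple[str, int, str, str]]:
    return report(ACME_POLICY, ACME_SNAPSHOTS, REPORT_DATE)


if __name__ == "__main__":
    for row in acme_report():
        print(*row)
```

The crossing-only rule is the design point worth keeping whatever tool produces the ratings: re-alerting on every snapshot below the threshold floods the team the article says it wants to avoid overwhelming, and it quietly moves the SLA deadline, which makes the contractual clause unenforceable.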
Finally, it’s important that CISOs work collaboratively, not combatively, with the vendor community to reduce risk and fix security issues quickly so that they don't end up in a situation like the SolarWinds hack.
This means raising awareness of tools vendors can use to continuously monitor their own digital environment for cyber risk – and even compare their environment to that of their peers.
CISOs can also give vendors access to their BitSight Security Ratings portal with BitSight Enable Vendor Access (EVAs). From here vendors can monitor their ratings, identify vulnerabilities, and get actionable and specific recommendations about how they can strengthen network security.
While the SolarWinds breach poses urgent cyber security challenges, it’s also an opportunity for CISOs to flex their security muscles and assert their executive standing to transform how risk is assessed and mitigated across the vendor ecosystem. Not only will the CISO and the organization benefit from this scalable approach to vendor risk management, but third parties and even fourth parties will be empowered to drive their cyber security efforts responsibly.