Mitigating Security Risk: 4 Supply Chain Strategies To Implement
Melissa Stevens | April 14, 2016
You can’t prevent everything from threatening your data or on your network. Any experienced CISO will tell you this flat out—adding that exploitation is simply a fact in today’s threat landscape.
But you can put a number of controls in place to help soften the potential fallout. Below, we’ve rounded up four extremely important supply chain strategies you should implement to help lessen the possibility of a catastrophic data loss in your organization.
1. Identify all of your critical third parties.
Third parties of any sort—including any and all software providers, business associates, contractors, and subcontractors—may expose you to cyber risk that could be potentially harmful or even catastrophic for your organization. If a particular third party is hacked or exploited, your sensitive data or corporate network could pay the price.
There are three basic categories of companies in your supply chain that you should care about when you’re diving into supply chain strategy:
Software companies: You are concerned with this company’s ability to write secure code that will end up on your network. For example, a software provider that you acquire code from may have inserted vulnerabilities into that code (intentionally or unintentionally). That code could then be exploited from a malicious actor, which could result in loss of data, operational disruption, or general harm to your organization.
Contractors connected to your business environment: You are concerned with this company’s ability to handle your data (or their connection to your network) appropriately.
Contractors not connected to your business environment: You are concerned with this company’s ability to implement appropriate levels of security, so malicious threat actors cannot cause damage directly to your organization.
Identifying which vendors are critical in each of these three categorizations is an important strategic move. In order to manage supply chain risk, you need to have an idea of what your critical third parties are all doing to secure their software or implement the right security measures.
2. Assess the risk profile of each of your critical vendors.
You’ve now determined which of your vendors fall under the categorization of “critical”—but that doesn’t mean that each of your critical vendors holds the same level of risk. For example, Vendor A may hold the same number of trade secrets as Vendor B, but Vendor A could be more critical because of the level of network access they need to have.
Managing the risk that each party creates is something you should take into consideration immediately. You can mitigate some security risk in the following ways:
Penetration tests and vulnerability scans: These measures allow you to take a look at the vendor’s security performance. But keep in mind that they only offer a snapshot in time.
Vendor questionnaires: You can create a survey for your vendors to complete during the onboarding or acquisition process. But keep in mind that like pen tests and vulnerability scans, the results are static and could lead to a false sense of security.
3. Write detailed security expectations into your vendor contracts.
Do you know with certainty that each of your critical vendors and suppliers has a contractual security obligation to you? This must extend far beyond fiduciary duty and regulated obligation. Once you’ve onboarded your vendors, you need to ensure that your vendors fully understand what you expect of them as the first party. Here are a few things you won’t want to forget:
Specify the processes you require to be in place to protect your data. For example, if you are working with a third party software provider, you’ll want to have a number of procedures and policies in place to ensure that their code is being written with a highly limited number of known vulnerabilities that could impact your data or network.
Ensure that your vendors have a legal obligation to immediately report any security breaches that are outside of industry compliance. If you don’t have specific contractual agreements, your vendor may not be legally obligated to share that, for example, a trade secret of yours was stolen because of a breach in their network.
4. Continuously monitor your third parties.
You’ve gone through a tremendous amount of work to find vendors, identify which ones are critical, assess their security, and write out specific contracts. But frankly, that isn’t enough to mitigate your security risk. You can strategize until you’re blue in the face—but if you fail to monitor your vendors on a continuous basis, you won’t be able to ensure that your information is secure. Continuous monitoring solutions are the final piece of your strategy—they will help you stay on top of any potential security issues.
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...
During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...