Posts Tagged ‘supply chain’

Long tails and poverty lines; cyber risk in the supply chain

This week I’ve been attending the third cybersecurity roundtable hosted by the Institute of International Finance (IIF) at their 2018 IIF G20 Conference. The roundtable itself included a good discussion with regulators and firms as well as a summary of the IIF paper on cyber regulatory fragmentation. This paper is not yet published but will be available here.

Some of the side meetings I have had with regulators and other firms have highlighted some interesting issues; the Deutsche Bundesbank described some work they had undertaken from a macro-financial stability perspective on modelling cyber risk across the German financial services sector. What was interesting was that they had started to extend their view beyond the financial services firms to include the ‘cyber network’ of suppliers and outsourcers that underpin the sector.

The value of supply chains in cybersecurity risk management is something I have written about before. In my opinion, the third party assurance ‘industry’ that we have all created doesn’t wash its face regarding risk management outcomes versus the cost and effort required to send and complete all these interminable questionnaires. One of my concerns was that we are hugely exposed to aggregation of cyber risk in the supply chain, and this crystallised when the APT 10 / Cloud Hopper campaign was identified in 2017.

20 questions on cyber-supply chain risk management

I recently wrote an article for Banking Technology that has been generally well received, so I’ve decided to include it here on the blog for future reference. I’ve enjoyed working with Banking Technology and thoroughly recommend the editor David Bannister, who has clearly been around the block enough times and has a wealth of experience in the field.

Managing cyber supply chain risk is an unsolved problem that has increasingly drawn my attention as I discover new risks and new failures of risk management in this area. The OECD found that 73% of services traded in OECD countries are ‘intermediate’ services, that is, services that are intermediate inputs into a final service or product that is consumed. That statistic lies behind some of my concerns regarding aggregation and correlation of risk within and between different sector supply chains, correlations that are not immediately obvious.

This also highlights the complexity of supply chains in the modern economy. I believe that supply chain cyber security in the age of industrialised and targeted cyber-attacks is a wicked problem [PDF], and that many of our current approaches to managing these risks do not address the nature of the underlying risks; instead they focus on a fairly superficial view of the technological controls operated by ‘key’ suppliers. More innovative approaches are being developed, such as red teaming suppliers or actively monitoring supplier cyber hygiene, but I am not yet seeing these regularly built into coherent cyber supply chain risk management strategies. I hope the high level article below goes some way to encouraging this.

The original text is presented below and was published here.

Business Partner and Supply Chain Cyber Security

I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and tightly coupled system. While some components are clearly more important, there are few components that are inconsequential if they cannot be relied upon. No financial services organisation is independent in what is a highly cooperative sector.

Currently the Information Assurance aspects of reliance on partners and the supply chain throughout the sector are handled through third party assurance. Every organisation assesses, and is assessed by, every other organisation, breeding an expensive and distracting industry of rolling security controls assessments.
