During my career, I have helped several firms design and operate supply chain cyber risk management (SCCRM) programmes.
I have some ongoing concerns, which I have posted about before, regarding the industry focus on self-reported checklists of varying quality. I also have some heightened concerns regarding the use of externally harvested indicators of security by ‘security ratings’ providers.
I wrote some time ago about 20 questions to ask yourself about your Cyber Supply Chain Risk Management, and these stand the test of time as an excellent benchmark against which to consider your broader programme. However, until we develop alternatives, we must make the best use of the tools available to us. If you are in a regulated industry, there is a good chance that the expectations of your regulator include a questionnaire-based ‘assurance’ process.
There are standards available for this, such as ISO 27036 (Information technology — Security techniques — Information security for supplier relationships — Part 2: Requirements), which lay out comprehensive lists of areas for assurance. The grouping of controls in ISO 27036 is as follows:
- Governance, Risk & Compliance
- Systems Management
- Physical Protection
- Access Management
- Security Monitoring and Response
- Network Connections
- Electronic Communications
- Business Control
- System Development
- Contractual Controls
It’s worth bearing in mind that this is an extensive list of areas to be assured, each with sub-controls, questions and answers, and those answers will need specialist security staff time to assess. When working for a large global firm, I was in a stronger position with my supply chain to enforce these as a requirement. Still, even then the extent of our supply chain and the purchasing managers’ common desire to move quickly meant that we couldn’t assure every answer to every question, or even ask every supplier every question. Even then, some suppliers were too big to care or too small to be capable.
This volume of work leads to a need to triage supply-chain participants into those that can cause the most harm and those that are less likely to. When dealing with procurement colleagues, or even compliance colleagues, there has inevitably already been some prioritisation, but it is highly unlikely to match the cyber risk exposure from each firm. Procurement colleagues look to deal size for prioritisation, and compliance colleagues tend to look at the geography the supply comes from and the nature of the business. In cyber risk, we have different areas of concern, and we need to triage differently.
When triaging third-party assurance or cyber supply chain risk assessments, there is context we need the purchasing manager to provide:
- Who is requesting the product/service?
- What are the requester’s contact details?
- Who is the requester’s line manager?
- What is the product/service called?
- What does the product/service do?
- How is this being done now?
- Is this an existing supplier?
Answering these questions allows us to get a start on what it is we are looking at assessing, and also provides valuable information we will use during the actual assessment and ultimately the decision phase.
We then need some specific information about the implicit cyber risks of using the product or service, to allow us to triage how deep an assessment we should conduct and how flexible we can be regarding our security requirements:
- Does it process or hold our financial data?
- Does it process or hold our business strategy?
- Does it use our branding or logo?
- Does it process, access or hold our customer data?
- Does it process, access or hold our staff data?
- Does it process, access or hold our intellectual property?
- Does it communicate with our customers?
- Does it complete financial transactions?
- Does it access our systems as an administrator or equivalent?
The answers to these nine questions allow us to prioritise our time. How your team implements that prioritisation depends on the cyber risk tolerance of your business. An example from a smaller firm with a growth-orientated risk tolerance follows:
- If the answer to all nine is no then it is low risk, security guidance is provided to the purchasing manager, but no assessment is required, and this decision doesn’t need to be reviewed for three years.
- If the answer to any of questions 1, 2 or 3 is yes, then it is medium risk. We care about how well the supplier is managed. The standard questionnaire is sent, but only a core set of questions is mandatory, and the requester’s line manager can formally accept the risk of any exceptions. The decision is reviewed in two years.
- If the answer to any of questions 4 to 9 is yes, then it is high risk. We care about how well the security of the product or service is managed. The standard questionnaire is sent, ALL questions must be answered, and the CISO (or equivalent) must approve the acceptance of any exceptions or else escalate to the risk committee. The decision on high-risk suppliers is reviewed annually.
In that example, the workload reduces for the security team while maintaining the focus on those suppliers where a breach could have the most significant consequences for the business. A model such as the one shown above could be made mostly self-service for purchasing managers, improving their experience of working with security and reducing the workload of the security team even further.
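The three-tier rule above is simple enough to encode, which is the first step towards the self-service model just described. The following Python is an added example written for this post, not the author's or any firm's tooling: the question keys are labels chosen here for the nine questions in the order the post lists them, the supplier cases are constructed, and the handling of an unanswered question (refuse to triage rather than treat silence as "no") is a design choice of this example, not something the post specifies.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

# The nine triage questions, in the order the post lists them (1-9).
# Labels are this example's own; questions 1-3 concern how well the supplier
# is managed, questions 4-9 how well the product or service security is managed.
TRIAGE_QUESTIONS = (
    "processes_or_holds_financial_data",          # 1
    "processes_or_holds_business_strategy",       # 2
    "uses_branding_or_logo",                      # 3
    "processes_accesses_or_holds_customer_data",  # 4
    "processes_accesses_or_holds_staff_data",     # 5
    "processes_accesses_or_holds_ip",             # 6
    "communicates_with_customers",                # 7
    "completes_financial_transactions",           # 8
    "admin_access_to_our_systems",                # 9
)
SUPPLIER_MANAGEMENT_QUESTIONS = TRIAGE_QUESTIONS[:3]
PRODUCT_SECURITY_QUESTIONS = TRIAGE_QUESTIONS[3:]


class RiskTier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class TriageOutcome:
    tier: RiskTier
    questionnaire: str          # what the supplier must complete
    exception_approver: str     # who may accept the risk of any exceptions
    review_interval_years: int  # how often the decision is revisited


# The worked example from the post: one outcome per tier.
OUTCOMES = {
    RiskTier.LOW: TriageOutcome(RiskTier.LOW, "none (security guidance only)", "not applicable", 3),
    RiskTier.MEDIUM: TriageOutcome(RiskTier.MEDIUM, "core questions only", "requester's line manager", 2),
    RiskTier.HIGH: TriageOutcome(RiskTier.HIGH, "all questions", "CISO, or escalate to risk committee", 1),
}


def triage(answers: dict[str, bool]) -> TriageOutcome:
    """Map the purchasing manager's nine yes/no answers to a triage outcome.

    Every question must be answered explicitly. An unanswered question is
    refused rather than treated as 'no', so a supplier cannot land in a lower
    tier simply because a form field was skipped (this example's choice).
    """
    unknown = set(answers) - set(TRIAGE_QUESTIONS)
    if unknown:
        raise ValueError(f"unrecognised question(s): {sorted(unknown)}")
    missing = [q for q in TRIAGE_QUESTIONS if q not in answers]
    if missing:
        raise ValueError(f"unanswered question(s): {missing}")
    # A single 'yes' in questions 4-9 outranks anything in questions 1-3.
    if any(answers[q] for q in PRODUCT_SECURITY_QUESTIONS):
        return OUTCOMES[RiskTier.HIGH]
    if any(answers[q] for q in SUPPLIER_MANAGEMENT_QUESTIONS):
        return OUTCOMES[RiskTier.MEDIUM]
    return OUTCOMES[RiskTier.LOW]


def next_review_date(decided_on: date, outcome: TriageOutcome) -> date:
    """Date by which the triage decision must be revisited."""
    target_year = decided_on.year + outcome.review_interval_years
    try:
        return decided_on.replace(year=target_year)
    except ValueError:  # decided on 29 February, target year is not a leap year
        return decided_on.replace(year=target_year, month=3, day=1)


def example_cases() -> dict[str, RiskTier]:
    """Constructed supplier requests, purely to illustrate the tiering."""
    all_no = dict.fromkeys(TRIAGE_QUESTIONS, False)
    cases = {
        "office_stationery": dict(all_no),                                   # nothing sensitive
        "marketing_agency": dict(all_no, uses_branding_or_logo=True),        # q3 only -> medium
        "payroll_saas": dict(all_no, processes_accesses_or_holds_staff_data=True,
                             completes_financial_transactions=True),         # q5 and q8 -> high
    }
    return {name: triage(answers).tier for name, answers in cases.items()}


if __name__ == "__main__":
    decided = date(2024, 2, 29)
    for name, tier in example_cases().items():
        outcome = OUTCOMES[tier]
        print(f"{name}: {tier.value} risk, questionnaire={outcome.questionnaire}, "
              f"exceptions approved by {outcome.exception_approver}, "
              f"review by {next_review_date(decided, outcome)}")
```

Because the rule is a pure function of the nine answers, it can sit behind an intake form, and the outcome record (tier, questionnaire scope, approver, review date) can be stored alongside the request as evidence of why a supplier was treated the way it was.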
This is a simple example of how applying a sensible, simple cyber risk model can both reduce bureaucratic work and improve the value of what is produced.