How the Great Supply Chain Disruption Affects IT Security
The “great supply chain disruption” is causing chaos around the world for everyone from farmers to automakers to consumers. What is less appreciated is that supply chain changes can pose new challenges not just for logistics, but for IT security as well.
New ways of working can increase the resilience of an organization, but they require additional levels of disclosure and uberrimae fides — utmost good faith — between security teams, and not just a tick-box approach.
For the last few years, one of the main topics in the cybersecurity world has been the dissolving perimeter, which increasingly places resources and assets outside our immediate sphere of control. Critical applications are now held within other computers in the cloud or accessed by remote users on their personal devices.
The response has been an evolution in security, where checks and balances are performed by a variety of controls that authenticate the user, their devices and the data stores at the point of access.
One key area that affects an organization’s security posture is its business relationships with third-party suppliers who provide the parts and content to produce an organization’s products.
In simple terms, there are two main strategies: relying on a small group of critical specialist suppliers, or relying on multiple suppliers. The latter reduces the risk of a single point of failure in production: if one supplier fails, an alternative can be used to keep production running. Alternatively, an organization may deliberately focus on a close relationship with a single supplier, either to reduce costs or simply because few suppliers produce that particular item. Disruption to this element of the supply chain may severely impact the resilience of the organization.
This risk will ebb and flow as the nature of the supply chain changes. For example, when faced with volatile changes in shipping rates, some firms have decided to onshore production to new partners. With closer technology dependencies between organizations and suppliers, security teams need to be able to react swiftly to these changes.
Meanwhile, how we view these third-party relationships from a security perspective should also change to match the business strategic need. The further along the chain and the further away from the organization, the more difficult it is to understand the risk posed with the third parties. As one CISO said to me, “With immediate suppliers you can learn how to trust; beyond them you need to learn how to pray.”
How IT Teams Can Respond
A typical approach involves third-party assessments in which the supplier is asked to report the status of its controls. This is generally designed to make sure that core frameworks such as NIST, ISO 27001, or CIS are followed. These assessments can be time-consuming for all concerned.
The next step should be a more proactive approach, with joint activities to ensure that there is alignment and understanding between the security teams in the supply chain. One defining characteristic of this approach is the willingness to collaborate. Greater communication, backed up contractually if necessary, is needed. These CISO-to-CISO conversations may feel awkward, but they are necessary, the authors of a recent McKinsey.com article stressed.
In fact, more than just conversations are needed. CISOs already often chat informally. However, more concrete steps might be necessary with key suppliers. These might include:
Running joint exercises to understand when, where and how incidents may occur.
Joint penetration testing with shared results to identify potential issues.
Creating response plans so that coordination activities can be implemented instantly.
Developing close links between security operations centers so that any potential attack identified by one team is shared with the others.
Setting up communications links between teams looking at intelligence feeds so that they can compare notes and alerts.
It can be argued that some of these activities already occur through industry bodies, but a more proactive stance will require specific actions with key third parties, not just audits and assessments.
This change in thinking also requires gaining buy-in from the business colleagues who may be reluctant to share sensitive information.
The risks and their mitigations need to be clearly communicated, along with the business benefit of increased resilience. Within the governance model, executives will need to be briefed on the systemic security risk posed by third parties, and the evaluation of third-party risk should be promoted as part of the board's responsibility.
So, while supply chain disruptions present new IT challenges and risks, those risks are not insurmountable with thoughtful, strategic cooperation within organizations and between partners.