If you’re reading this in search of the perfect answer for managing your third-party supply chain risk, it’s worth starting this with the (rather honest) disclaimer that there is no simple answer.
This blog is informed by our recent ClubCISO Annual Information Security Maturity Report and a subsequent Hot Topics session where ClubCISO members discussed supply chains becoming the new security frontier.
Every CISO is grappling with the risks posed by their supply chain. Like many things in security, it’s all about increasing maturity over time and using what’s available (people, processes, and technology) to manage the risk appropriately for your organisation, while trying not to hinder the business.
This year, our ClubCISO Information Security Maturity Report 2022 showed we’re making some headway with supply chain risk. When asked to rate the maturity of their processes to measure, manage and assure supply chain risk, 27% of members stated they’re at a stage of either ‘optimising’ or ‘managed’ this year, as opposed to 23% in 2021 and just 11% in 2020.
However, has this increased focus resulted from supply chains posing a greater risk?
29% of members said that supply chain most affected their ability to deliver on their objectives, while 11% of our members cited their supply chain as the source of a material cyber security incident in the last 12 months.
When diving into this topic further with our members, the discussion became centred around three areas:
- Will supplier questionnaires ever be an effective measure?
- Can suppliers’ cyber security certifications help to ease our risk?
- Do start-ups accept/understand that they are under a spotlight, and can this stifle growth?
Here are some anonymized member thoughts on these topics.
Will supplier questionnaires ever be an effective measure?
Questionnaires are often the starting point of any third-party risk debate, mainly, it would seem, because they aggravate both the sender and the recipient. One member noted that we are all facing off to suppliers and customers, and by just throwing questionnaires down the supply chain we’re not achieving anything, because who really is at the ‘top’ of this supplier pyramid? Often there is a complex supplier ecosystem at play, and a questionnaire isn’t going to provide the context, information or continued assurance needed.
Are questionnaires just trying to do the right thing rather than aligning to a standard and assessing a level of risk? Are they effectively preventing your organisation from being the victim of a breach?
Members agreed that by taking a questionnaire-led approach, we’re just looking at a point in time. It fails to consider the relationship with the supplier, the ever-changing scope of their involvement in your business and the changing personnel on both sides. One member had taken a more tailored approach, reviewing questionnaires together with the supplier and the sponsor in their organisation. This approach gave greater context to the risk posed, but by the CISO’s own admission there was no way to scale it effectively.
With many of our ClubCISO members receiving questionnaires from their clients, this appears to be more and more of an outdated approach that’s nothing more than a time-consuming way to amass huge amounts of data that quickly becomes outdated.
Can suppliers’ cyber security certifications help to ease our risk?
The lack of confidence in collecting, reviewing, and maintaining data from supplier questionnaires led the conversation to the possibility of accepting certifications as a level of assurance.
Members generally agreed that SOC 2 Type 2 gave CISOs confidence in the controls their suppliers had in place, and that this certification provided a robust view of how a supplier looks after your data. This came with the caveat that each business context can change this, and that’s where a questionnaire can help.
One member shared that a SOC 2 Type 2 certification “provided me with confidence that the vendor/supplier is invested in their security and it’s very likely that their processes are aligned”.
Another member commented, “suppliers like Amazon won’t even contemplate answering your questionnaire. They will just share their SOC 2 report”.
On the other side, SOC 2 certification comes at a cost. It’s useful for organisations trying to win new contracts, but the level of external auditing required means it could be cost-prohibitive. What’s more, what are the costs of creating and reviewing a questionnaire, or of doing an audit?
And much like a questionnaire, context is still key. One member noted that “you’re never going to avoid risk totally. We need to understand if the activities we are conducting are giving us more understanding and insight.”
This raised a key question: “at what point do you say no?” Where is the hard stop/dealbreaker for a CISO?
Attendees shared numerous (confidential) experiences but ultimately it was great to hear from one member that “
Is our concern over supplier risk suppressing the growth of start-ups?
Many measures were discussed to reduce CISO and supplier effort while improving the understanding of the risk suppliers pose. But is this really an accessible approach for all? Are all these security standards hindering the creativity and accessibility of start-ups?
There were two schools of thought on this topic:
- Start-ups should consider security early on. One member commented that “security should never be considered as hindering a start-up as you can do it from the beginning. You don’t have to work with legacy infrastructure. As a start-up working from the cloud makes it much easier”.
- It should be the responsibility of investors. “Investors should have an interest in your security posture as it will impact their investment if you do get breached”. If the start-up doesn’t understand cyber security, it could be hard for them to justify the funds.
Whilst the jury is out on the impact of cyber security controls on start-ups, it was clear from the session and the report that third-party suppliers are getting greater access to our data, and that managing that risk and continuously monitoring suppliers’ security profiles continue to present a challenge.
There is no perfect answer to third-party supply chain risk, with one member declaring at the end: “It’s comforting to know that everyone is suffering, and this isn’t an issue limited to one person or one company.”
Members are all relying on their own experiences. It was agreed that the most logical approach is for fellow CISOs to prioritise the applications most critical to their business, which are therefore the ones with the greatest access to company data and pose the greatest risk.
There is no standardised approach to this. However, much of it comes down to understanding the business and its risks, as it is very easy to miss something in this area.
Author: Deborah Saffer, Director Information Security at and Advisory Board Member at ClubCISO