I enjoyed reading Vishal Salvi’s blog called “Ensuring cyber security in digital supply chains.” In the blog, Mr. Salvi states, “As the adoption of digital (supply chains) expands an organization’s business ecosystems, risks abound. It is no longer adequate to maintain internal security hygiene. The perimeter of risk now extends to the entire vendor and partner ecosystem.”
I couldn’t agree more. Every day we see organizations that are being required to show proof of strong cyber security hygiene so they can take part in or remain in the critical business digital ecosystems. Mr. Salvi gives examples of purchasing hardware and software or outsourcing IT; that is just the tip of the iceberg. From the film industry to healthcare to agriculture and payment gateways, digital ecosystems rapidly expand the supply chains of all types of businesses.
As Mr. Salvi also points out, wherever there is growth, there are cyber attackers. In the case of digital supply chains, the weak link that exposes your organization to an attack is a partner in your digital ecosystem who does not take cyber defenses seriously. For the first time, we regularly see the most influential players in a digital ecosystem acting as cyber security regulators to all the other players, regardless of size, in that ecosystem. In short – “if you want to play and make money in our supply chain, you must show that you have your ship in order.”
The effects have been amazingly positive for cyber security and IT professionals because, in this world, cyber security investments become a business revenue driver and not the typical insurance policy. IT and Cyber align with the business units, defining funding and goals based on keeping or, in most cases, opening up new and more profitable revenue streams. Even better, this new alignment is not limited to large enterprises. The shift to digital business across organizations of all sizes means that traditionally resource-constrained IT teams are seeing new projects and increases in funding.
In the past three months, I have seen a rapid increase in the number of small and medium-sized organizations visiting our website to learn about the expansion of defensive controls, continuous monitoring, and instant compliance reporting. This interest comes from industries ranging from film/media to agriculture to medical devices to retail and ranging from 3000 down to 400 employees.
So what should you expect if you are an organization that is asked to meet cyber hygiene requirements?
Here are four lessons we have learned from our customers.
- The compliance body that defines the requirements in these ecosystems is usually the most influential vendor in the supply chain or a governing body created by the members of the supply chain. In either case, the actual audits are often conducted by a firm that has a third party risk management practice (TPRM) like Infosys, Deloitte and other consulting firms. Examples of private governing agencies in Payment Card Industry Security Standards Council – PCI, Motion Picture Association (MPA), and The Public Company Accounting Oversight Board (PCAOB), with many more emerging.
- Most of the compliance requirements requested in the audits are a subset of controls based on either NIST 800–53 or ISO/IEC 27001. If you are familiar with them, there is a lot of overlap with a focus especially in 800-53 sections SR1, 2, and 3. Also, note that these controls do not prescribe the technology needed to complete the controls. The organization may have recommended technologies, but you must determine what technologies fit best.
- The use of the term “audit” is inaccurate within these ecosystems. Risk and control compliance assessments are not scheduled on the calendar. You will not get four weeks’ notice to create your reports and excel sheets to prove compliance. These audits are best described as “continuous compliance,” where the partner organizations in the supply chain need to view your cyber security hygiene on demand. This means your choice of technologies and processes are critical and should be selected based on the ability to show “continuous adherence” to this requirement.
- The “continuous compliance” requirements include SLAs related to incident response and alerting. Amazingly, most organizations do not have threat intelligence and incident sharing systems in place. A September 2022 survey by Trend Micro found that less than 47% of respondents share attack (ransomware) details with partners and less than 25% share any valuable threat intelligence of any kind. If something goes wrong, you have to be able to show that you have taken immediate action. You must also alert the rest of the supply chain partners of your event so they can also protect themselves.
As Mr. Salvi explains, “organizations must continuously monitor and find new ways to protect themselves against the vulnerability arising out of the evolving landscape in the supply chain domain.” For a small, resource-constrained organization, this can seem truly overwhelming. But this is actually an opportunity you do not want to pass up. Working hand in hand with the business units to understand IT system and business process threats, organizational risk appetites, and how to align your cyber security spending while growing the top line of the business is priceless. It will pay dividends across all of your IT and cyber security projects.
Read our latest Solution Brief: Network Detection and Response TCO
And please get in touch with us to learn how CyGlass helps its customers meet supply chain continuous monitoring and cyber security hygiene reporting.
VP Marketing, CyGlass