Gone are the days when enterprise and business assets are secured behind a perimeter of layered security controls. Technology advancement and the boundless need to leverage technology outcomes to achieve efficiencies and meet business goals have changed the narrative. The adoption of digital transformation, cloud computing, Internet of Things (IoT), Industrial IoT, and an increased dependency on outsourcing business needs to specialist third parties, has dilapidated the trusted perimeter. In the past decade, organisations have relied on outsourcing operational requirements to third parties so they can focus on the main business objectives. Supply chain engagements have helped organisations achieve their goals through facilitating and accelerating operational outcomes.
Supply chain, in its simplest form, is the distribution of goods and services to consumers. It allows for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits but also increases the risk of a compromise to the supply chain (NIST, 2022). Technology advancement and adoption introduced a different angle to supply chain, this includes the development, manufacture and distribution of Information and Communication Technology (ICT) products and services; referred to as Cyber Supply Chain. Cyber Supply Chain, like every other supply chain, has their risks, the management of these risks is known as the Cyber Supply Chain Risk Management (C-SCRM).
According to the National Institute of Standard and Technology (NIST), “C-SCRM involves identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction)”.
The Australian Cyber Security Center (ACSC) affirms that all organisations need to consider Cyber Supply Chain Risk Management, irrespective of their size, revenue, location etc. “Any organisation that relies on a supplier, manufacturer, distributor or retailer for products and services, has a Cyber Supply Chain Risk component and needs to run a Cyber Supply Chain Risk Management program”.
The ACSC described the building blocks of an effective Supply Chain Risk Management program as:
- Identify the cyber supply chain in the organisation’s processes.
- Identify and understand the risk associated with cyber supply chain.
- Set cyber security expectations – communicate, enforce, and work with suppliers to implement the requirements.
- Audit for compliance – implement assurance processes to ensure the suppliers comply with the requirements.
- Monitor and improve cyber supply chain practices.
Other standards or guidelines exist for Cyber Supply Chain Risk Management, while the building blocks may be different, they all prescribe the identification, mitigation and continuous monitoring and improvement of Cyber Supply Chain Risks.
Regardless of what standards an organisation chooses to implement, NIST advises that it is important that such a program is implemented as an enterprise-wide initiative to ensure informed and accurate risk-mitigating outcomes.
At Brace168, we have the expertise and experience to run effective Cyber Supply Chain Risk Management programs. Starting with a business context analysis, we identify cyber supply chain threats, vulnerabilities, and exposures; and provide informed risk management decisions based on the organisation’s risk tolerance.
We manage the process, people and business-based risks with a Supply Chain Risk Management Strategy and technology-based risks are addressed through threat intelligence and continuous security logs monitoring and incident response activities in our Security Operations Centre (SOC).
Don’t hesitate to reach out to discuss how we can help to implement and run a Cyber Supply Chain Risk Management program to ensure risks to your business are known and managed.
References
https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management
https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management