The rise of the digital supply chain and proliferation of data moving across platforms and among parties requires a new and different kind of umbrella of trust, one that enables increased visibility, agility and performance. But how is this trust built and maintained? And how does one not only trust but verify? These are a few of the management challenges that lie ahead, and they exist in an environment marked by escalating cybersecurity risk.
The number of cybersecurity breaches is growing by 64% every year. While cyber threats come from a wide variety of sources (including nation states, competitors, and organized crime syndicates), 60% of cyber breaches are linked to insiders – current and former employees, contractors, service providers, suppliers, and business partners. These could be insiders within a company or in the companies in the end-to-end supply chain.
In short, everyone in the value chain – from internal employees to external third parties – needs to know what is expected to mitigate and manage cyber risks. It requires a broad approach addressing “people, processes and technology” that is built on policies, procedures, controls, and contractual agreements, supported by monitoring, training, and continual improvement.
The importance of verified trust
The digital supply chain puts more emphasis on the interdependency of companies and the associated need for verified trust. Digital Supply Chains: A Frontside Flip, a whitepaper published in October 2016 by the Center for Global Enterprise (CGE), identified four pillars for managing the digital supply chain: demand, people, technology, and risk. Looking at the four pillars from a cyber perspective, the mission is clear: to reduce cyber risk, companies will need trusted cross-functional collaborations internally – and with verified third parties – that integrate cybersecurity into operations.
The question for many organizations is: how do you embed cybersecurity across a company and with third parties?
As a starting point, one important task is to identify and prioritize what to protect. It is impossible to protect everything equally. Companies must allocate resources strategically to protect the most valuable information at risk, including confidential information, trade secrets, and personally identifiable information.
Companies should also have a map of their critical cyber interdependencies – where is confidential information stored, shared and accessed? What other systems are in place to ensure robust cybersecurity? Is there adequate training, monitoring, and physical and network security in place? A risk assessment can identify key gaps and areas requiring improvement.
Currently, the assessment of third-party cybersecurity programs lags far behind the assessment of many other business performance and compliance issues (e.g., quality, labor, environment, health and safety). Very few companies have started to integrate cybersecurity into their supplier qualification and evaluation programs. The challenge is how to achieve the right level of verified trust.
Some senior executives who oversee supply chain risk management strongly feel that it is not practical or reliable to depend on a self-assessment by the supplier. One member of CREATe.org’s Cybersecurity Advisory Council suggested using a mix of internal staff and third parties to verify supplier performance. Additionally, many companies are turning to the NIST Cybersecurity Framework as a tool for assessing their internal program for managing supply chain cybersecurity, and also for assessing the maturity of suppliers’ cybersecurity programs and the associated risk.
Companies need to move quickly to manage the risks associated with greater interdependency and digitalization. They need to shift from being reactive to proactive. They need to begin using practical, scalable ways to assess the cybersecurity risks of third parties that incorporate evaluating the maturity of the third parties’ cybersecurity programs. One of the foundational elements of the verified trust approach is the existence of a mature management system to ensure the right business processes are in place for effective cybersecurity.
Collaboration on cybersecurity with third parties needs to be built into contractual agreements, addressing areas such as access control, identity management, training, threat intelligence sharing, and incident response plans. Linking cybersecurity into the broader areas of enterprise risk management and supply chain management will be an essential focal point for cross-functional collaboration.
If we look at other supply chain performance and compliance issues, such as quality, corruption, or labor practices, companies typically evolve toward an approach of verified trust. As trust grows and the business relationship becomes more long-term and strategic, companies tend to shift their resources from verification of suppliers to collaboration on mutually beneficial improvement areas. We encourage all companies to learn from experience and move quickly to establish scalable cybersecurity programs that build a verified network of trusted suppliers.