How should CISOs approach supply chain cybersecurity?


Amongst the long list of priorities for cybersecurity leaders, potential blind spots in digital supply chains are becoming increasingly critical. While businesses are beginning to get to grips with their own perimeters, the steps to improving third-party security are far less defined. So, as CISOs look to tackle this new frontier, how do you efficiently assure your supply chain partners, and what will it mean for the bigger picture of enterprise security?

The next frontier

While security is never truly "solved", it is fair to say that these days CISOs and their teams recognize the need to have a firm grasp on their immediate (first-party) security, either having the necessary procedures in place or understanding the steps their organizations need to take in order to understand their risks.

However, when it comes to the security of supply chains, which include not only third parties but fourth parties and potentially others further down the chain, there is still work to be done. In ClubCISO's most recent annual Security Maturity report, 29% of the organization's members who responded listed the supply chain as their biggest barrier to security objectives, placing it fourth behind the familiar constants of staffing, budget and rapid business change for security leaders across the globe.

We should recognize that supply chains can take many forms. In the digital ecosystem, these include suppliers that provide services (organizations to which businesses outsource specific business functions) and vendors (those, such as software providers, that supply the fabric upon which businesses run). In relation to these, the ClubCISO report revealed that 22% of noted cyber incidents in the 12 months to 2022 were attributed to supply chain vulnerabilities. Depending on whether the vulnerability enters through a vendor or a supplier, the implications for an impacted business differ.

For example, third-party service providers often work closely with their client and hold potentially sensitive internal information, so in this instance it is essential for the business to treat it as an incident to respond to. On the other side, if a software provider suffers a security incident, there is comparatively little assurance that the business can obtain.

The growing complexity, variables and entry points that come with these supply chains are the chief reasons that zero-trust strategies are becoming so prevalent in the security space. This more hardline approach mitigates the risk of supply chain breaches impacting businesses by making security inside the perimeter of a system far more robust, but by no means does it solve the problem entirely. This is because zero-trust authorization is ineffective if the third party being authorized is itself already compromised.

Instead, organizations need to assess third-party vendors - where this is possible - and suppliers to ensure they have adequate security that does not risk the integrity of their systems.

Rob Robinson

Rob Robinson is the Head of Telstra Purple in EMEA.

How do you assess supply-chain partners?

Despite growing awareness of the number of dangerous blind spots across supply chains, the practice of auditing third-party partners is still in its infancy. The latest data from the UK government shows that just 13% of businesses review the risks posed by their immediate suppliers, and the number drops even lower (7%) when it comes to the wider supply chain. Because of this, there is no standardization of the correct approach. How do you audit vendors? How regularly? How do you approach the hundreds of suppliers that already exist in the supply chain?

There are several challenges that need to be addressed. Naturally, qualifying new and existing suppliers from the outset can be laborious, so securing buy-in is crucial - both in terms of investment and cooperation from stakeholders and suppliers. Education may be needed here to address any lack of understanding of the risks of poor supply chain cybersecurity. Other technical challenges include limited visibility over the full supply chain and insufficient tools or knowledge to accurately audit a supplier’s security level.

So how should companies go about this? The first key principle is that security professionals need to be involved in new vendor qualification from the outset, which is not typically the case. When it comes to auditing the security of vendors, the focus needs to be on the value of the information available to the third party, and not just the sheer volume. Identify your ‘crown jewels’ and audit top-down from there. Once you have established an approach to supply chain audits, start by applying this to new supplier relationships. Once the approach has been refined and is working successfully, apply it to existing suppliers, reviewing contracts and supporting suppliers where needed.

The bigger picture

Despite the challenges and labor involved, security teams at larger organizations need to start committing to vendor security auditing, not just for the benefits it will bring for their own supply chain security but also as an overall corporate social responsibility. CISOs need to move away from viewing auditing of vendors as a chore and see the bigger picture - larger companies verifying smaller vendors will support growth and make the vendor more marketable elsewhere. This benefit for the vendor also provides more incentive for them to take part in such rigorous security assessments.

Ultimately, this will support growth and the 'digital ecosystem' model that most industries are moving towards. As more businesses move to cloud-first strategies and integrate and partner with more companies and vendors to serve customers better and scale up operations faster, this is the direction security practitioners need to move in. Larger businesses that adopt this approach early will not only protect themselves from one of the leading causes of cyber incidents but will also become more valuable partners to smaller vendors and will ultimately support and improve the cybersecurity of businesses and industries across the board.


Rob is responsible for driving growth across the region, ensuring that the business continues to enable long-lasting change for any organization.