Supply chain complexity has exploded recently. This is especially true for technical supply chains that involve software and cloud service providers. Adding to the complexity, many organizations define supply chain risk differently. Some focus on vendors and their providers. Others talk about software supply chains and the open-source ecosystem. Still, others are focused more on the physical IT equipment coming into their networks as well as how and where it’s sourced. Some of this definition is informed by industry and the general risk posture.
Implementing a proactive supply chain risk management approach needs to be a top priority for CISOs. This starts by identifying what kind of supply chain problems are relevant for you and then developing a strategy for each layer.
This article will focus on the process that CISOs can take to map out a supply chain risk management strategy for their organization.
As I mentioned above, identifying the elements of your organization that are relevant is essential. Ask yourself the following questions as you begin:
- Are there any elements of supply chains called out by compliance standards to which your organization is subjected?
- Have similar organizations experienced a supply chain security issue that surfaced in the news (e.g., Target, Equifax, etc.)?
- How large is your organization and how is it constructed from the perspective of departments, resources, IT, etc.?
Answering the questions above may help in identifying and prioritizing relevant elements of the supply chain that warrant time and resources. The following areas might also be worth considering in your organization, though this is not an exhaustive list:
- Open-source libraries used in software developed in-house
- Software bill-of-materials (SBOM) for software used but developed elsewhere
- Cloud service providers and traditional service providers (accounting, legal, etc.) in use
- The key service providers and infrastructure providers from your cloud service providers
- Third-party contractors in use throughout the organization
- Firmware in use on physical IT devices
Building a Plan
Once you have a roughly identified and prioritized list of supply chain elements to focus on, it’s time to build your plan. Each element of your supply chain risk may require different specific tactics to deal with, so a flexible framework is key in order come up with solutions. The NIST CSF framework is a great place to start.
- Identify: How do we identify and track all relevant assets in this supply chain? How deep do we want to go in terms of dependencies in our supply chain?
- Protect: What is the appropriate mechanism to protect each identified asset? Or perhaps the better question is, how do we protect the organization from each identified asset?
- Detect: How do we detect when something has gone wrong? Will this require third or fourth parties to be forthcoming with details about an issue, or can we detect things ourselves?
- Respond: When something does go wrong, what’s the proper way to respond? Do we need to engage other departments within our organization such as engineering, legal, or PR?
- Recover: What steps do we need to take to get back to a state of normal after something has gone wrong? What did we learn and how will we change because of it?
Supply Chain Risk Management Tactics
Supply chain issues deal primarily with things outside an organization. Risk management tactics differ based on who can actually make the change. Depending on the scope of the work, there may be things you can do directly to manage risk, such as patching open source libraries.
For many supply chain-related issues that have to deal with third, fourth, or beyond parties, we must work through other mechanisms, such as legal contracts. These things typically cannot happen without some pre-work, particularly in the realm of relationship-building between the CISO and other departmental counterparts.
Explore the “respond” and “recover” questions above with peers across the organization. It’s likely that these activities span beyond the purview of the cybersecurity team or function.
Supply chain risk management must be a focal point of the modern CISO’s strategy. Building this strategy, though, must be contextualized and not be overly influenced by external prescriptive guidance.
Each organization is different. Its compliance and risk posture are unique. The way the organization designs its hierarchies and resources is unique. All of these things and more influence where and how the CISO should prioritize a supply chain risk management strategy.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: