Why supply chain security is essential to digital transformation [Q&A]
As digital transformation projects mean enterprises are sharing more and more information with customers and suppliers, added focus is placed on the security of that data.
To find out how companies can address this, while still reaping the benefits of AI, IoT and other fast growing technologies, we spoke to Fouad Khalil, VP of compliance at SecurityScorecard.
BN: Why is the supply chain a particular problem area?
FK: As an organization you have a perimeter around your systems. As soon as a data element or process passes that perimeter, your control lessens, your visibility lessens, and it's in the hands of partners and supply chain vendors.
This is why we started looking at cyber risk and other customers. Yes, we have gotten better at minimizing this type of risk, but I think some others for the sake of conducting business may deem certain controls not to be as critical. So they may bypass our controls to get the job done. And you see that a lot. Control assessment is not the same with a vendor and third parties as it is within the organization. Visibility into what your supply chain vendors are doing is critical for compliance.
BN: Is this something that is being made worse by digital transformation projects?
FK: Definitely. I mean if you look at the current technology deployment, nothing has changed. Look at artificial intelligence, look at IoT, look at cloud deployment. The need is increased, and the risk has meant due diligence has become a little bit harder. It's a challenge to meet those requirements and make sure that you are compliant and the risk is minimal.
I am finding more and more organizations leaning towards automation any which way possible. I know organizations are leaning more towards tiering their vendors so they can prioritize the resources and time on their hands to be able to assess risk effectively. The higher the tier of a vendor, the more access to PII, sensitive information or proprietary information is going to be critical than maybe when handling a documentation process, for example. So that tiering enables the organization with automation to do more with less.
Also a lot of organizations are moving more towards continuous oversight, but not necessarily a deep dive like a normal site assessment. What I mean by that is, there's so much going on that in some cases where a mandatory pen test is required, I may be comfortable enough to conduct a perimeter cyber assessment, and then conduct a less frequent questionnaire to verify my process.
BN: Does this mean stricter governance of partners and stricter auditing of supply chains?
FK: If you look at governance, risk management and compliance (GRC) as a whole, people are the weakest link and technology is used to boost capabilities, from a technical perspective, to maintain control environments. This is one aspect of looking at the highest tier vendors and monitoring those continuously, with others on a lesser frequency. With higher tier vendors you need to enable some level of continuous auditing visibility. Again, do what you can with the resources that you have; an audit may be as simple as a critical questionnaire that enables you to ask the right question and get the feedback that you're looking for, so you can get some level of evidence to give you the assurance that your control is effective.
I've seen organizations going as far as identifying which framework impacts the business, meaning either they're GDPR compliant or NIST or ISO, and they will include contract terms for that framework so that vendors are compliant not just with standard requirements, but they meet a lot of the laws they expect to comply with, all in the same agreement the vendor is executing. And that gives them a bigger hammer and a one-stop shop when it comes to needed instructions.
BN: Do you think this might be an area that governments start to get interested in and actually want to try and legislate for some form of supply chain security?
FK: As you look across the globe you may see countries doing things differently. In the US, considering the financial impact across the board, they may ease up on SEC filing or other financial aspects of region or government mandates. But I see more stringent requirements coming from state and privacy regulators.
So, in the current environment, in order to keep the businesses running you may see a little bit more leniency on the financial side, but see a lot more stringent controls and a lot more involvement when it comes to privacy and professional data, such as enforcement of privacy controls like GDPR, or New York organizations having to abide by NY DFS and much more. So you're going to see different levels.
BN: Is there a sweet spot in terms of the sort of balance between protecting supply chain data and making use of that data to make the business more efficient?
FK: You have to prioritize what you control. In some cases, you may lower the specific controls to allow the business to continue to function and to allow the vendor and supplier to continue providing. At the same time, become more stringent with others. So it's a balancing act, and again, depending on the tier level and the type of data and information that vendors are responsible for, but allowing you to evaluate the control environment. There are certain key controls you should never give up on as it relates to access management, network security and things like that. But you may be less concerned when it comes to availability of back end systems, or maybe less concerned with three levels of approvals for production changes and things like that. So it depends on the scenario; we should always be ready to resurrect what we have and be able to refit what we developed and make sure that we're complying.
BN: Does this mean responsibility for looking after supply chain security is going to be moving beyond IT and into other parts of the business?
FK: I would hope that is the case today, and it should not be just for the current times; for an enterprise, every stakeholder in that organization owns some aspect of the risk. And the business shouldn't be interrupted by a vendor or supply chain; they are responsible for maintaining the same facility. So each business unit involved will own particular data and issue compliance. So in my opinion, it should be current practice -- without any challenging times -- to extend ownership of risk across all positions, and it's not just IT; you're interested in legal, documents, auditors. It's crucial to enable us to maintain compliance and maintain visibility.
BN: How does this affect building relationships with new vendors?
FK: When you're looking at signing a contract with a vendor and looking for a long term position, you must get started on good, solid grounds. To me that means the contract terms and conditions must identify baselines and acceptable thresholds on performance and cyber posture and so on. The contract needs to identify areas in the regulations and standards, and the laws that we need to live by. Once you've signed, then continuous dialogue, continuous oversight and continuous audits are needed to maintain that good relationship and compliance. If you start off on the right track you will continue on the right track. If you start off missing some components that are critical to the program, those will haunt you until you take action to remediate.