The Challenge Of Continuous Assurance For Supply Chains
Steve Durbin is Chief Executive of the Information Security Forum and member of the Forbes Business Council.
Building resilience and agility into a supply chain to cope with fluctuations in demand and meet business goals is a major challenge. To craft a network that spans multiple continents inevitably introduces a high degree of complexity. Working out the logistics is only part of the problem; organizations also need oversight of every link in the chain to ensure that security is properly maintained.
This monumental task requires efficient collaboration across a complex web of manufacturers, suppliers, distributors, customs authorities, and the list goes on. Continuous assurance in the supply chain allows the process to be managed securely, following stringent regulations, but it also requires careful planning and analysis.
Identifying Potential Threats
Any large organization must work with thousands of suppliers, which makes supply chain management a complex and daunting proposition. According to Gartner, “89% of companies have suffered a supplier risk event in the past five years.”
It’s crucial to assess likely threats and develop a tiered system, or a kind of triage, to ensure that the biggest risks are addressed first. The reality is that resources are finite, so prioritization is essential. Security must also be balanced with usability and efficiency.
To build transparency, start by asking questions. Consider the part each supplier or partner has to play in your supply chain:
- What kind of data are they processing?
- What impact would it have if a particular service went down?
- Which companies are internet-facing?
- What is the potential exposure for your organization if an incident occurs?
Then, identify all the threats and rank them.
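As an added illustration of this triage (example code, not from the article or the ISF), the script below scores a constructed supplier inventory against the four questions above and ranks it into tiers; the weights, thresholds and supplier names are assumptions to be tuned per organization.

```python
from dataclasses import dataclass

# Assumed ratings for the four questions; higher means more risk.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
OUTAGE_IMPACT = {"negligible": 1, "degraded": 2, "major": 3, "critical": 4}


@dataclass(frozen=True)
class Supplier:
    name: str
    data_class: str           # what kind of data they process
    outage_impact: str        # what happens if their service goes down
    internet_facing: bool     # is their service reachable from the internet
    has_network_access: bool  # do they hold access into our network (exposure)


def risk_score(s: Supplier) -> int:
    """Combine the four answers into one number used for ranking."""
    score = DATA_SENSITIVITY[s.data_class] * OUTAGE_IMPACT[s.outage_impact]
    if s.internet_facing:
        score += 3   # assumed weight: exposed services attract targeted attacks
    if s.has_network_access:
        score += 4   # assumed weight: a compromise becomes our incident directly
    return score


def tier(score: int) -> int:
    """Map a score to an assurance tier (thresholds are assumptions)."""
    if score >= 12:
        return 1   # audit, structured governance, real-time monitoring
    if score >= 7:
        return 2   # questionnaire plus follow-up investigation
    return 3       # questionnaire only, reviewed periodically


def triage(suppliers: list[Supplier]) -> list[tuple[str, int, int]]:
    """Return (name, score, tier) with the biggest risks first."""
    ranked = sorted(suppliers, key=lambda s: (-risk_score(s), s.name))
    return [(s.name, risk_score(s), tier(risk_score(s))) for s in ranked]


# Constructed sample inventory; the names are placeholders.
SUPPLIERS = [
    Supplier("CateringLtd", "internal", "negligible", False, False),
    Supplier("PayrollCo", "regulated", "critical", True, True),
    Supplier("AnalyticsSaaS", "confidential", "degraded", True, False),
    Supplier("MspOps", "internal", "major", False, True),
]

if __name__ == "__main__":
    for name, score, t in triage(SUPPLIERS):
        print(f"tier {t}  score {score:2d}  {name}")
```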
Establishing Trust
Building trust is important in any business relationship, but it can be tricky. You should set out security expectations clearly in every contract. While suppliers fill out self-assessment questionnaires, you must follow that up with investigations and audits. Apart from the risk that self-assessment questionnaires might not always be filled out completely truthfully, they are also resource-intensive to analyze and extract meaningful data from. Even then, you often only get a snapshot of security standards, when real-time visibility would be far preferable.
With primary vendors or strategic partners, those with network access and with whom you work closely, it’s important to employ structured governance and foster open communication. Building a strong, open and honest relationship takes effort, but it pays off when you can solve problems together without having to talk about contractual breaches.
Self-assessment questionnaires might work best as a prioritization tool, highlighting suppliers that need further assessment. Remember to consider the subcontractors of your suppliers and assess them where necessary to ensure they adhere to your standards. While it’s good to build trust, some level of visibility into operations is also vital.
Building A Real-Time View
Regular meetings, assurance reports and penetration tests all have parts to play in keeping track of your critical suppliers continuously. Probe for vulnerabilities, and monitor suppliers for security incidents. Patch into your supplier’s systems to track real-time progress wherever possible. Deeply integrate data and processes into your infrastructure, and run analytics to ensure potential risks are identified and flagged before they develop.
There’s also value in applying any threat intelligence monitoring that you do for your own business to your suppliers as well. Look for new domains targeting partners and any other evidence of targeted attacks. Make sure you’re aware of critical patch status and any vulnerabilities that arise with software partners. When you do identify problems, make sure there’s a process in place and a communication channel open that you can work with to mitigate the issues.
Taking A Flexible And Pragmatic Approach
Managing the inevitable problems that arise and finding elegant solutions that ensure everything gets where it needs to be on time is an ongoing challenge. Sensitive data must be safeguarded throughout the process. Make sure that you have options and flexibility to switch routes and suppliers when you need to.
Continuous assurance requires determination and a balance of trust and testing. There’s no single strategy or tool that will deliver what you need. Ultimately, it’s nearly impossible to have a truly complete real-time view of your entire supply chain, so be pragmatic and focus on where the greatest risks lie.