Most companies don't want to talk about their supply chains and risk management in the same sentence, let alone bring this topic to the boardroom. Why? Because, as a recent Harvard Business Review (HBR) article points out, "suppliers tend to be optimistic about the information they provide," while companies looking to bolster their bottom lines without breaking the budget are often willing to accept overly optimistic promises, layer in third-party software and hope that's enough to cover any supply-chain risk management issues.
In any other line-of-business effort, this would never fly, but the sheer complexity and multidependency of the supply chain makes it the elephant in the room — and once you've seen it, there's no going back. Now, in a report entitled "Third-Party Application Security Risk: The Elephant in the Room Is Finally Getting Talked About," 451 Research is taking a hard look at this problematic pachyderm. Here are four tips to help you manage supply-chain risk based on this new, in-depth report:
According to Computer Weekly, reporting on the Infosecurity Europe 2015 conference in London, "Organizations should include supply chain security as part of their strategy to reduce the risk of data breaches." This should come as no surprise after recent breaches at high-profile retailers that had their origins with third-party suppliers. And while the 451 report notes that companies with mature security programs are well aware of the risks presented by third-party software, many still don't place supply-chain applications and systems as high on their priority lists as they should. Why? Third-party software is climbing the "hierarchy of worry" among enterprise CISOs, but these executives often find themselves "navigating a maze of technical, legal and organizational constraints" just to get supply-chain risk management on the table.
451 also tackles the popular myth that open-source software is inherently less secure than in-house alternatives. In fact, some respondents described open-source, in-house and third-party software as presenting the same level of risk. For some companies, this meant all software was tested to the same degree; in others, a lack of resources meant software, regardless of origin, went untested, so its actual security posture was simply unknown. This is a prime use case for cloud-based security testing, which can evaluate every application on your network without adding full-time staff.
The next tip for better supply-chain risk management? Understand how traditional risk classifications can limit the effectiveness of security. High-priority systems and services are carefully reviewed and continually screened to ensure both performance and security goals are met, but systems in lower risk classes, especially those provided by third parties and only peripherally connected to critical corporate systems, are not assessed with the same rigor. The result? Malicious code can slip in through a low-priority component, and once it has a foothold it may be almost impossible to remove from the wider environment.
How do you measure the resilience of third-party supply-chain vendors? The HBR piece describes an emerging metric: time to survive (TTS), the length of time a company could continue to match supply with demand after the failure of a supply-chain node. The metric became necessary because suppliers were consistently optimistic in their time-to-recovery (TTR) estimates; padding those estimates often won more business or encouraged long-term client partnerships. As 451 discovered, however, while many professionals referred to general standards such as PCI DSS, ISO 27001 and NIST SP 800-53, only one mentioned the application-security standard ISO/IEC 27034, parts of which were still in development at the time, and few if any are using newer measures such as TTS. Bottom line? Supply chains are detailed, nuanced and extremely complex, and they need standards and metrics specific enough to reflect that reality.
So how do CISOs point out the elephant and get the boardroom talking? It starts with making supply-chain risk management part of IT priorities and recognizing that any piece of software in the supply chain, whatever its origin, can introduce risk. Increased rigor in assessment raises the profile of supply-chain risks, while new standards and metrics are emerging to address specific issues. It's a big problem, but one that won't be solved by looking away.
Want to go deeper? Check out 451's full report here.