We need close partnerships with key suppliers and customers to maintain a strong cybersecurity posture for our business processes. Most supply-chain cybersecurity practices are far from being real partnerships.
Most business processes are digitally connected today. How do we manage warehouse inventory?
Organizations understand that the supply chain affects cyber risk. Supply chains are often integrated through software today, and some of your attack surface may be invisible to you, but visible to and managed by one or more suppliers. At the same time, your customers depend on your ability to manage your cybersecurity posture to protect their business processes. Yet, our approach to supply-chain security is often immature. Many organizations have no organized activity to manage supply chain cyber risk. Some have a vendor qualification scheme, often based on security questionnaires. A vendor qualification process is useful to avoid purchasing services and products from companies with very poor security performance, but it is not enough to ensure a robust defense against supply-chain attacks.
Why is a vendor qualification not enough?
Cyber threats are constantly evolving, and relying solely on vendor qualification can leave your supply chain vulnerable. Qualification processes often focus on static criteria that may not adapt quickly enough to new and emerging threats. This reactive approach can result in security gaps that malicious actors can exploit.
Vendors may meet initial qualification criteria, but their performance can vary over time. Factors such as changes in management, updates to technology, or shifts in market conditions can impact a vendor’s ability to maintain security standards. Without ongoing collaboration, these variations can go unnoticed, posing significant risks to the supply chain.
Effective cybersecurity requires timely and accurate information sharing. However, vendor qualification processes often lack mechanisms for continuous information exchange. This siloed approach can hinder the ability to detect and respond to threats promptly, leaving the entire supply chain at risk.
In the event of a security incident, a coordinated response is crucial. Vendor qualification alone does not foster the trust and communication needed for effective incident response. Without a collaborative framework, responding to incidents can be chaotic and inefficient, prolonging downtime and increasing the impact of breaches.
The solution: security partnerships with important supply-chain partners
To address these challenges, organizations must shift from a vendor qualification mindset to a collaborative partnership approach. This involves establishing strong relationships with key suppliers and customers, built on trust, information sharing, and shared situational awareness.
By fostering open communication channels, organizations can share threat intelligence, best practices, and lessons learned. This collaborative exchange of information enables all parties to stay ahead of emerging threats and respond more effectively to incidents.
Building trust through transparency is essential for successful collaboration. Partners should be open about their security practices, vulnerabilities, and incident response plans. This transparency fosters a culture of mutual support and accountability, strengthening the overall security posture of the supply chain.
Shared situational awareness enables partners to have a collective understanding of the security landscape. This involves regular updates on threats, vulnerabilities, and incidents affecting the supply chain. By maintaining a shared view, organizations can better anticipate and mitigate risks, enhancing the resilience of the supply chain.
Collaborative partnerships allow organizations to align on best practices and standards. By working together, partners can develop and implement robust security measures that are consistent across the supply chain. This alignment helps to minimize vulnerabilities and ensures that all parties are committed to maintaining high security standards.
A business-continuity focused approach to security partnerships
Not all suppliers are equally important, and not all customers are critical to your business. There are also differences in how digitally integrated the supplier-buyer relationship is. Imagine that you are security responsible for a company leasing coffee machines to businesses and supplying them with coffee beans. The company has a lean operation and is highly dependent on digital systems for managing their business processes. They have conducted a business impact assessment of their key processes, and marked the “bean procurement”, “bean distribution” and “machine maintenance and support” as the most critical processes that also have the most digital dependencies. You want to make sure you have a good approach to cybersecuriyt for these processes, starting with bean procurement. To get started on the assessment, you and your colleagues perform a business process mapping and dependency exercise.
| Suppliers | Inputs | Process | Outputs | Customers |
|---|---|---|---|---|
| Wholesale coffee sellers | Pre-packed coffee beans (normal, premium, premium plus) | 1. Source pre-packed coffee beans from wholesale sellers in three qualities. | Packaged coffee beans (by quality) | Offices leasing coffee machines |
| Logistics providers | Transportation services | 2. Arrange transportation from wholesaler to warehouse. | Delivery confirmations | Internal stakeholders |
| Quality control labs | Quality test results | 3. Conduct quality control tests for each quality type. | Inventory reports (by quality) | |
| 4. Store pre-packed coffee beans in a warehouse. | ||||
| 5. Distribute coffee beans to offices based on quality requirements. | ||||
| 6. Monitor inventory levels by quality and reorder as needed. |
After discussing with some of the suppliers, the procurement division and going through the systems used with both end-users and IT, you have landed on a relatively involved data flow diagram for the procurement of coffee beans (including storage and readiness for distribution, based on the SIPOC):
We are now focusing on the wholesale sellers. There may be multiple interfaces between these companes, but for now let’s consider how a partnership would differ from a pure qualification approach to vendor security here.
Default approach: qualify the vendor, no direct follow-up unless there is an incident.
- Provide a list of technical security requirements
- Provide a questionnaire in Excel about policies, security controls and capabilities
This will help select a vendor that has a baseline security level at the point in time when the contract is signed. It will not make the companies ready to respond together if there is a cyber attack affecting both, or requiring support from the other. It will not provide proactive steps to improved cyber defense, such as sharing informaiton about threats, vulnerabilities and best practices. But the biggest weakness is: good cybersecurity posture over time depends on evolving practices, innovation and shared situational awareness. A point-in-time qualification does not help with that.
Partnership approach: a partnership will help evolve cybersecurity and can “patch the weaknesses” of the qualification-only approach to supplier security management. Here are 3 key practices to consider for building a strong cybersecurity partnership:
- Establish clear expectations and responsibilities for the partnership, and include these in the contract. Make sure the cybersecurity practices included in the contract are mutually beneficial.
- Establish a way to share information and build joint situational awareness. This can be achieved through a range of activities, from having quarterly information-sharing video calls to fully integrated threat intellgence and response exchange systems.
- Be intentional about making security people from both organizations meet and build relationships. There are many ways to do this, from joining community organizations and conferences, to having regular status meetings and workshops together. Even meeting socially can help build those releationships. People who trust each other work much better together during a crisis, such as cyber incident response.
It is worth noting that regulatory requirements to supply chain security is increasing in many sectors. In Europe, key cyberscurity regulations such as DORA (for financial institutions), NIS2 (critical infrastructure), CRA (for suppliers of digital products) and even the AI Act all have requirements for supply-chain cybersecurity. The views in this blog post don’t post a complete list of activities a good supply chain program must have, it is more in addition to established practices. For an overview of traditional practices that should go into your supply-chain cybersecurity management, this guideline from ENISA is a good starting point: Guideline for supply-chian security (ENISA).
safecontrols 