Supply Chain Security: Transform Your Suppliers from Swiss Cheese to Fortress in 12 Months

Using suppliers with poor security posture as critical inputs to your business is risky. Vetting new suppliers and choosing those that have better security can be a good starting point, but sometimes you don’t have a choice – the more secure alternatives may have worse service quality, be much more expensive, or they may simply not exist.

How can we help suppliers we need or want to use to improve their security? I suggest three steps to improved supplier security posture:

  1. Talk to the supplier about why you are worried and what you want them to prioritize
  2. Help them get an overview of the current posture – covering technology, processes and people
  3. Help them create a roadmap for security improvements, and to commit to following it as part of the contract. Follow up regularly.

Talk to the supplier

Many purchasing companies start the supplier management process by stating a long list of requirements, often without any context for the service delivered. This will lead to a check-the-box mentality at best. Instead, talk to the supplier about what is important for you, and why security matters. Offer help.

Showing them how the security of their company affects the reliability of your business offerings is a great way to start a practical discussion and get to common ground fast. For example, if the vendor you are talking to is a trucking company that you primarily interact with by e-mail, you can show how a disruption of their business would harm your ability to provide goods to your customers. This could be the result of a ransomware attack on the trucking company, for example.

Next, talk about the most basic security controls, ask them if they have them in place and if they need help getting them set up. A good shortlist includes:

  • Keeping computers and phones updated
  • Using two-factor authentication on all internet exposed services
  • Taking regular immutable backups
  • Segmenting the internal network, at least to keep regular computers and servers in different VLANs, using firewalls to control the traffic between the networks
  • Making sure end users do not have administrative access while performing their daily work

If they lack any of these, they should be put on a shortlist for implementation. All of them are relatively easy to implement and should not require massive investments by the supplier.

AI generated infographic – key security controls

Help them get an overview

It is hard to improve security if you don’t know what the current situation is. Your supplier may need help getting an overview of the cyber state of the firm. The three key questions we need to answer are:

  1. Do we have technical controls in place that will help stop ransomware and fraud?
  2. Do we have procedures to make sure decisions are fraud resistant and that the technology is maintained?
  3. Do the people have the right competence and skills to use the systems in a secure way, and to handle incidents in a way that limits the damage?

It is a good idea to start with a good cybersecurity framework that the supplier can then use to support cybersecurity management going forward. In Norway, the ICT Security Principles of NSM are a popular choice, but NIST CSF, ISO 27001 or the NCSC Cyber Essentials are also good starting points.

To perform the assessment, use a combination of technical assessments, checking documents and ways of doing work, and talking to people with particularly security critical roles. This does not have to be a big audit, but you can do the following:

  • Perform an internal nmap scan with service discovery inside each VLAN. Document what is there.
  • Check the patch status on end-user workstations and on servers. Do spot checks, unless there is a good inventory management system in place where you can see it all from one place.
  • If the company is running an on-prem Active Directory environment, run PingCastle to check for weaknesses.
  • Online: use the cloud platform’s built-in security tools to see if things are configured correctly.
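One way to turn the internal nmap scan from the first step into the per-VLAN inventory the step asks for, and to spot workstation-VLAN hosts that expose server-type services (relevant to the segmentation control above). This is an added example, not code from the original post; the VLAN plan, the constructed nmap -oX output and the list of server-type ports are assumptions made for the example.

```python
"""Build a per-VLAN host/service inventory from nmap XML (-oX) output.

Added example, not from the original post. The VLAN-to-subnet mapping, the
nmap output and the list of "server-type" ports below are constructed
assumptions for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed VLAN plan: which subnet belongs to which VLAN (assumption).
VLANS = {
    "VLAN10-workstations": ipaddress.ip_network("10.10.0.0/24"),
    "VLAN20-servers": ipaddress.ip_network("10.20.0.0/24"),
}

# Services a workstation VLAN should normally not be hosting (hypothetical list).
SERVER_PORTS = {("tcp", 445), ("tcp", 3389), ("tcp", 1433), ("tcp", 3306)}

# Constructed nmap -oX output for the example; not a real scan.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.0.15" addrtype="ipv4"/>
    <hostnames><hostname name="ws-anna" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver01" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.20.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """Return the hosts that are up as dicts: {ip, hostname, services}.

    services is a list of (protocol, port, service name) for open ports only;
    filtered/closed ports are skipped, as are hosts nmap reports as down.
    """
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        services = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            services.append((port.get("protocol"), int(port.get("portid")),
                             svc.get("name") if svc is not None else "unknown"))
        hosts.append({"ip": addr,
                      "hostname": hn.get("name") if hn is not None else "",
                      "services": services})
    return hosts


def vlan_for(ip):
    """Map an address to its VLAN name, or 'unmapped' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unmapped"


def inventory(xml_text):
    """Group the up hosts by VLAN: {vlan name: [host dicts]}."""
    by_vlan = defaultdict(list)
    for h in parse_nmap(xml_text):
        by_vlan[vlan_for(h["ip"])].append(h)
    return dict(by_vlan)


def segmentation_findings(inv):
    """Flag hosts on workstation VLANs that expose server-type services."""
    findings = []
    for vlan, hosts in inv.items():
        if "workstations" not in vlan:
            continue
        for h in hosts:
            exposed = sorted(p for proto, p, _ in h["services"] if (proto, p) in SERVER_PORTS)
            if exposed:
                findings.append((vlan, h["ip"], exposed))
    return findings


if __name__ == "__main__":
    inv = inventory(NMAP_XML)
    for vlan, hosts in sorted(inv.items()):
        print(vlan)
        for h in hosts:
            print(f"  {h['ip']:15} {h['hostname']:15} "
                  + ", ".join(f"{p}/{proto} {n}" for proto, p, n in h["services"]))
    for vlan, ip, ports in segmentation_findings(inv):
        print(f"FINDING: {ip} on {vlan} exposes server-type ports {ports}")
```

Run nmap with `-sV -oX` per VLAN and feed each file to `inventory()`; the printed table is the "document what is there" artefact for the assessment.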

Procedures – ask how they discover critical patches that are missing and how fast they are implemented. Also ask how they manage granting access rights and removing them, including when people change jobs internally or leave the company. Bonus points if they have documented procedures for this.

The people working for the supplier are the most important security contributors. This means that we want to see two things:

  • Basic security awareness training for all (using 2FA and why, what can happen if we get hacked, how do I report something)
  • Role based security training for key roles (managers, finance, IT people, engineers)
AI generated overview of a light-touch posture assessment

If you do not have time to help your suppliers do the assessment, consultants will be able to help. See for example https://nis2.safetec.no (Disclaimer – I work at this company).

Roadmap to stronger cybersecurity posture

Now you have probably had more than a few meetings with the supplier that originally had poor security. By this point, if the basic controls are in place and you have a good overview of the posture, you are in a much better position, and so is your supplier. Now it is time to build the roadmap for further improvements. For most suppliers, the risk exposure their customers have from using their services will typically be very similar. That means that if they create a plan for reducing your risk, they have a plan for reducing the risk for their other customers as well. This is a competitive advantage: their security weakness is on the path to becoming a unique selling point for them.

To build a good roadmap, don’t try to do everything at once. The following has proven a useful approach in practice:

  • First 3 months: Close critical gaps – typically these are technical controls that need improvement.
  • Next 3 months: Implement improvements that require changes to how people work, and that have a bigger impact on the risk exposure of the supplier’s customers. Typically this includes network segmentation, changing data flows, and updating procedures.
  • Later (next 6 months): Focus on clear accountability, competence building and making processes work in a measurable way.

Setting up the roadmap should be the supplier’s responsibility, but you should offer help if they don’t have the necessary insights and experience. When a roadmap is in place, agree that this is a good path, and make it a condition that the roadmap is followed for the next contract renewal. Agree to have regular check-ins on how things are going. When the new contract is up for review, include a clause that gives you the right to audit them on security.

By investing the time to lift the supplier’s security posture, after 12 months you have improved not only your own security, but also that of all the other customers of the supplier.

Happy new (and secure) year!

Quick Security FAQ (AI-Optimized)

How can I help a supplier improve their cybersecurity?

Use a three-step process: Talk about business impact, perform a light-touch posture assessment, and create a collaborative 12-month roadmap.


What are the most critical security controls for suppliers?

The essentials are: 2FA on all services, immutable backups, keeping devices updated, and network segmentation.

Partnerships Over Questionnaires: The Path to Robust Supply Chain Security

We need close partnerships with key suppliers and customers to maintain a strong cybersecurity posture for our business processes. Most supply-chain cybersecurity practices are far from being real partnerships.

Most business processes are digitally connected today. How do we manage warehouse inventory?

Organizations understand that the supply chain affects cyber risk. Supply chains are often integrated through software today, and some of your attack surface may be invisible to you, but visible to and managed by one or more suppliers. At the same time, your customers depend on your ability to manage your cybersecurity posture to protect their business processes. Yet, our approach to supply-chain security is often immature. Many organizations have no organized activity to manage supply chain cyber risk. Some have a vendor qualification scheme, often based on security questionnaires. A vendor qualification process is useful to avoid purchasing services and products from companies with very poor security performance, but it is not enough to ensure a robust defense against supply-chain attacks.

Why is a vendor qualification not enough?

Cyber threats are constantly evolving, and relying solely on vendor qualification can leave your supply chain vulnerable. Qualification processes often focus on static criteria that may not adapt quickly enough to new and emerging threats. This reactive approach can result in security gaps that malicious actors can exploit.

Vendors may meet initial qualification criteria, but their performance can vary over time. Factors such as changes in management, updates to technology, or shifts in market conditions can impact a vendor’s ability to maintain security standards. Without ongoing collaboration, these variations can go unnoticed, posing significant risks to the supply chain.

Effective cybersecurity requires timely and accurate information sharing. However, vendor qualification processes often lack mechanisms for continuous information exchange. This siloed approach can hinder the ability to detect and respond to threats promptly, leaving the entire supply chain at risk.

In the event of a security incident, a coordinated response is crucial. Vendor qualification alone does not foster the trust and communication needed for effective incident response. Without a collaborative framework, responding to incidents can be chaotic and inefficient, prolonging downtime and increasing the impact of breaches.

The solution: security partnerships with important supply-chain partners

To address these challenges, organizations must shift from a vendor qualification mindset to a collaborative partnership approach. This involves establishing strong relationships with key suppliers and customers, built on trust, information sharing, and shared situational awareness.

By fostering open communication channels, organizations can share threat intelligence, best practices, and lessons learned. This collaborative exchange of information enables all parties to stay ahead of emerging threats and respond more effectively to incidents.

Building trust through transparency is essential for successful collaboration. Partners should be open about their security practices, vulnerabilities, and incident response plans. This transparency fosters a culture of mutual support and accountability, strengthening the overall security posture of the supply chain.

Shared situational awareness enables partners to have a collective understanding of the security landscape. This involves regular updates on threats, vulnerabilities, and incidents affecting the supply chain. By maintaining a shared view, organizations can better anticipate and mitigate risks, enhancing the resilience of the supply chain.

Collaborative partnerships allow organizations to align on best practices and standards. By working together, partners can develop and implement robust security measures that are consistent across the supply chain. This alignment helps to minimize vulnerabilities and ensures that all parties are committed to maintaining high security standards.

A business-continuity focused approach to security partnerships

Not all suppliers are equally important, and not all customers are critical to your business. There are also differences in how digitally integrated the supplier-buyer relationship is. Imagine that you are responsible for security at a company leasing coffee machines to businesses and supplying them with coffee beans. The company has a lean operation and is highly dependent on digital systems for managing its business processes. They have conducted a business impact assessment of their key processes, and marked “bean procurement”, “bean distribution” and “machine maintenance and support” as the most critical processes that also have the most digital dependencies. You want to make sure you have a good approach to cybersecurity for these processes, starting with bean procurement. To get started on the assessment, you and your colleagues perform a business process mapping and dependency exercise.

Suppliers: Wholesale coffee sellers; Logistics providers; Quality control labs
Inputs: Pre-packed coffee beans (normal, premium, premium plus); Transportation services; Quality test results
Process:
  1. Source pre-packed coffee beans from wholesale sellers in three qualities.
  2. Arrange transportation from wholesaler to warehouse.
  3. Conduct quality control tests for each quality type.
  4. Store pre-packed coffee beans in a warehouse.
  5. Distribute coffee beans to offices based on quality requirements.
  6. Monitor inventory levels by quality and reorder as needed.
Outputs: Packaged coffee beans (by quality); Delivery confirmations; Inventory reports (by quality)
Customers: Offices leasing coffee machines; Internal stakeholders

After discussing with some of the suppliers, the procurement division and going through the systems used with both end-users and IT, you have landed on a relatively involved data flow diagram for the procurement of coffee beans (including storage and readiness for distribution, based on the SIPOC):

We are now focusing on the wholesale sellers. There may be multiple interfaces between these companies, but for now let’s consider how a partnership would differ from a pure qualification approach to vendor security here.

Default approach: qualify the vendor, no direct follow-up unless there is an incident.

  • Provide a list of technical security requirements
  • Provide a questionnaire in Excel about policies, security controls and capabilities

This will help select a vendor that has a baseline security level at the point in time when the contract is signed. It will not make the companies ready to respond together if there is a cyber attack affecting both, or requiring support from the other. It will not provide proactive steps to improved cyber defense, such as sharing information about threats, vulnerabilities and best practices. But the biggest weakness is this: good cybersecurity posture over time depends on evolving practices, innovation and shared situational awareness. A point-in-time qualification does not help with that.

Partnership approach: a partnership will help evolve cybersecurity and can “patch the weaknesses” of the qualification-only approach to supplier security management. Here are 3 key practices to consider for building a strong cybersecurity partnership:

  1. Establish clear expectations and responsibilities for the partnership, and include these in the contract. Make sure the cybersecurity practices included in the contract are mutually beneficial.
  2. Establish a way to share information and build joint situational awareness. This can be achieved through a range of activities, from having quarterly information-sharing video calls to fully integrated threat intelligence and response exchange systems.
  3. Be intentional about making security people from both organizations meet and build relationships. There are many ways to do this, from joining community organizations and conferences, to having regular status meetings and workshops together. Even meeting socially can help build those relationships. People who trust each other work much better together during a crisis, such as cyber incident response.

It is worth noting that regulatory requirements for supply chain security are increasing in many sectors. In Europe, key cybersecurity regulations such as DORA (for financial institutions), NIS2 (critical infrastructure), CRA (for suppliers of digital products) and even the AI Act all have requirements for supply-chain cybersecurity. The views in this blog post are not a complete list of the activities a good supply chain program must have; they come in addition to established practices. For an overview of traditional practices that should go into your supply-chain cybersecurity management, this guideline from ENISA is a good starting point: Guideline for supply-chain security (ENISA).

Handling suppliers with low security awareness

Supply chain risk – in cyberspace

Cyber supply chain risk is a difficult area to manage. According to NIST 80% of all breaches originate in the supply chain, meaning it should be a definite priority of any security conscious organization to try and manage that risk. That number was given in a presentation by Jon Boyens at the 2016 RSA conference. A lot of big companies have been breached due to suppliers with poor information security practices, for example Target and Home Depot.

Your real attack surface includes the people you do business with – and those that they do business with again. And this is not all within your span of control!

Most companies do not have any form of cybersecurity screening of their suppliers. Considering the facts above, this seems like a very bad idea. Why is this so?

A lot of people think cybersecurity is difficult. The threat landscape itself is difficult to assess unless you have the tools and knowledge to do so. Most companies don’t have that sort of competence in-house, and they are often unaware that they are lacking know-how in a critical risk governance area.

Why are suppliers important when it comes to cybersecurity? The most important factor is that you trust your suppliers, and you may already have shared authentication secrets with them. Consider the following scenarios:

  1. Your HVAC service provider has VPN access to your network in order to troubleshoot the HVAC system in your office. What if hackers gain control over your HVAC vendor’s computer? Then they also have access to your network.
  2. A supplier that you frequently communicate with has been hacked. You receive an email from one of your contacts in this firm, asking if you can verify your customer information by logging into their web based self-service solution. What is the chance you would do that, provided the web page looks professional? You would at least click the link.
  3. You are discussing a contract proposal with a supplier. After emailing back and forth about the details for a couple of weeks he sends you a download link to proposed contract documents from his legal department. Do you click?

All of these are real use cases. All of them were successful for the cybercriminals wanting access to a bigger corporation’s network. The technical set-up was not exploited; in the HVAC case the login credentials of the supplier were stolen and abused (this was the Target attack, resulting in the leak of 70 million customer credit cards). In the other two cases an existing trust relationship was used to increase the credibility of a spear-phishing attack.

To counter social engineering, most companies offer “cybersecurity awareness training”. That can be helpful, and it can reduce how easy it is to trick employees into performing dangerous actions. When the criminals leverage an existing trust relationship, however, this kind of training is unlikely to have any effect. Further, your awareness training probably covers only your own organization. Through established buyer-supplier relationships the initial attack surface is not only your own organization; it expands to include all the organizations you do business with. Their attack surface, in turn, includes the people they do business with. This quickly expands to a very large network. You obviously cannot manage the whole network, but what you can do is evaluate the risk of using a particular supplier, and use that to determine which security controls to apply to the relationship with that supplier.

Screening the contextual risk of supplier organizations

What then determines the supplier risk level? Obviously internal affairs within the supplier’s organization are important, but at least in the early screening of potential suppliers this information is not available. The supplier may also be reluctant to reveal too much information about their company. This means you can only evaluate the external context of the supplier. As it turns out, there are several indicators you can use to gauge the likelihood of a supplier breach. Main factors include:

  • Main locations of the supplier’s operations, including corporate functions
  • The size of the company
  • The sector the company operates in

In addition to these factors, which can help determine how likely the organization is to be breached, you should consider what kind of information about your company the supplier would possess. Obviously, somebody with VPN login credentials to your network would be of more concern than a restaurant where you order overtime food for your employees. Of special concern should be suppliers or partners with access to critical business secrets, with login credentials, or with access to critical application programming interfaces.

Going back to the external context of the supplier; why is the location of the supplier’s operations important? It turns out that the amount of malware campaigns a company is exposed to is strongly correlated with the political risk in the countries where the firm operates. Firms operating in countries with a high crime rate, significant corruption and dubious attitudes to democracy and freedom of speech, also tend to be attacked more from the outside. They are also more likely to have unlicensed software, e.g. pirated versions of Windows – leaving them more vulnerable to those attacks.

The size of the company is also an interesting indicator. Smaller companies, i.e. less than 250 employees, have a lower fraction of their incoming communication being malicious. At the same time, the defense of these companies is often weak; many of them lack processes for managing information security, and a lot of companies in this group do not have internal cybersecurity expertise.

The medium sized companies (250-500 employees) receive more malicious communications. These companies often lack formal cybersecurity programs too, and competence may also be missing here, especially on the process side of the equation. For example, few companies in this category have established an information security management system.

Larger companies still receive large amounts of malicious communications, but they tend to have better defense systems, including management processes. Small and medium sized businesses therefore pose a higher threat for value chain exploitation than larger, more established companies do.

Also, the sector the supplier operates in is a determining factor for the external context risk. Sectors that are particularly exposed to cyberattacks include:

  • Retail
  • Public sector and governmental agencies
  • Business services (consulting companies, lawyers, accountants, etc.)

Here the topic of “what information do I share” comes in. You are probably not very likely to share internal company data with a retailer unless you are part of the retailer’s supply chain. If you are, then you should be thinking about some controls, especially if the retailer is a small or medium sized business.

For many companies the “business services” category is of key interest. These are service providers that you would often share critical information with. Consulting companies gain access to strategic information and to your IT network, and get to know a lot of key stakeholders in your company. Lawyers would obviously have access to confidential information. Accountants would be trusted, have access to information and perhaps also to your ERP systems. Business service providers often get high levels of access, and they are often targeted by cybercriminals and other hackers; this is good reason to be vigilant in managing security in the buyer-supplier relationship.

Realistic assessments require up to date threat intelligence

There are more factors that come into play when selecting a supplier for your firm than security. Say you have an evaluation scheme that takes into account:

  • Financials
  • Capacity
  • Service level
  • And now… cybersecurity

If the risk is considered unreasonably high for using a supplier, you may end up selecting a supplier that is more expensive, or where the level of service is lower, than for the “best” supplier but with a high perceived risk. Therefore it becomes important that the contextual coarse risk assessment is performed based on up-to-date threat models, even for the macro indicators discussed above.

Looking at historical data shows that the threat impact of company size remains relatively stable over time. Big companies tend to have better governance than small ones. On the positive side for smaller companies is that they tend to be more interested in cooperating on risk governance than bigger players are. This, however, is usually not problematic when it comes to understanding the threat context.

Political risk is more volatile. Political changes in countries can happen quickly, and the effects of political change can be subtle but important for the cybersecurity context. This factor depends on up-to-date threat intelligence, primarily available from open sources. This means that when you establish a contextual threat model, you should take care to keep it up to date with political risk factors that change at least on a quarterly basis, and can even change abruptly in the case of revolutions, terror attacks or other major events causing social unrest. A slower stream is legislative processes that affect not only how businesses deal with cyber threats but also how governments do. Key uncertainties in this field today include the access of intelligence organizations to communications data, and the evolution of privacy laws.

The sector’s influence on cyber threat levels also changes dynamically. Here threat intelligence is not that easy to access, but some open sources do exist. Open intel sources that can be taken into account to adjust the assessment of business sector risk are:

  • General business news and financial market trends
  • Threat intelligence reports from cybersecurity firms
  • Company annual reports
  • Regulations affecting the sector, as also mentioned under political risk
  • Vulnerability reports for business critical software important to each sector

In addition to this, less open sources of interest would be:

  • Contacts working within the sectors with access to trend data on cyber threats (e.g. sysadmins in key companies’ IT departments)
  • Sensors in key networks (often operated by government security organizations); sharing of this information typically occurs through CERT organizations

Obviously, staying on top of the threat landscape is a challenging undertaking but failing to do so can lead to weak risk assessments that would influence business decisions the wrong way. Understanding the threat landscape is thus a business investment where the expected returns are long-term and hard to measure.

How to take action

How should you, as a purchaser, use this information about supplier threats? Consider the situation where you have access to a sound contextual threat model and are able to sort supplier companies into broad risk categories, e.g. low, medium and high risk. How can you use that information to improve your own risk governance and reduce the exposure to supply chain cyber threats?

First, you should establish a due diligence practice for cybersecurity. You should require more scrutiny for high-risk situations than low-risk ones. Here is one way to categorize the governance practices for supply chain cyber risks – but this is only a suggested structure. The actual activities should be adapted to your company’s needs and capabilities.

Practice (low risk supplier / medium risk supplier / high risk supplier):

  • Require review of supplier’s policy for information security (low: No; medium: Yes; high: Yes)
  • State minimum supplier security requirements (antivirus, firewalls, updated software, training) (low: Yes; medium: Yes; high: Yes)
  • Require right to audit supplier for cybersecurity compliance (low: No; medium: To be considered; high: Yes)
  • Establish cooperation for incident handling (low: No; medium: To be considered; high: Yes)
  • Require external penetration test including social engineering prior to and during business relationship (low: No; medium: No; high: To be considered)
  • Agree on communication channels for security incidents related to buyer-supplier relationship (low: Yes; medium: Yes; high: Yes)
  • Require ISO 27001 or similar certification (low: No; medium: No; high: To be considered)
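To show how the contextual screening factors (location, size, sector, and what the supplier has access to) can drive the tiered practices above, here is an added example that is not from the original post. Only the factors, the size bands and the practice table come from the post; the scoring weights and the tier thresholds are illustrative assumptions, and the supplier records are constructed.

```python
"""Contextual supplier screening and the governance practices each tier triggers.

Added example, not from the original post. The weights in likelihood_score and
the thresholds in risk_tier are assumptions for illustration; the factors and
the practice table follow the post.
"""
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    employees: int
    political_risk: str           # "low" | "medium" | "high" for the main operating locations
    sector: str
    access: set = field(default_factory=set)  # what the supplier holds of yours, e.g. {"vpn"}


# Sectors the post names as particularly exposed to cyberattacks.
EXPOSED_SECTORS = {"retail", "public sector", "business services"}
# Kinds of access the post singles out as of special concern.
SENSITIVE_ACCESS = {"vpn", "credentials", "api", "business_secrets"}


def likelihood_score(s):
    """Score how likely the supplier is to be breached (assumed weights)."""
    score = {"low": 0, "medium": 1, "high": 2}[s.political_risk]
    if s.employees < 250:          # small: weak defences, little in-house expertise
        score += 1
    elif s.employees <= 500:       # medium: weak programs *and* more malicious traffic
        score += 2
    if s.sector in EXPOSED_SECTORS:
        score += 1
    return score


def risk_tier(s):
    """Combine breach likelihood with what the supplier could expose of yours."""
    score = likelihood_score(s)
    sensitive = bool(s.access & SENSITIVE_ACCESS)
    if sensitive and score >= 2:   # likely breached AND holds your keys (assumed threshold)
        return "high"
    if sensitive or score >= 3:
        return "medium"
    return "low"


# The post's practice table: practice -> (low, medium, high); "consider" = "To be considered".
PRACTICES = {
    "review supplier infosec policy": ("no", "yes", "yes"),
    "minimum security requirements": ("yes", "yes", "yes"),
    "right to audit": ("no", "consider", "yes"),
    "incident handling cooperation": ("no", "consider", "yes"),
    "external pentest incl. social engineering": ("no", "no", "consider"),
    "agreed incident communication channels": ("yes", "yes", "yes"),
    "ISO 27001 or similar certification": ("no", "no", "consider"),
}
TIER_INDEX = {"low": 0, "medium": 1, "high": 2}


def required_practices(tier):
    """Return {practice: 'yes' | 'consider'} for the practices a tier triggers."""
    idx = TIER_INDEX[tier]
    return {p: v[idx] for p, v in PRACTICES.items() if v[idx] != "no"}


def assess(s):
    """Tier a supplier and list the due-diligence practices that apply to it."""
    tier = risk_tier(s)
    return tier, required_practices(tier)


if __name__ == "__main__":
    constructed = [
        Supplier("HVAC service co", 40, "low", "business services", {"vpn"}),
        Supplier("Canteen caterer", 15, "low", "hospitality", set()),
        Supplier("Law firm", 2000, "low", "business services", {"business_secrets"}),
        Supplier("Offshore accountants", 300, "high", "business services", {"credentials", "api"}),
    ]
    for s in constructed:
        tier, practices = assess(s)
        print(f"{s.name}: {tier} risk -> {practices}")
```

Note that a small HVAC firm with VPN access lands in the high tier even in a low-risk country: the access it holds, not its size, drives the scrutiny, which is the lesson of the Target case above.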

If you found this post interesting, please share it with your contacts – and let me know what you think in the comments!

Norwegian cyber command warning against supply chain exploitation for F35 project

The Norwegian general Inge Kampenes (chief of the Norwegian CYFOR, the cyber branch of the Norwegian armed forces) gave a speech on the evening of Monday 20.02.2017 to Oslo militære samfund, where he warned against supply chain threats to large investments in the military. He brought up the F35 program, and stressed that threat actors may choose to target civilian and military organizations further back in the supply chain in order to threaten the integrity and confidentiality of the project. The military must therefore keep the entire value chain in mind as it is assessing the cyber threats related to procurement.

Aerial refueling of F-35 Lightning II Joint Strike Fighters at Eglin AFB, Fla.
F35 fighter jets require a large number of systems on the ground, ranging from military equipment in the field to administrative IT systems. Breaches in the supply chains to these supporting systems may degrade the performance of the organizations and systems supporting F35 operations. Photo by Mstr. Sgt. Donald R. Allen, US Air Force (public domain).

This follows several recent media accounts of poor sourcing decisions leading to significantly reduced security for important functions in Norway. One was the Statoil case from 2014, where Indian consultants had access to the production IT systems of a refinery and managed to shut down the production of the refinery through an error. Another story that recently broke in the media was that the administration of the Norwegian emergency communications network for emergency response units (police, fire departments, ambulances and the authorities) had been contracted to another Indian IT operator – with no form of background checks or security clearance checks – in breach of Norwegian security laws.

The general is obviously right to be worried about supply chain risks. The suppliers are outside of your direct management control, and this is in particular true for large and complex value chains; the deeper you go in the web of suppliers and subsuppliers, the less influence and control you have over their practices. This has to be handled through contract requirements, auditing and a common understanding of priorities. Understanding the risk context is key to prioritizing the right controls – and this is at the core of supply chain threat management.

Key points the general should preach to his colleagues:

  • The project needs a procurement policy covering all purchases, including how suppliers in turn shall handle their own suppliers, and this policy should be made mandatory for the entire project organization: the project owner must be the one calling the shots.
  • The project needs a competence management plan for information security – that covers both internal and external interfaces
  • The project needs a risk and vulnerability study that covers supply chain effects: the suppliers may be targeted due to activity in other risk contexts, thereby damaging the project’s security by collateral damage
  • The project should plan for coordinated security monitoring in the operations phase where applicable, and plan response accordingly. Patch management should be part of the delivery plan.