To have a strong infrastructure supply chain, CISOs need to evaluate the cyber resilience of their vendors.
The supply chain industry has faced a difficult time over the past couple of years. The onset of the pandemic imposed heavy in-person restrictions, severely hampering the supply chain operations of every organization. It also exposed the vulnerabilities present in the infrastructure. In fact, as per a report from Revenera, titled “The 2022 State of the Software Supply Chain Report,” 64% of the supply chain organizations in 2021 suffered a cyber-attack.
Such cyber-attacks have hurt revenue, the corporate brand and market reputation. Therefore, organizations need to take steps towards strengthening their supply chain operations and infrastructure. They should strive to make their supply chain resilient, taking a coherent approach to supply chain risk management (SCRM).
Here are a few steps that CISOs can take to build a robust supply chain framework:
Create multiple sources
If one of the vendors suffers a cyber-attack, operations halt for all the stakeholders associated with the business. Such reliance on a single source disrupts the supply chain and exposes every entity involved in the business. Thus, to avoid this scenario in the future, organizations should conduct multisource operations to mitigate the risk. However, designing a multisource strategy requires supply chain leaders to know their supplier networks in depth. They should categorize their suppliers not just by expenditure but also by the revenue impact if a security incident occurs. Another way to achieve multi-sourcing is by giving business to additional suppliers operating from multiple locations.
Verify the resilience plans of vendors
Most vendors these days claim to have a cyber-resilience infrastructure in place. However, relying on their plain statement instead of verifying it with in-depth insights can leave the organization vulnerable to cyber-attacks. This is especially true for systemically critical vendors that the organization relies on heavily to deliver its products and services; these deserve the focus for resilience. After identifying and inventorying them, CISOs should make it a point to ask these vendors how they perform their resilience planning and testing. Instead of simply asking questions and accepting the answers, CISOs should evaluate the cyber resilience of the vendors with physical validation. Whether it is a table-top exercise or actual fail-over testing, working through it with these critical vendors provides assurance that operations will hold up if a security incident occurs.
Decrease concentration risk
After confirming the inventory and validation of third-party vendors, another risk that can hurt cyber-resilience is concentration risk. Most services are performed in a single location by a single vendor, and today’s cloud deployments are often concentrated in one cloud service provider and one geographic region. Diversifying across providers and locations lets an organization spread that risk.
Organizations should ensure that the vendor has actually tested fail-over to the region it designates with its cloud service provider. CISOs should physically validate that the vendor tests fail-over of its product to the designated region and determine how long that fail-over takes. Another approach is to find a way to deploy to a region other than the one where the concentration risk currently sits.