Security in the Supply Chain
24/10/2018 – Author: Andy Gibbs – Security Consultant
Protecting technology and data is becoming more complex
Once, the Chief Security Officer’s role of protecting an organisation’s IT and data assets extended to the physical or logical security boundaries of the organisation, and arguably, there it stopped. However, with the onset of mobile working, BYOD, virtualisation and cloud computing, today’s challenge is far more complex. Organisations are responding to an unrelenting rate of technological development by buying in services rather than extending their capabilities in-house. IT services have become increasingly commoditised and there are strong financial and operational arguments for acquiring infrastructure and business software ‘as-a-Service’ rather than self-hosting.
Dependency upon the supply chain for security is increasing
However, in this highly connected, mutually interdependent world, an organisation’s previously well-defined security boundaries have become very blurred, now extending well into the infrastructure and services of its suppliers and beyond into their own supply base. Recognising this change, security standards such as ISO 27001 have been revised in recent years to put much greater emphasis on security in the supply chain. Businesses must now demonstrate an active programme of security management of their supplier base.
Validating security in the supply chain is challenging
But how do you go about rating and mitigating the security threats to your organisation from your interconnected digital supply base when you are no longer in full control?
This challenge has often been devolved to the procurement / supplier management team, who are often under-resourced and technically poorly equipped to undertake the role. Traditionally, their approach has been to fire off a multi-page security questionnaire to the supplier, usually compiled by someone in IT and based upon a list of security controls cribbed from a security standard (e.g. ISO 27001 Annex A). On receipt of this, the supplier’s account management / sales administration will, it is hoped, liaise with their own IT function to prepare a response. This will be presented back to the customer with the best possible spin for fear of upsetting or losing them. The organisation then has to decide whether it actually believes the response it has received and grade it, and any uncertainty may trigger further supplier checks and audits. For most, this process is arduous, time-consuming and at best highly subjective.
Is there another better way?
Wouldn’t it be great if there were a fast and simple evidence-based way of assessing the security posture of your key digital services suppliers, using a consistent scoring methodology? Better still, suppose the supplier could automatically receive feedback on any shortcomings, with guidance on what needs to be fixed, make improvements as part of a continual improvement programme, and see their rating improve as issues are fixed.
A new breed of supplier security management tools has appeared on the market that does just that. One such tool is SecurityScoreCard. It allows you to establish a baseline score for each of your digital suppliers and track their changing threat profile in near real-time, with daily alerts to let you know if there have been any significant changes, good or bad. Where issues are identified, a critique is provided and supported with technical guidance on what areas of improvement can be made, allowing for a more constructive dialogue with your supplier. The tool even allows your supplier to subscribe to their own threat assessment, allowing them to self-manage their security improvement programme without excessive oversight from you.
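The baseline-then-alert workflow described above is simple enough to reproduce in a few lines once you have a daily score per supplier. The following is an added example, not code from the original article and not SecurityScoreCard’s own API or data format: it assumes a hypothetical feed of (supplier, date, score) records on a 0–100 scale, uses a hypothetical 10-point day-to-day movement as the alert threshold, and also rolls the series up into the week-on-week trend that stakeholders are typically shown. The sample records are constructed.

```python
"""Track supplier security scores and flag significant changes.

Added example, not code from the original article and not the tool's own
API or data format. It assumes a hypothetical daily feed of
(supplier, date, score) records; the sample records below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed sample feed: one score (0-100) per supplier per observed day.
SAMPLE_FEED = [
    ("acme-hosting", "2018-10-01", 72),
    ("acme-hosting", "2018-10-02", 72),
    ("acme-hosting", "2018-10-03", 61),   # significant drop
    ("acme-hosting", "2018-10-08", 78),   # recovered after remediation
    ("beta-saas", "2018-10-01", 90),
    ("beta-saas", "2018-10-02", 91),
    ("beta-saas", "2018-10-08", 92),
]

# Hypothetical policy: alert on any day-to-day move of 10 points or more.
ALERT_THRESHOLD = 10


def load_feed(records):
    """Group records into {supplier: [(date, score), ...]} sorted by date."""
    by_supplier = defaultdict(list)
    for supplier, day, score in records:
        by_supplier[supplier].append((date.fromisoformat(day), int(score)))
    for series in by_supplier.values():
        series.sort()
    return dict(by_supplier)


def baseline(series):
    """The baseline is the first score observed for that supplier."""
    return series[0][1]


def significant_changes(series, threshold=ALERT_THRESHOLD):
    """Return (date, previous, current) for each consecutive pair of
    observations whose score moved by at least `threshold`, either way.
    Gaps in the feed are tolerated: the comparison is against the last
    observation, not the previous calendar day."""
    changes = []
    for (_, prev), (day, cur) in zip(series, series[1:]):
        if abs(cur - prev) >= threshold:
            changes.append((day, prev, cur))
    return changes


def weekly_trend(series):
    """Last observed score in each ISO week -> {(year, week): score}."""
    trend = {}
    for day, score in series:
        year, week, _ = day.isocalendar()
        trend[(year, week)] = score  # a later observation in the week wins
    return trend


def daily_alerts(feed, threshold=ALERT_THRESHOLD):
    """Alerts across all suppliers as (supplier, date, prev, cur, direction),
    ordered by date so a daily digest reads chronologically."""
    alerts = []
    for supplier, series in load_feed(feed).items():
        for day, prev, cur in significant_changes(series, threshold):
            direction = "improved" if cur > prev else "deteriorated"
            alerts.append((supplier, day, prev, cur, direction))
    return sorted(alerts, key=lambda a: (a[1], a[0]))


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for supplier, series in feed.items():
        print(f"{supplier}: baseline {baseline(series)}, "
              f"latest {series[-1][1]}, weekly {weekly_trend(series)}")
    for supplier, day, prev, cur, direction in daily_alerts(SAMPLE_FEED):
        print(f"ALERT {day} {supplier} {direction}: {prev} -> {cur}")
```

Run as a script it prints each supplier’s baseline, latest score and weekly series, followed by two alerts for acme-hosting: the drop on 3 October and the recovery on 8 October. Alerting on improvements as well as deteriorations is deliberate, since a rising score after remediation is the evidence you want to feed back to the supplier and report to stakeholders.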
Our evaluation of SecurityScoreCard
Somerford Associates has evaluated SecurityScoreCard, applying it to our own supply base as a proof of concept. Using our own scorecard to drive a supplier security improvement programme, we have been able to achieve a near-100% score in under six months. In doing so we have eliminated a range of technical issues in our supply base to which we were previously oblivious. Furthermore, we have found that responsible suppliers have openly welcomed the constructive feedback, together with helpful guidance notes on remediation, often using this as valuable input to their own continual improvement programmes. The tool has allowed us to track our own and our suppliers’ progress on fixing the issues using simple trend graphs, and to report this to interested stakeholders week on week.
As with any security tool, SecurityScoreCard will not guarantee you’ll never have a security issue, but it does provide an easy-to-use, objective and helpful technique for actively managing security in your supply chain in real-time.